Wasn't sure if I should put this in the AUR section or here, so I figured I'd try here first.
Basically I was wondering if there was something I could set in pacman.conf to have it ignore trying to verify packages I fetch from the AUR using a pacman wrapper like yaourt, while still checking for signatures from the official repos? Thanks for your assistance and if this is in the wrong forum I apologize in advance.
~trc
Offline
I have "SigLevel = Optional TrustedOnly" as my global level and then augment it with "SigLevel = PackageRequired" on the repos that are fully signed. This way a "pacman -U <pkg>" works without a signature there.
We will probably have an additional configuration option in the future to allow overriding the SigLevel for -U operations.
Offline
I'm trying to install a package from aur but I get the message: invalid or corrupted package (PGP signature) when issuing pacman -U
So I tried the solution mentioned above by setting "SigLevel = Optional TrustedOnly" but I still get the same message.
I even tried disabling signature checking with "Siglevel = Never" but still get the same message.
Any idea what I am doing wrong?
Offline
How did you make the package? Did the package compile OK?
@Allan,
Isn't "SigLevel = Optional TrustedOnly" the default in any case? I have this line commented in pacman.conf and I can still install AUR packages with pacman -U OK. (But checking is enabled for all the repos in pacman.conf.)
Offline
I'm trying to install a package from aur but I get the message: invalid or corrupted package (PGP signature) when issuing pacman -U
So I tried the solution mentioned above by setting "SigLevel = Optional TrustedOnly" but I still get the same message.
I even tried disabling signature checking with "Siglevel = Never" but still get the same message.
Any idea what I am doing wrong?
Have you changed makepkg.conf, specifically BUILDENV array? There is an option "sign". If it is enabled, packages from AUR (which are locally built) will be signed with your own private key. Before that your public key must be signed by your local pacman key to receive a sufficient trust level. So you have to tell us your makepkg config...
Offline
My package compiled without errors. And just to check I tried to install another package from aur but had the same error.
Thanx for the pointer "Leonid.I"
Currently package signing is disabled in my makepkg.conf
I created my own gpg key pair (gpg --gen-key).
To add my public key to the pacman keyring I should do the following? I'm not sure if that is the correct key I'm adding
sudo pacman-key -a ~/.gnupg/pubring.gpg
and signing the package should be done as follows?
makepkg -s --sign --key ~/.gnupg/secring.gpg
But when I get this to work I would still like to know why I can't install unsigned packages without signing them myself.
This didn't present a problem in the past, so I'm wondering what changed.
Offline
Currently package signing is disabled in my makepkg.conf
makepkg.conf does not matter. It should work with the default Arch pacman.conf - post yours if you cannot see what is wrong.
Offline
And then I saw it.
I only had my "SigLevel = PackageRequired" option of the testing repo uncommented.
Like this:
#[testing]
SigLevel = PackageRequired
#Include = /etc/pacman.d/mirrorlist
So I think this option was overriding my default Siglevel.
Thanx for the help.
Now I can install my packages from aur.
Offline
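Added example, not part of the thread and not pacman's own code: a small check for the mistake found in the last post, where a SigLevel line is left active under a commented-out section header and therefore lands in the previous active section. The sample config is constructed; the [options] and [core] parts around the quoted fragment and the function name audit_siglevel are assumptions for illustration.

```python
import re

# Constructed sample: the "#[testing]" fragment is the one quoted in the
# thread; the surrounding [options] and [core] sections are assumed.
SAMPLE = """\
[options]
SigLevel = Optional TrustedOnly

#[testing]
SigLevel = PackageRequired
#Include = /etc/pacman.d/mirrorlist

[core]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
"""

SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]$")
COMMENTED_SECTION = re.compile(r"^#\s*\[(?P<name>[^\]]+)\]$")
SIGLEVEL = re.compile(r"^SigLevel\s*=\s*(?P<value>.+)$")

def audit_siglevel(text):
    """Return (placed, orphans): where each SigLevel line really applies, and
    which ones sit under a commented-out header (likely meant for that repo)."""
    active = None   # last uncommented [section] header seen
    shadow = None   # commented-out header seen since that section started
    placed, orphans = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        m = COMMENTED_SECTION.match(stripped)
        if m:
            shadow = m["name"]
            continue
        line = stripped.split("#", 1)[0].strip()  # drop comments
        m = SECTION.match(line)
        if m:
            active, shadow = m["name"], None
            continue
        m = SIGLEVEL.match(line)
        if m:
            value = m["value"].strip()
            placed.setdefault(active, []).append((no, value))
            if shadow:
                orphans.append((no, shadow, active, value))
    return placed, orphans

if __name__ == "__main__":
    for no, meant, actual, value in audit_siglevel(SAMPLE)[1]:
        print(f"line {no}: SigLevel = {value} sits under commented "
              f"[{meant}] and applies to [{actual}]")
```

To check a real file, pass the contents of /etc/pacman.conf to audit_siglevel; any entry in the second return value is a line to comment out or move under an active repo header.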