I'm currently trying to install cower. I downloaded the tarball, cded and ran makepkg -si. Then makepkg said
==> Making package: cower 9-1 (Mon Apr 8 14:49:25 EDT 2013)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Found cower-9.tar.gz
-> Found cower-9.tar.gz.sig
==> Validating source files with md5sums...
cower-9.tar.gz ... Passed
cower-9.tar.gz.sig ... Skipped
==> Verifying source file signatures with gpg...
cower-9.tar.gz ... FAILED
==> ERROR: One or more PGP signatures could not be verified!
without even telling me why it failed. I thought maybe the signer's key wasn't in the keyring. The signer was falconindy, aka Dave Reisner. I looked for him in the keyring, and sure enough, he was there. I even checked the signature myself, and it came back positive:
pacman-key -v cower-9.tar.gz.sig
==> Checking cower-9.tar.gz.sig ...
gpg: Signature made 2013-04-04T20:17:15 EDT using RSA key ID F56C0C53
gpg: NOTE: trustdb not writable
gpg: Good signature from "Dave Reisner <d@falconindy.com>"
gpg: aka "Dave Reisner <dreisner@archlinux.org>"
So, I am completely baffled by makepkg's failure to verify this signature. Any help would be greatly appreciated. In the meantime, I just added --skippgpcheck in makepkg's invocation.
edit: added code tags /Xyne
Last edited by Xyne (2013-07-08 17:15:30)
Makepkg uses the user's keyring, not the system keyring. It has been brought up before. I think there may be a bug report but I am not sure. You have the following options:
1) use makepkg's --skippgpcheck option (and manually check with pacman-key as you have already done)
2) add the key to your own keyring
3) patch makepkg (and submit the patches upstream)
Oh, that explains everything. Perhaps it would be best for makepkg to default to the system keyring. I'll make a patch later when I have more time on my hands. Thanks for the help, though!
Oh, that explains everything. Perhaps it would be best for makepkg to default to the system keyring. I'll make a patch later when I have more time on my hands. Thanks for the help, though!
Since this issue has not been marked as [SOLVED], and I'm having the very same problem while building pacman, I don't feel ashamed of digging up this corpse of a thread and bringing it back alive.
@ewtoombs, have you had the time to make this patch yet?
[EDIT] Found another (even older) thread with a very simple, working solution. Perhaps this is worth adding to the Wiki.
Last edited by ackalker (2013-07-07 21:05:09)
No need to patch makepkg, just modify your /etc/makepkg.conf if you want to use the packager keyring:
export GNUPGHOME=/etc/pacman.d/gnupg
I don't think this is really a good idea, though. The packager keyring must be an island -- you should use it for package verification and nothing else (think of it as internal API for pacman). Building packages is a per-user operation. Source tarball verification should be treated as per-user as well.
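The mismatch discussed in this thread (pacman-key -v reports a good signature while makepkg reports FAILED, because each consults a different keyring) can be reproduced with throwaway data. This is an added example, not code from any poster or from makepkg; the key, user ID and temporary homedirs are constructed, and it assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example. Everything is constructed: throwaway key, temp dirs, dummy tarball.
# "$work/system" stands in for /etc/pacman.d/gnupg, "$work/user" for the
# building user's ~/.gnupg (the keyring makepkg consults, per the thread).

# verify_with HOMEDIR SIG FILE: classify gpg's machine-readable status output.
verify_with() {
    st=$(gpg --homedir "$1" --batch --no-auto-key-retrieve --status-fd 1 \
             --verify "$2" "$3" 2>/dev/null) || true   # non-zero exit is expected
    case "$st" in
        *"[GNUPG:] GOODSIG"*)   echo GOOD ;;
        *"[GNUPG:] NO_PUBKEY"*) echo NO_PUBKEY ;;
        *)                      echo BAD ;;
    esac
}

demo() {
    command -v gpg >/dev/null 2>&1 || { echo "SKIP: gpg not installed"; return 0; }
    work=$(mktemp -d) || return 1
    mkdir -m 700 "$work/system" "$work/user"
    src="$work/src.tar.gz"; sig="$src.sig"
    echo "dummy source" > "$src"
    sign="gpg --homedir $work/system --batch --quiet --pinentry-mode loopback"
    # Unprotected throwaway key, then a detached signature (src.tar.gz.sig).
    if ! $sign --passphrase '' --quick-generate-key \
            "Throwaway Signer <signer@example.invalid>" default default never 2>/dev/null ||
       ! $sign --passphrase '' --detach-sign "$src" 2>/dev/null; then
        rm -rf "$work"; echo "SKIP: could not create test key"; return 0
    fi
    a=$(verify_with "$work/system" "$sig" "$src")   # keyring that holds the key
    b=$(verify_with "$work/user"   "$sig" "$src")   # empty per-user keyring
    # Option 2 from the thread: add the public key to the user's own keyring.
    gpg --homedir "$work/system" --batch --export 2>/dev/null |
        gpg --homedir "$work/user" --batch --quiet --import 2>/dev/null
    c=$(verify_with "$work/user" "$sig" "$src")
    for h in system user; do   # stop any daemons gpg started for the temp homedirs
        gpgconf --homedir "$work/$h" --kill all 2>/dev/null || true
    done
    rm -rf "$work"
    echo "system=$a user=$b user_after_import=$c"
}

demo
```

The signature itself never changes between the three checks; only the keyring selected by --homedir (or GNUPGHOME) does.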
Hrm... having an unknown public key only results in a warning in makepkg. That will result in a "FAILED" check, but this should not stop building at all.