[SOLVED] PGP signature could not be verified!

sirdle · 2014-12-30 06:59:48

I am trying to install password safe from the AUR.

I have downloaded and un-tarred the tar.gz file but when I execute makepkg -s I get the following error:

$ makepkg -s
==> Making package: passwordsafe 0.94.1BETA-1 (Mon Dec 29 21:41:00 PST 2014)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found pwsafe-0.94.1BETA-src.tgz
  -> Found pwsafe-0.94.1BETA-src.tgz.sig
==> Validating source files with md5sums...
    pwsafe-0.94.1BETA-src.tgz ... Passed
    pwsafe-0.94.1BETA-src.tgz.sig ... Passed
==> Verifying source file signatures with gpg...
    pwsafe-0.94.1BETA-src.tgz ... FAILED (unknown public key 919464515CCF8BB3)

Following the instructions on the "Package Signing" wiki, I:

$ sudo pacman -S haveged 
$ sudo systemctl start haveged.service
$ sudo pacman-key --init
$ sudo pacman-key --populate archlinux

$ sudo pacman-key --add pwsafe-0.94.1BETA-src.tgz.sig
[sudo] password for xxxxx: 
==> Updating trust database...
gpg: next trustdb check due at 2016-01-22

makepkg -s still fails at this point.

The next steps on the wiki call for:
1. verifying the fingerprint with: $ pacman-key -f keyid, and
2. locally signing the imported key with: # pacman-key --lsign-key keyid

How do I determine the "keyid"?

If I use the 'public key' returned in the error message above, I get:

$ pacman-key -f 919464515CCF8BB3
gpg: Note: trustdb not writable
gpg: error reading key: No public key
==> ERROR: The fingerprint of a specified key could not be determined.

And if I use the name of the file I downloaded with the tar, I get:

$ pacman-key -f pwsafe-0.94.1BETA-src.tgz.sig
gpg: Note: trustdb not writable
gpg: error reading key: No public key
==> ERROR: The fingerprint of a specified key could not be determined.

I even tried un-tarring the signature... but that didn't work either.

$ tar xzvf pwsafe-0.94.1BETA-src.tgz.sig

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now

I also searched through pacman's keyring directly with:

$ gpg --homedir /etc/pacman.d/gnupg --list-keys

but I didn't see the packager's name or email address anywhere.

A nudge in the right direction would be greatly appreciated.

Cheers,

Last edited by sirdle (2014-12-31 01:05:32)

Roken · 2014-12-30 07:04:28

Download the public key from http://pgp.mit.edu:11371/pks/lookup?op= … 515CCF8BB3 (right click and save as, somewhere easy like Desktop). The file will be called lookup. Then import:

gpg --import lookup
gpg --list-keys

then you should be good to go.

Edit: I found the public key by following the link to the upstream url.

Last edited by Roken (2014-12-30 07:05:17)

jasonwryan · 2014-12-30 07:08:10

┌─[Shiv ~ ]
└─╼ gpg --keyserver hkps://hkps.pool.sks-keyservers.net --search-keys 919464515CCF8BB3
gpg: data source: http://itunix.eu:11371
(1)     Rony Shapiro (PasswordSafe Signing Key) <ronys@users.sourceforge.net>
          2048 bit RSA key 5CCF8BB3, created: 2011-02-10
Keys 1-1 of 1 for "919464515CCF8BB3".  Enter number(s), N)ext, or Q)uit > n

stevenhoneyman · 2014-12-30 09:10:13

I noticed this yesterday and haven't had chance to fix it/figure out what's wrong yet.

makepkg (un)helpfully uses "gpg" instead of "pacman-key" to check source files, so there's a mix-up somewhere with gpg home dirs and sudo. perhaps that's intentional... I don't know much about gpg.

pacman-key --verify {file}
gpg --verify {file}
sudo gpg --verify {file}

those all have different outputs!

Fixxer · 2014-12-30 09:17:53

To make pacman's trusted keys usefully for gpg and makepkg add this line to ~/.gnupg/gpg.conf:

keyring /etc/pacman.d/gnupg/pubring.gpg

Then as root:

pacman-key -r 919464515CCF8BB3
pacman-key -f 919464515CCF8BB3
pacman-key --lsign-key 919464515CCF8BB3

Re-run build procedure. If gpg signatures still can't be verified, add the key as regular user by gpg:

gpg --recv-keys 919464515CCF8BB3

and trust it:

gpg --edit-key 919464515CCF8BB3

When you see a gpg prompt, run command:

trust

and chosse full or ultimate.

Re-run build procedure.

Links: 1; 2.

Last edited by Fixxer (2014-12-30 09:28:41)

jjacky · 2014-12-30 13:03:42

There seems to be some confusion going on in this thread, let me quote the wiki:

The signature checking implemented in makepkg does not use pacman's keyring.

The keys managed via pacman-key (i.e. pacman's keyring) are only for package(/database) signatures, nothing to do with checking sources via makepkg. Those keys should only be added to your own keyring, no need for pacman-key or sudo then. In order for makepkg to validate the signatures, besides having the key you'll basically need to either locally sign/trust it, or (probably easier) simply add it in the PKGBUILD under validpgpkeys(); see PKGBUILD(5)

clfarron4 · 2014-12-30 13:17:50

jjacky wrote:

There seems to be some confusion going on in this thread, let me quote the wiki:
The signature checking implemented in makepkg does not use pacman's keyring.
The keys managed via pacman-key (i.e. pacman's keyring) are only for package(/database) signatures, nothing to do with checking sources via makepkg. Those keys should only be added to your own keyring, no need for pacman-key or sudo then. In order for makepkg to validate the signatures, besides having the key you'll basically need to either locally sign/trust it, or (probably easier) simply add it in the PKGBUILD under validpgpkeys(); see PKGBUILD(5)

This, what @jjacky just said, is it in a nutshell. My short flirtation with pacman 4.2.0-5 before I downgraded it again [1] showed me you only have to add the required key to your public gpg keyring with the following command and it should work, no signing or anything else required:

 gpg --recv-keys KEYID

Once done, the gpg verification should work with makepkg for that KEYID.

EDIT: Apparently, I've just said nion the same thing as @Roken, in that you import the key into your public keyring, not pacman's XD Oh well.

[1] I am currently in a land with little internet, with my last system update being 17-Dec-2014. Hence the downgrade.

Last edited by clfarron4 (2014-12-30 13:20:54)

Allan · 2014-12-30 13:18:32

Never add keys to you pacman keyring unless you want to install packages from their repo on your system

makepkg uses the keyring of the user who builds the package.

Alad · 2014-12-30 17:01:41

Tried adding

keyring /etc/pacman.d/gnupg/pubring.gpg

to

~/.gnupg/.gpg.conf

and using

gpg --recv-keys <somekey>

neither worked. Right now I have

alias makepkg='makepkg --skippgpcheck

which is supremely ugly. I'll have to try validpgpkeys() or gpg --edit-key

Last edited by Alad (2014-12-30 17:02:16)

stevenhoneyman · 2014-12-30 21:30:29

With my failed attempt earlier I was on the right track then... but it got to a point where after adding it to my public keyring it showed as "TRUST_UNDEFINED" because I hadn't signed it(?)
...then attempting to trust it, I was asked something like "Do you know this person, and trust them with all your data?", at which point I was like "err, nope." and opted for --skippgpcheck

sirdle · 2014-12-31 01:05:08

Thank you to everyone who replied!

It has taken me a while to read all the links and try to understand them.

My main problem was that I was mixing up package signing (via pacman) with package signing (via makepkg). The two are related, but separate: they both use gpg, they both use keys that can be downloaded from key servers, they both use keys that can be locally signed, they both use key-rings... but the key-rings they use are different, and process they use to install and validate those keys is also different. (Correct me if I'm wrong.)

From the Wiki

The signature checking implemented in makepkg does not use pacman's keyring.

In my case, I'm installing from the AUR. The error I received:

FAILED (unknown public key 919464515CCF8BB3)

was because makepkg could not find the supplied key in my personal key-ring.

All I needed to do was:

1. Download the key.
2. Add it to my personal key ring.
3. Trust it.

Alternatively, I could build the package by skipping the check.

Download the Key

1. Download from the MIT key server. Enter the keyid as a 16-digit hex number, e.g., 0x919464515ccf8bb3. Right-click on the result and save to the desktop [see Roken's post] above. Or,
2. Try the command line per jasonwryan's post above. (This number does not need to start with 0x.)

I tried both of these methods to verify that they work. They do.

Add the key to my personal keyring

With jasonwryan's method, the key is added as part of the command. With Roken's method an additional command is needed:

gpg --import /path/to/saved/keyfile

If I try makepkg -s at this point I still get an error... but the error is different. It is now:

FAILED (the public key A703C1328EABC7B201753BA3919464515CCF8BB3 is not trusted)

which brings us to the third step.

Trust It

$ gpg --list-keys          # to get the correct keyid
$ gpg -edit-key keyid      # from the previous command
gpg> trust

At this point, gpg asks the user how much he trusts this key. If you're like stevenhoneyman you might say, "Er... not very much" and opt for building without trust.
Or you can grant a lot of trust in order to create the package and then revoke the trust later (but I'm guessing this will cause problems when the package needs to be updated).

A level of 5 "Ultimate Trust" was required to build this package.

Thanks to everybody who helped me out with this. Definitely a learning experience!

Last edited by sirdle (2014-12-31 01:21:53)

Alad · 2015-01-22 16:13:03

Ultimate trust should ONLY be applied to your personal key. Doing so for some random software signing key is a pretty stupid idea. Proper way is to modify the PKGBUILD as described in Allan's blog post (now linked for the 9000th time).

Last edited by Alad (2015-01-22 16:15:15)

Arch Linux

#1 2014-12-30 06:59:48

[SOLVED] PGP signature could not be verified!

#2 2014-12-30 07:04:28

Re: [SOLVED] PGP signature could not be verified!

#3 2014-12-30 07:08:10

Re: [SOLVED] PGP signature could not be verified!

#4 2014-12-30 09:10:13

Re: [SOLVED] PGP signature could not be verified!

#5 2014-12-30 09:17:53

Re: [SOLVED] PGP signature could not be verified!

#6 2014-12-30 13:03:42

Re: [SOLVED] PGP signature could not be verified!

#7 2014-12-30 13:17:50

Re: [SOLVED] PGP signature could not be verified!

#8 2014-12-30 13:18:32

Re: [SOLVED] PGP signature could not be verified!

#9 2014-12-30 17:01:41

Re: [SOLVED] PGP signature could not be verified!

#10 2014-12-30 21:30:29

Re: [SOLVED] PGP signature could not be verified!

#11 2014-12-31 01:05:08

Re: [SOLVED] PGP signature could not be verified!

#12 2015-01-22 16:13:03

Re: [SOLVED] PGP signature could not be verified!

Board footer