Hello,
I checked the wiki page on Signature checking which states that keys can be automatically fetched by uncommenting the keyserver-options auto-key-retrieve option in ~/.gnupg/gpg.conf. Hence, I uncommented the option and tried building a package but gpg fails to automatically fetch a key which is not yet included in my ~/.gnupg/pubring.gpg:
:: Retrieving package(s)...
:: Checking openssl098 integrity...
==> Making package: openssl098 0.9.8.zd-1 (Do 8. Jan 23:50:42 CET 2015)
==> Retrieving sources...
-> Found openssl-0.9.8zd.tar.gz
-> Found openssl-0.9.8zd.tar.gz.asc
-> Found no-rpath.patch
-> Found ca-dir.patch
==> Validating source files with sha256sums...
openssl-0.9.8zd.tar.gz ... Passed
openssl-0.9.8zd.tar.gz.asc ... Skipped
no-rpath.patch ... Passed
ca-dir.patch ... Passed
==> Verifying source file signatures with gpg...
openssl-0.9.8zd.tar.gz ... FAILED (unknown public key D9C4D26D0E604491)
==> ERROR: One or more PGP signatures could not be verified!
:: failed to verify openssl098 integrity
~ ❯ cat ~/.gnupg/gpg.conf | grep auto-key
# auto-key-retrieve = automatically fetch keys as needed from the keyserver
keyserver-options auto-key-retrieve
Does someone know how the auto-key-retrieve is supposed to work?
Many thanks!
Robert
Last edited by orschiro (2015-01-09 14:43:28)
I've never used this ... but:
If a signature file in the form of .sig is part of the PKGBUILD source array ...
==> Retrieving sources...
-> Found openssl-0.9.8zd.tar.gz
-> Found openssl-0.9.8zd.tar.gz.asc
-> Found no-rpath.patch
-> Found ca-dir.patch
Why would you expect this to work? There is no .sig file in the PKGBUILD source array.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Reading the Comments at AUR for openssl098 0.9.8.zd-1, a user comments,
gpg --recv-keys D9C4D26D0E604491
and another "it worked"!
Can anyone parse what these chaps are saying?
┌─[Veles ~]
└─╼ gpg --search-keys D9C4D26D0E604491
gpg: data source: http://pool-96-231-38-100.washdc.fios.verizon.net:11371
(1) Matt Caswell <matt@openssl.org>
Matt Caswell <frodo@baggins.org>
2048 bit RSA key 0E604491, created: 2013-04-30
Keys 1-1 of 1 for "D9C4D26D0E604491". Enter number(s), N)ext, or Q)uit > n
He appears to be (one of) the OpenSSL devs. `--recv-keys` would import his key to your local keyring....
Note, the PKGBUILD specifies his key:
validpgpkeys=('8657ABB260F056B1E5190839D9C4D26D0E604491')
source=("https://www.openssl.org/source/${_pkgbasename}-${_ver}.tar.gz"{,.asc}
See here for more detail about keys in PKGBUILDs: http://allanmcrae.com/2015/01/two-pgp-k … rch-linux/
# edit: worked for me:
==> Validating source files with sha256sums...
openssl-0.9.8zd.tar.gz ... Passed
openssl-0.9.8zd.tar.gz.asc ... Skipped
no-rpath.patch ... Passed
ca-dir.patch ... Passed
==> Verifying source file signatures with gpg...
openssl-0.9.8zd.tar.gz ... Passed
==> Extracting sources...
-> Extracting openssl-0.9.8zd.tar.gz with bsdtar
==> Starting build()...
With the additional line in my conf:
keyserver-options auto-key-retrieve
auto-key-locate hkp://pool.sks-keyservers.net
@jasonwryan
With the additional line in my conf:
keyserver-options auto-key-retrieve
auto-key-locate hkp://pool.sks-keyservers.net
Can confirm that this works for the abovementioned package. Thanks!
However, tried a different package, palemoon-bin, for which this option is still not sufficient:
==> Making package: palemoon-bin 25.1.0-1 (Fr 9. Jan 12:07:56 CET 2015)
==> Retrieving sources...
-> Found palemoon-25.1.0.en-US.linux-x86_64.tar.bz2
-> Found palemoon-25.1.0.en-US.linux-x86_64.tar.bz2.sig
-> Found palemoon.desktop
==> Validating source files with sha1sums...
palemoon-25.1.0.en-US.linux-x86_64.tar.bz2 ... Passed
palemoon-25.1.0.en-US.linux-x86_64.tar.bz2.sig ... Skipped
palemoon.desktop ... Passed
==> Verifying source file signatures with gpg...
palemoon-25.1.0.en-US.linux-x86_64.tar.bz2 ... FAILED (the public key B85ADF545913F109BDD609390303DADA702F886A is not trusted)
==> ERROR: One or more PGP signatures could not be verified!
:: failed to verify palemoon-bin integrity
This one provides a .sig, however.
That PKGBUILD doesn't have a validpgpkeys entry with the PGP keys listed or you haven't trusted the PGP key yourself, which is why it's kicking out the error.
By adding a validpgpkeys or locally trusting the gpg key in your gpg keyring, you are saying you trust the PGP is valid though.
Last edited by clfarron4 (2015-01-09 11:31:29)
Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository
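The two failures in this thread ("unknown public key" for openssl098, "is not trusted" for palemoon-bin) and the two ways clfarron4 lists to clear the second one (a validpgpkeys entry in the PKGBUILD, or trusting the key in your own keyring) are easiest to see when the decision makepkg takes after `gpg --verify` is written out. The script below is an added example, not makepkg's source and not code from anyone in the thread: it replays that decision over gpg's machine-readable `--status-fd` lines. The keywords it looks for (NO_PUBKEY, BADSIG, EXPKEYSIG, REVKEYSIG, VALIDSIG, TRUST_*) are gpg's documented status output; the order of the checks is an assumption modelled on the messages quoted above. The sample status lines are constructed, not captured from a real run, and reuse only the key id and fingerprint that appear earlier in the thread.

```shell
#!/bin/sh
# Added example (not makepkg's or the thread's code): replays the decision
# makepkg has to make after running
#     gpg --status-fd 1 --verify FILE.asc FILE
# over the "[GNUPG:] ..." status lines gpg writes, so both failures quoted in
# the thread can be reproduced without touching a keyring.  The status
# keywords are gpg's documented --status-fd output; the check order below is
# an assumption modelled on makepkg's messages, not its source.

# has_status STATUS_TEXT KEYWORD -> success if a "[GNUPG:] KEYWORD" line exists
has_status() {
    printf '%s\n' "$1" | awk -v kw="$2" \
        '$1 == "[GNUPG:]" && $2 == kw { f = 1 } END { exit (f ? 0 : 1) }'
}

# status_field STATUS_TEXT KEYWORD N -> field N ("last" = last field) of the
# first matching status line
status_field() {
    printf '%s\n' "$1" | awk -v kw="$2" -v n="$3" \
        '$1 == "[GNUPG:]" && $2 == kw { print (n == "last" ? $NF : $n); exit }'
}

# verify_status STATUS_TEXT VALIDPGPKEYS
#   STATUS_TEXT  : gpg's status lines for one signature
#   VALIDPGPKEYS : whitespace-separated full fingerprints from the PKGBUILD
# Prints "Passed" or "FAILED (reason)"; returns 0 only on Passed.
verify_status() {
    status=$1
    validkeys=$2

    # The key is not in the keyring, so the signature cannot be checked at
    # all.  This is the openssl098 failure; auto-key-retrieve exists to fetch
    # the key before this point is reached.
    if has_status "$status" NO_PUBKEY; then
        printf 'FAILED (unknown public key %s)\n' "$(status_field "$status" NO_PUBKEY 3)"
        return 1
    fi

    # The signature does not match the file.
    if has_status "$status" BADSIG; then
        printf 'FAILED (bad signature)\n'
        return 1
    fi

    # The signing key has expired or been revoked.
    if has_status "$status" EXPKEYSIG || has_status "$status" REVKEYSIG; then
        printf 'FAILED (signing key expired or revoked)\n'
        return 1
    fi

    # A cryptographically good signature carries the primary key fingerprint
    # as the last field of VALIDSIG.
    fpr=$(status_field "$status" VALIDSIG last)
    if [ -z "$fpr" ]; then
        printf 'FAILED (no valid signature found)\n'
        return 1
    fi

    # Trust path 1: the PKGBUILD pins the fingerprint in validpgpkeys.  No
    # ownertrust in the local keyring is needed for this to pass.
    for k in $validkeys; do
        if [ "$k" = "$fpr" ]; then
            printf 'Passed\n'
            return 0
        fi
    done

    # Trust path 2: the key is fully or ultimately trusted in the local
    # keyring (e.g. after you signed it or edited its ownertrust).
    if has_status "$status" TRUST_FULLY || has_status "$status" TRUST_ULTIMATE; then
        printf 'Passed\n'
        return 0
    fi

    # Good signature, but neither trust path applies: the palemoon-bin failure.
    printf 'FAILED (the public key %s is not trusted)\n' "$fpr"
    return 1
}

# verify_source FILE SIGFILE VALIDPGPKEYS: the same decision on a real file,
# feeding gpg's status lines (status on stdout, human output discarded).
verify_source() {
    verify_status "$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null)" "$3"
}

# Constructed status output (not captured from a real run), using the key id
# and fingerprint quoted in the thread for openssl098.
VALIDSIG_LINE='[GNUPG:] VALIDSIG 8657ABB260F056B1E5190839D9C4D26D0E604491 2015-01-08 1420758642 0 4 0 1 10 00 8657ABB260F056B1E5190839D9C4D26D0E604491'
STATUS_NO_PUBKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG D9C4D26D0E604491 1 10 00 1420758642 9
[GNUPG:] NO_PUBKEY D9C4D26D0E604491'
STATUS_GOOD_UNTRUSTED="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D9C4D26D0E604491 Matt Caswell <matt@openssl.org>
$VALIDSIG_LINE
[GNUPG:] TRUST_UNDEFINED 0 pgp"
STATUS_GOOD_TRUSTED="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D9C4D26D0E604491 Matt Caswell <matt@openssl.org>
$VALIDSIG_LINE
[GNUPG:] TRUST_ULTIMATE 0 pgp"
PKGBUILD_VALIDPGPKEYS='8657ABB260F056B1E5190839D9C4D26D0E604491'

verify_status "$STATUS_NO_PUBKEY" "$PKGBUILD_VALIDPGPKEYS" || true   # FAILED (unknown public key D9C4D26D0E604491)
verify_status "$STATUS_GOOD_UNTRUSTED" "" || true                     # FAILED (the public key ... is not trusted)
verify_status "$STATUS_GOOD_UNTRUSTED" "$PKGBUILD_VALIDPGPKEYS"        # Passed (pinned by validpgpkeys)
verify_status "$STATUS_GOOD_TRUSTED" ""                               # Passed (ownertrust in the keyring)
```

Two points follow from the script. First, once the key is in the keyring, a matching validpgpkeys fingerprint is enough, which is why openssl098 passed for jasonwryan without any trust editing; for a PKGBUILD that ships a .sig but no validpgpkeys, you either add the fingerprint there or raise the key's ownertrust yourself (`gpg --edit-key <fingerprint>`, then `trust`), and in both cases you are the one vouching for that fingerprint. Second, auto-key-retrieve only turns the NO_PUBKEY branch into a fetch if gpg has a keyserver to ask; with no reachable keyserver configured the option has nothing to query, and the key stays unknown.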