You are not logged in.

#1 2015-01-08 22:59:56

orschiro
Member
Registered: 2009-06-04
Posts: 2,136
Website

[solved] Signature checking: keyserver-options auto-key-retrieve

Hello,

I checked the wiki page on Signature checking which states that keys can be automatically fetched by uncommenting the keyserver-options auto-key-retrieve option in ~/.gnupg/gpg.conf. Hence, I uncommented the option and tried building a package but gpg fails to automatically fetch a key which is not yet included in my ~/.gnupg/pubring.gpg:

:: Retrieving package(s)...
:: Checking openssl098 integrity...
==> Making package: openssl098 0.9.8.zd-1 (Do 8. Jan 23:50:42 CET 2015)
==> Retrieving sources...
  -> Found openssl-0.9.8zd.tar.gz
  -> Found openssl-0.9.8zd.tar.gz.asc
  -> Found no-rpath.patch
  -> Found ca-dir.patch
==> Validating source files with sha256sums...
    openssl-0.9.8zd.tar.gz ... Passed
    openssl-0.9.8zd.tar.gz.asc ... Skipped
    no-rpath.patch ... Passed
    ca-dir.patch ... Passed
==> Verifying source file signatures with gpg...
    openssl-0.9.8zd.tar.gz ... FAILED (unknown public key D9C4D26D0E604491)
==> ERROR: One or more PGP signatures could not be verified!
:: failed to verify openssl098 integrity
~ ❯ cat ~/.gnupg/gpg.conf | grep auto-key
# auto-key-retrieve = automatically fetch keys as needed from the keyserver
keyserver-options auto-key-retrieve

Does someone know how the auto-key-retrieve is supposed to work?

Many thanks!

Robert

Last edited by orschiro (2015-01-09 14:43:28)

Offline

#2 2015-01-08 23:43:01

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 21,923
Website

Re: [solved] Signature checking: keyserver-options auto-key-retrieve

I've never used this ... but:

wiki wrote:

If a signature file in the form of .sig is part of the PKGBUILD source array ...

==> Retrieving sources...
  -> Found openssl-0.9.8zd.tar.gz
  -> Found openssl-0.9.8zd.tar.gz.asc
  -> Found no-rpath.patch
  -> Found ca-dir.patch

Why would you expect this to work, there is no .sig file in the PKGBUILD source array.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#3 2015-01-09 02:09:15

hcra
Member
From: Oregon
Registered: 2013-04-20
Posts: 56

Re: [solved] Signature checking: keyserver-options auto-key-retrieve

Reading the Comments at AUR for openssl098 0.9.8.zd-1, a user comments,

gpg --recv-keys D9C4D26D0E604491

and another "it worked"!

Can anyone parse what these chaps are saying?

Offline

#4 2015-01-09 02:31:01

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 27,746
Website

Re: [solved] Signature checking: keyserver-options auto-key-retrieve

┌─[Veles ~]
└─╼ gpg --search-keys D9C4D26D0E604491
gpg: data source: http://pool-96-231-38-100.washdc.fios.verizon.net:11371
(1)     Matt Caswell <matt@openssl.org>
        Matt Caswell <frodo@baggins.org>
          2048 bit RSA key 0E604491, created: 2013-04-30
Keys 1-1 of 1 for "D9C4D26D0E604491".  Enter number(s), N)ext, or Q)uit > n

He appears to be (one of) the OpenSSL devs. `--recv-keys` would import his key to your local keyring....

Note, the PKGBUILD specifies his key:

validpgpkeys=('8657ABB260F056B1E5190839D9C4D26D0E604491')
source=("https://www.openssl.org/source/${_pkgbasename}-${_ver}.tar.gz"{,.asc}

See here for more detail about keys in PKGBUILDs: http://allanmcrae.com/2015/01/two-pgp-k … rch-linux/

# edit: worked for me:

==> Validating source files with sha256sums...
    openssl-0.9.8zd.tar.gz ... Passed
    openssl-0.9.8zd.tar.gz.asc ... Skipped
    no-rpath.patch ... Passed
    ca-dir.patch ... Passed
==> Verifying source file signatures with gpg...
    openssl-0.9.8zd.tar.gz ... Passed
==> Extracting sources...
  -> Extracting openssl-0.9.8zd.tar.gz with bsdtar
==> Starting build()...

With the additonal line in my conf:

keyserver-options auto-key-retrieve
auto-key-locate hkp://pool.sks-keyservers.net

Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#5 2015-01-09 11:23:07

orschiro
Member
Registered: 2009-06-04
Posts: 2,136
Website

Re: [solved] Signature checking: keyserver-options auto-key-retrieve

@jasonwryan

With the additonal line in my conf:

keyserver-options auto-key-retrieve
auto-key-locate hkp://pool.sks-keyservers.net

Can confirm that this works for the abovementioned package. Thanks!

However, tried a different package, palemoon-bin, for which this option is still not sufficient:

==> Making package: palemoon-bin 25.1.0-1 (Fr 9. Jan 12:07:56 CET 2015)
==> Retrieving sources...
  -> Found palemoon-25.1.0.en-US.linux-x86_64.tar.bz2
  -> Found palemoon-25.1.0.en-US.linux-x86_64.tar.bz2.sig
  -> Found palemoon.desktop
==> Validating source files with sha1sums...
    palemoon-25.1.0.en-US.linux-x86_64.tar.bz2 ... Passed
    palemoon-25.1.0.en-US.linux-x86_64.tar.bz2.sig ... Skipped
    palemoon.desktop ... Passed
==> Verifying source file signatures with gpg...
    palemoon-25.1.0.en-US.linux-x86_64.tar.bz2 ... FAILED (the public key B85ADF545913F109BDD609390303DADA702F886A is not trusted)
==> ERROR: One or more PGP signatures could not be verified!
:: failed to verify palemoon-bin integrity

This one provides a .sig, however.

Offline

#6 2015-01-09 11:29:46

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,162
Website

Re: [solved] Signature checking: keyserver-options auto-key-retrieve

That PKGBUILD doesn't have a validpgpkeys entry with the PGP keys listed or you haven't trusted the PGP key yourself, which is why it's kicking out the error.

By adding a validpgpkeys or locally trusting the gpg key in your gpg keyring, you are saying you trust the PGP is valid though.

Last edited by clfarron4 (2015-01-09 11:31:29)


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository

Offline

#7 2015-01-09 14:43:02

orschiro
Member
Registered: 2009-06-04
Posts: 2,136
Website

Re: [solved] Signature checking: keyserver-options auto-key-retrieve

By adding a validpgpkeys or locally trusting the gpg key in your gpg keyring, you are saying you trust the PGP is valid though.

That makes sense, thanks!

Offline

Board footer

Powered by FluxBB