You are not logged in.

#26 2017-08-27 17:53:52

Slithery
Forum Moderator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 3,713

Re: [solved] Cannot install faulty signed packages

Something went wrong with your copy/paste. Remove the [⁣url] and [/⁣url] from your command.

Last edited by Slithery (2017-08-27 17:54:50)


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

Online

#27 2017-08-27 18:36:54

Llama
Banned
From: St.-Petersburg, Russia
Registered: 2008-03-03
Posts: 1,379

Re: [solved] Cannot install faulty signed packages

Thanks!

Offline

#28 2017-09-02 17:24:20

flipso
Member
Registered: 2017-09-01
Posts: 1

Re: [solved] Cannot install faulty signed packages

MIT pgp link worked for me.

Offline

#29 2017-09-11 11:54:43

hoschi
Member
From: Ulm (Germany)
Registered: 2008-11-03
Posts: 409

Re: [solved] Cannot install faulty signed packages

Hello!

FIX:

pacman -Sy archlinux-keyring

I want ask and suggest to improve the administrative situation or even code to ensure that something similiar in future doesn't happen again. It really scares users, because a key-sign-error actually should scare users and the right thing is - not fix it by hand! Am I right, that a key was made available to a maintainer who used it for [stable] while it was only available in [testing] and even later - only available through direct upgrade of archlinux-keyring or via a built-in gpg online-check? At least the later one is really ugly, nice if it works, but you cannot ever rely on it. Either you haven't online-access or a proxy/firewall restricts online-access (happens often with gpg).

In my case I was on holiday for two weeks. I'm sitting behind a corporate firewall/proxy, which means gpg online-checkups don't work:

pacman -Syyu
:: Synchronizing package databases...
 core                                                                                  124.4 KiB  4.67M/s 00:00 [###################################################################] 100%
 extra                                                                                1649.7 KiB  2.50M/s 00:01 [###################################################################] 100%
 community                                                                               4.0 MiB  1354K/s 00:03 [###################################################################] 100%
:: Starting full system upgrade...
:: Replace flatpak with extra/flatpak-builder? [Y/n] y
resolving dependencies...
looking for conflicting packages...
:: openmotif and lesstif are in conflict. Remove lesstif? [y/N] y

Packages (133) android-tools-8.0.0_r4-2  archlinux-appstream-data-20170909-1  archlinux-keyring-20170823-1  babl-0.1.30-1  binutils-2.29.0-1  btrfs-progs-4.12.1-1  cairo-perl-1.106-5
               chromium-61.0.3163.79-1  cmake-3.9.2-2  coreutils-8.28-1  curl-7.55.1-2  dnsmasq-2.77-4  e2fsprogs-1.43.6-1  empathy-3.12.14-1  exempi-2.4.3+2+g65a8492-1  expat-2.2.4-1
               fakeroot-1.22-1  fbida-2.13-2  file-5.32-1  firefox-55.0.3-1  flatpak-0.9.10-2  flatpak-0.9.8-1 [removal]  flatpak-builder-0.9.9-1  fontconfig-2.12.5-1
               foomatic-db-engine-4:4.0.12-6  fwupd-0.9.7-1  fwupdate-9-2  gcc-7.2.0-2  gcc-libs-7.2.0-2  gd-2.2.5-1  gdb-8.0.1-1  gdb-common-8.0.1-1  gegl-0.3.20-1  glib-perl-1.324-4
               glibc-2.26-3  gnome-online-accounts-3.24.3-1  gnome-photos-3.24.3-1  gnupg-2.2.0-1  go-2:1.9-1  gource-0.47-1  gpm-1.20.7-8  graphviz-2.40.1-9  gsm-1.0.17-1
               gtk-update-icon-cache-3.22.20-1  gtk2-perl-1.2498-7  gtk3-3.22.20-1  gtk3-print-backends-3.22.20-1  gtkspell-2.0.16-5  harfbuzz-1.5.1-1  harfbuzz-icu-1.5.1-1
               hunspell-1.6.2-1  iana-etc-20170824-1  imagemagick-6.9.9.12-1  iproute2-4.13.0-1  lesstif-0.95.2-6 [removal]  libblockdev-2.11-1  libdrm-2.4.83-1  libgcrypt-1.8.1-1
               libinput-1.8.2-1  libldap-2.4.45-4  liblouis-3.3.0-1  libmms-0.6.4-2  libperconaserverclient-5.7.19_17-2  libpng-1.6.32-1  libproxy-0.4.15-6  libpulse-11.0-1
               libpurple-2.12.0-4  libraw-0.18.3-1  libreoffice-fresh-5.4.1-1  libreoffice-fresh-de-5.4.1-1  libtommath-1.0.1-1  libtool-2.4.6+40+g6ca5e224-1  libva-mesa-driver-17.2.0-2
               libvirt-3.7.0-1  libvirt-python2-3.7.0-1  libxml2-2.9.5+6+g07e227ed-1  libxslt-1.1.30-1  linux-4.12.12-1  linux-api-headers-4.12.7-1  linux-headers-4.12.12-1
               lua52-bitop-1.0.2-8  mesa-17.2.0-2  mkinitcpio-23-2  nano-2.8.7-1  ncurses-6.0+20170902-1  net-snmp-5.7.3-7  ninja-1.8.1-1  opencv-3.3.0-2  openmotif-2.3.7-1
               os-prober-1.76-1  p11-kit-0.23.8-1  pacman-mirrorlist-20170907-1  pango-1.40.12-1  pango-perl-1.227-8  parallel-20170822-1  pcsc-perl-1.4.14-5  percona-server-5.7.19_17-2
               percona-server-clients-5.7.19_17-2  perl-5.26.0-4  perl-clone-0.39-4  perl-dbi-1.637-3  perl-error-0.17025-2  perl-file-which-1.21-3  perl-xml-libxml-2.0129-4
               perl-xml-parser-2.44-6  postgresql-libs-9.6.5-1  pulseaudio-11.0-1  pulseaudio-bluetooth-11.0-1  python-setuptools-1:36.3.0-1  python2-pyasn1-0.3.4-1
               python2-setuptools-1:36.3.0-1  qemu-2.10.0-1  rapidsvn-0.12.1-12  rhash-1.3.5-2  seahorse-3.20.0+105+gb31e32fe-1  sqlite-3.20.1-1  subversion-1.9.7-3
               thin-provisioning-tools-0.7.1-1  tslib-1.12-1  valgrind-3.13.0-3  vim-8.0.1066-1  vim-runtime-8.0.1066-1  virt-install-1.4.2-2  virt-manager-1.4.2-2
               vulkan-icd-loader-1.0.57.0-1  whois-5.2.18-1  wireshark-cli-2.4.1-1  wireshark-common-2.4.1-1  wireshark-gtk-2.4.1-1  wxgtk-common-3.0.3.1-9  wxgtk3-3.0.3.1-9
               xdg-user-dirs-0.16-1  xf86-video-intel-1:2.99.917+781+gc8990575-1

Total Download Size:    380.87 MiB
Total Installed Size:  2605.76 MiB
Net Upgrade Size:         3.45 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages...
 gcc-7.2.0-2-x86_64                                                                     29.2 MiB  1183K/s 00:25 [###################################################################] 100%
 linux-4.12.12-1-x86_64                                                                 64.6 MiB  2.32M/s 00:28 [###################################################################] 100%
 chromium-61.0.3163.79-1-x86_64                                                         55.6 MiB  3.27M/s 00:17 [###################################################################] 100%
 gsm-1.0.17-1-x86_64                                                                    34.4 KiB  0.00B/s 00:00 [###################################################################] 100%
 firefox-55.0.3-1-x86_64                                                                35.7 MiB  3.48M/s 00:10 [###################################################################] 100%
 flatpak-builder-0.9.9-1-x86_64                                                        114.8 KiB  1823K/s 00:00 [###################################################################] 100%
 go-2:1.9-1-x86_64                                                                      44.4 MiB  2.38M/s 00:19 [###################################################################] 100%
 libreoffice-fresh-5.4.1-1-x86_64                                                       93.6 MiB  2.97M/s 00:32 [###################################################################] 100%
 opencv-3.3.0-2-x86_64                                                                  23.5 MiB  2.89M/s 00:08 [###################################################################] 100%
 percona-server-5.7.19_17-2-x86_64                                                      34.1 MiB  3.29M/s 00:10 [###################################################################] 100%
(131/131) checking keys in keyring                                                                              [###################################################################] 100%
downloading required keys...
error: key "4A1AFC345EBE18F8" could not be looked up remotely
error: required key missing from keyring
error: failed to commit transaction (unexpected error)
Errors occurred, no packages were upgraded.

So the installed archlinux-keyring-20170611-1 didn't contained the key and current archlinux-keyring-20170823-1 [stable] was due to installation, but of course not in use during the upgrade. This fixed it:

pacman -Sy archlinux-keyring
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
resolving dependencies...
looking for conflicting packages...

Packages (1) archlinux-keyring-20170823-1

Total Installed Size:  0.96 MiB
Net Upgrade Size:      0.07 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring                                                                                  [###################################################################] 100%
(1/1) checking package integrity                                                                                [###################################################################] 100%
(1/1) loading package files                                                                                     [###################################################################] 100%
(1/1) checking for file conflicts                                                                               [###################################################################] 100%
(1/1) checking available disk space                                                                             [###################################################################] 100%
:: Processing package changes...
(1/1) upgrading archlinux-keyring                                                                               [###################################################################] 100%
==> Appending keys from archlinux.gpg...
key 786C63F330D7CB92:
2 signatures not checked due to missing keys
key A5E9288C4FA415FA:
5 signatures not checked due to missing keys
==> Locally signing trusted keys in keyring...
  -> Locally signing key DDB867B92AA789C165EEFA799B729B06A680C281...
  -> Locally signing key 684148BB25B49E986A4944C55184252D824B18E8...
  -> Locally signing key 91FFE0700E80619CEB73235CA88E23E377514E00...
  -> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
  -> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
  -> Locally signing key 44D4A033AC140143927397D47EFD567D4C7EA887...
==> Importing owner trust values...
==> Disabling revoked keys in keyring...
  -> Disabling key 7FA647CD89891DEDC060287BB9113D1ED21E1A55...
  -> Disabling key D4DE5ABDE2A7287644EAC7E36D1A9E70E19DAA50...
  -> Disabling key 40440DC037C05620984379A6761FAD69BA06C6A9...
  -> Disabling key BC1FBE4D2826A0B51E47ED62E2539214C6C11350...
  -> Disabling key 63F395DE2D6398BBE458F281F2DBB4931985A992...
  -> Disabling key 8F76BEEA0289F9E1D3E229C05F946DED983D4366...
  -> Disabling key 81D7F8241DB38BC759C80FCE3A726C6170E80477...
  -> Disabling key 5E7585ADFF106BFFBBA319DC654B877A0864983E...
  -> Disabling key E7210A59715F6940CF9A4E36A001876699AD6E84...
  -> Disabling key F5A361A3A13554B85E57DDDAAF7EF7873CFD4BB6...
  -> Disabling key 9515D8A8EAB88E49BB65EDBCE6B456CAF15447D5...
  -> Disabling key 4A8B17E20B88ACA61860009B5CED81B7C2E5C0D2...
  -> Disabling key 0B20CA1931F5DA3A70D0F8D2EA6836E1AB441196...
  -> Disabling key 66BD74A036D522F51DD70A3C7F2A16726521E06D...
  -> Disabling key 27FFC4769E19F096D41D9265A04F9397CDFD6BB0...
==> Updating trust database...
gpg: next trustdb check due at 2017-10-20
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...

Ironically - I have been affected by a generall outage on my DSL-Line at home, since my return from holiday. So even if I download all the upgraded packages for offline usage, the built-in gpg-check which needs a "free internet" will also fail if archlinux-keyring-20170823-1-any.pkg.tar.xz is not installed earlier. We shall not assume stable and correct working internet.

Thanks

Last edited by hoschi (2017-09-11 12:10:59)

Offline

#30 2017-09-12 02:03:07

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 3,161

Re: [solved] Cannot install faulty signed packages

hoschi wrote:

I want ask and suggest to improve the administrative situation or even code to ensure that something similiar in future doesn't happen again. It really scares users, because a key-sign-error actually should scare users and the right thing is - not fix it by hand!

That would be okay then, because this wasn't a keysign error. It was a keymissing error, which is completely different and not scary at all.

Am I right, that a key was made available to a maintainer who used it for [stable] while it was only available in [testing] and even later - only available through direct upgrade of archlinux-keyring or via a built-in gpg online-check? At least the later one is really ugly, nice if it works, but you cannot ever rely on it. Either you haven't online-access or a proxy/firewall restricts online-access (happens often with gpg).

No, it was not only available in testing. It was also immediately available on public keyservers.

Ironically - I have been affected by a generall outage on my DSL-Line at home, since my return from holiday. So even if I download all the upgraded packages for offline usage, the built-in gpg-check which needs a "free internet" will also fail if archlinux-keyring-20170823-1-any.pkg.tar.xz is not installed earlier. We shall not assume stable and correct working internet.

We don't, it doesn't matter whether you download the key from the internet, transfer it via USB, or print it to a piece of paper and then scan it back into the second computer. But I'd recommend just using a keyserver that operates over port 443, the standard HTTPS port which shouldn't be firewalled.

Or... just do exactly as you did and update the archlinux-keyring package...


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#31 2017-09-12 09:53:35

hoschi
Member
From: Ulm (Germany)
Registered: 2008-11-03
Posts: 409

Re: [solved] Cannot install faulty signed packages

I'm sorry, but I seem not to share your viewpoint. GPG has to work here silently as background-service without interaction of the user, we are using pacman for package-management and shouldn't care about GPG. So I definitely prefer the package update over manuallay configuring key-servers for GPG (which must meet certain requirements like available keys and ports...). GPG is good and the right way for building trust-chains, without own voodoo and staying with pacman as single interface avoids pitfalls. Manually working with GPG and relying on a connetion the random key-servers is apt to fail.

I remember a change in this a long time ago, about enforcing or not enforcing pacman-updates as first in sequence. Probably the point is, that updates of archlinux-keyring should execute always as first. This allows adding/removing keys for maintainers and instantly usage of the keys through the maintainers smile

Last edited by hoschi (2017-09-12 09:56:39)

Offline

#32 2017-09-12 10:12:33

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 3,161

Re: [solved] Cannot install faulty signed packages

hoschi wrote:

I'm sorry, but I seem not to share your viewpoint.

You should be sorry. Because you're also not sharing the viewpoint of like everyone involved in developing Arch Linux.

GPG has to work here silently as background-service without interaction of the user, we are using pacman for package-management and shouldn't care about GPG. So I definitely prefer the package update over manuallay configuring key-servers for GPG (which must meet certain requirements like available keys and ports...). GPG is good and the right way for building trust-chains, without own voodoo and staying with pacman as single interface avoids pitfalls. Manually working with GPG and relying on a connetion the random key-servers is apt to fail.

"has to"? Absolutely not, this is about your own personal wants, not universal needs. This was only even noticeable because your gpg configuration was broken, it is not pacman's fault that a software it relies on was broken.

I remember a change in this a long time ago, about enforcing or not enforcing pacman-updates as first in sequence. Probably the point is, that updates of archlinux-keyring should execute always as first. This allows adding/removing keys for maintainers and instantly usage of the keys through the maintainers smile

This is why the advice is to `pacman -Sy archlinux-keyring && pacman -Su`. If you don't like it, too bad, there is an extraordinarily good reason enforcing such things in pacman itself was long ago removed, feel free to use Manjaro if you think Arch Linux is just full of stupid people who don't understand package management -- they patched support for this back into pacman.

In fact, feel free to use Manjaro anyway, their whole schtick is "like Arch Linux, except you don't need to think about how you update" which seems to be exactly what you want.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#33 2017-09-12 11:46:13

hoschi
Member
From: Ulm (Germany)
Registered: 2008-11-03
Posts: 409

Re: [solved] Cannot install faulty signed packages

Thanks for your friendly tone. I didn't configured anything manually around GPG and PACMAN, because the officiall installation-guide cares about all of this in one step:

# pacstrap /mnt base base-devel

PACSTRAP copys, by default, the keyring from the installation-host.

On migration from PACMAN < 4.0 or to setup the PACMAN-KEYRING manually the following two steps are necessary:

# pacman-key --init
# pacman-key --populate archlinux

The possible solutions are already mentioned in the wiki. Probably your point is, that everybody has to know  - that new keys are already used to sign packages, which are likely not available on the user-system during a regular pacman -Syu. This is a lack of knowledge on my side.

This was only even noticeable because your gpg configuration was broken...

You presume here, that the user (i.e. me) has broken something.

Last edited by hoschi (2017-09-12 11:58:46)

Offline

#34 2017-09-12 22:51:46

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 3,161

Re: [solved] Cannot install faulty signed packages

1) No one said you had to configure anything yourself. That's why pacman-key exists... and it's also why we have information sources available for people who need to modify defaults that aren't working (either because of your firewall configuration, or simply because of a bug in gpg, does not make a difference in the outcome).

2) No one said you broke gpg, but it is certainly broken regardless on account of pacman's attempt to download a gpg key using gpg wouldn't fail... by definition it is "gpg" that is broken there, and it is therefore truthful to say "your gpg configuration is broken".

3) I am still not sure what your ideal solution that doesn't involve following the wiki directions might be. But I do know that this discussion is not currently being productive. You now have a couple choices:

a) Accept that this is the way things are intended, and resolve in future to follow the Wiki's advice.

b) Suggest some real, practical solution that does not violate the Arch Linux philosophy. Telling seblu he isn't allowed to publish package updates until the archlinux-keyring package migrates to core is not a solution BTW. For bonus points, the solution would do something actually useful like account for an expired key that needs to be updated in order to update the archlinux-keyring package itself.
I am pretty sure that solution is most likely "download key updates from a public gpg server". Teaching users how to debug gpg -- a usually-invisible aspect of pacman automatically configured for you by pacman-key/pacstrap -- when it breaks is a perfectly valid accompaniment to this.

c) Continue arguing here, after the current issue has already been solved, in a manner that achieves absolutely nothing other than a philosophy debate with me, eschwartz, who has no power to force allan to change anything in pacman, or the entire Dev and TU teams to hold to some arbitrary personal signing key management strategy. Which will eventually achieve a moderator getting sick of it, and closing the thread to stop you. You don't want to be that person. wink

Last edited by eschwartz (2017-09-12 22:55:07)


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#35 2017-09-13 05:52:31

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 9,524
Website

Re: [solved] Cannot install faulty signed packages

c) Continue arguing here, after the current issue has already been solved, in a manner that achieves absolutely nothing

I am going to remove this option from the table to prevent this topic veering any further into TGN.

Closing.


Sakura:-
Mobo: MSI X299 TOMAHAWK ARCTIC // Processor: Intel Core i7-7820X 3.6GHz // GFX: nVidia GeForce GTX 970 // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 5x 1TB HDD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.

Offline

Board footer

Powered by FluxBB