Hello dear community,
I am getting into the exciting process of maintaining my own Archlinux repository for sharing packages with all my machines, and maybe with other people if everything goes well. With security in mind, I have created a dedicated PGP key for signing my packages and Pacman database.
I have tried to import it into pacman using the following commands, as described in the pacman/Package signing wiki page:
# pacman-key --add my_public_key.asc
# pacman-key --lsign-key microjoe@microjoe.org
However, after these steps, syncing the database fails with the following:
microjoe 1084,0 B 0,00B/s 00:00 [##################################################################################] 100%
microjoe.sig 566,0 B 0,00B/s 00:00 [##################################################################################] 100%
erreur: microjoe: signature from "Romain Porte (Arch Repository Signing) <microjoe@microjoe.org>" is unknown trust
erreur: la mise à jour de microjoe a échoué (base de données invalide ou corrompue (signature PGP))
erreur: la base de données « microjoe » n’est pas valide (base de données invalide ou corrompue (signature PGP))
Some of the errors are in French because of my locale, but the first error line is plain English and is the root cause of the following messages.
I do not understand why my key would be of unknown trust if I --lsigned it.
When using SigLevel = TrustAll in my pacman.conf the sync works, but I do not want to use this hack; instead I want to add my package signing public key to the trusted keyring on my machine.
Thanks for your help.
Last edited by MicroJoe (2017-09-27 20:34:25)
You need to trust the key as well as lsign it:
pacman-key --edit-key $key
Then type "trust" and "quit".
This worked, thanks.
I am wondering why this page of the wiki does not mention this step: https://wiki.archlinux.org/index.php/Pa … icial_keys
Can I update it with this information? There is obviously a missing step at the end of the explanation of the wiki.
I think you only have to do that to your own keys. I have imported some keys in the past and never had to trust them.
> I think you only have to do that to your own keys. I have imported some keys in the past and never had to trust them.
You probably imported developer keys that are signed by the distro master keys. The master keys are trusted (this happens at install), so developer keys work via the web of trust.
Keys signed by a key with Ultimate trust should be fully trusted. It works for me.
> You probably imported developer keys that are signed by the distro master keys. The master keys are trusted (this happens at install), so developer keys work via the web of trust.
Thanks for that Allan. That was indeed the case.
I just tested it; lsign-key does the job.
# pacman-key --recv-keys 78884791A9CA8A156726CBA0C6A792822F203A39
gpg: key C6A792822F203A39: public key "Doug Newgard <dnewgard@outlook.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
==> Updating trust database...
gpg: next trustdb check due at 2017-10-20
# pacman-key --list-keys Doug
pub rsa4096 2015-05-11 [SC]
78884791A9CA8A156726CBA0C6A792822F203A39
uid [ unknown] Doug Newgard <dnewgard@outlook.com>
uid [ unknown] Doug Newgard <dnewgard@hotmail.com>
uid [ unknown] Doug Newgard <scimmia@archlinux.info>
sub rsa2048 2015-05-11 [E] [expires: 2018-05-01]
sub rsa2048 2015-05-11 [S] [expires: 2018-05-01]
sub rsa2048 2015-05-11 [A] [expires: 2018-05-01]
# pacman-key --lsign-key 78884791A9CA8A156726CBA0C6A792822F203A39
-> Locally signing key 78884791A9CA8A156726CBA0C6A792822F203A39...
==> Updating trust database...
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 7 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 7 signed: 73 trust: 1-, 0q, 0n, 6m, 0f, 0u
gpg: depth: 2 valid: 72 signed: 10 trust: 72-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2017-10-20
# pacman-key --list-keys Doug
pub rsa4096 2015-05-11 [SC]
78884791A9CA8A156726CBA0C6A792822F203A39
uid [ full ] Doug Newgard <dnewgard@outlook.com>
uid [ full ] Doug Newgard <dnewgard@hotmail.com>
uid [ full ] Doug Newgard <scimmia@archlinux.info>
sub rsa2048 2015-05-11 [E] [expires: 2018-05-01]
sub rsa2048 2015-05-11 [S] [expires: 2018-05-01]
sub rsa2048 2015-05-11 [A] [expires: 2018-05-01]
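As an added illustration (not code from this thread, from pacman or from GnuPG), the following Python model shows why a local signature from the keyring's own master key is enough to make a key valid, and why imported developer keys validate through the distro master keys. pacman-key's keyring uses GnuPG's "pgp" trust model, whose parameters appear in the --lsign-key output above ("marginals needed: 3 completes needed: 1"). The key names LOCAL-MASTER, DISTRO-MASTER, DEV and MINE, and the listing sample, are constructed placeholders; the model is simplified and ignores signature expiry and revocation.

```python
# Added example, not from the thread: a simplified model of GnuPG's "pgp"
# trust model as used by pacman-key's keyring, plus a parser for the
# validity column of `pacman-key --list-keys` output.
# LOCAL-MASTER, DISTRO-MASTER, DEV and MINE are constructed placeholders,
# not real fingerprints.
import re
from dataclasses import dataclass, field

MARGINALS_NEEDED = 3   # gpg default: three marginally trusted signers
COMPLETES_NEEDED = 1   # gpg default: one fully trusted signer
MAX_CERT_DEPTH = 5     # gpg default certification chain length


@dataclass
class Key:
    fpr: str
    ownertrust: str = "unknown"                  # unknown|marginal|full|ultimate
    signed_by: set = field(default_factory=set)  # fingerprints that certified this key


def compute_validity(keys):
    """Return {fingerprint: validity}, validity in unknown|marginal|full|ultimate.

    A key is valid if it is ultimately trusted itself, or if it carries
    certifications from enough *valid* keys whose owner trust is full
    (COMPLETES_NEEDED) or marginal (MARGINALS_NEEDED). Owner trust alone
    never makes a non-ultimate key valid; only signatures by valid keys do.
    """
    validity = {f: ("ultimate" if k.ownertrust == "ultimate" else "unknown")
                for f, k in keys.items()}
    for _depth in range(MAX_CERT_DEPTH):
        changed = False
        for fpr, key in keys.items():
            if validity[fpr] in ("full", "ultimate"):
                continue
            completes = marginals = 0
            for signer in key.signed_by:
                s = keys.get(signer)
                # A signature only counts if the signer's key is itself valid...
                if s is None or validity[signer] not in ("full", "ultimate"):
                    continue
                # ...and the signer has been assigned owner trust.
                if s.ownertrust in ("full", "ultimate"):
                    completes += 1
                elif s.ownertrust == "marginal":
                    marginals += 1
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                validity[fpr] = "full"
                changed = True
            elif marginals and validity[fpr] == "unknown":
                validity[fpr] = "marginal"
                changed = True
        if not changed:
            break
    return validity


def distro_keyring():
    """What pacman-key --init / --populate leaves behind (simplified, constructed)."""
    return {
        # --init creates a local master key with ultimate trust
        "LOCAL-MASTER": Key("LOCAL-MASTER", ownertrust="ultimate"),
        # --populate locally signs the distro master keys and gives them full owner trust
        "DISTRO-MASTER": Key("DISTRO-MASTER", ownertrust="full", signed_by={"LOCAL-MASTER"}),
        # a developer key certified by the distro master key needs no owner trust of its own
        "DEV": Key("DEV", signed_by={"DISTRO-MASTER"}),
    }


def own_key_keyring(lsigned, ownertrust="unknown"):
    """A freshly imported personal repository key, with or without --lsign-key,
    and with whatever owner trust was set via --edit-key."""
    keys = {"LOCAL-MASTER": Key("LOCAL-MASTER", ownertrust="ultimate")}
    keys["MINE"] = Key("MINE", ownertrust=ownertrust,
                       signed_by={"LOCAL-MASTER"} if lsigned else set())
    return keys


UID_RE = re.compile(r"^uid\s+\[\s*(\w+)\s*\]")


def uid_validities(listing):
    """Extract the validity shown for each uid in `pacman-key --list-keys` output."""
    return [m.group(1) for line in listing.splitlines()
            if (m := UID_RE.match(line.strip()))]


# Constructed sample modelled on the listing in the thread, before and after lsign.
BEFORE = """pub   rsa4096 2015-05-11 [SC]
      0000000000000000000000000000000000000000
uid           [ unknown] Example Packager <packager@example.invalid>
"""
AFTER = BEFORE.replace("[ unknown]", "[  full  ]")

if __name__ == "__main__":
    print("developer key via web of trust:", compute_validity(distro_keyring())["DEV"])
    print("own key, imported only:", compute_validity(own_key_keyring(False))["MINE"])
    print("own key, after --lsign-key:", compute_validity(own_key_keyring(True))["MINE"])
    print("listing before/after lsign:", uid_validities(BEFORE), uid_validities(AFTER))
```

The practical check is the last function: after importing and locally signing a key, run pacman-key --list-keys on it and confirm every uid shows "full" rather than "unknown" before pointing a repository at it; "unknown trust" in the sync error corresponds exactly to that column.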
Can you install a package signed by that key?
I have in the past, but I don't have anything around right now to test with. I can try that later.