
#1 2017-09-27 20:31:14

MicroJoe
Member
From: France
Registered: 2012-06-10
Posts: 21

pacman-key --lsign-key on my very own key does not trust it

Hello dear community,

I am getting in the exciting process of maintaining my own Archlinux repository for sharing packages with all my machines and maybe other people if everything goes well. With security in mind I have created a dedicated PGP key for signing my packages and Pacman database.

I have tried to import it in pacman using the following commands as described in the pacman/Package signing wiki page:

# pacman-key --add my_public_key.asc
# pacman-key --lsign-key microjoe@microjoe.org

However after these steps syncing the database will fail with the following:

 microjoe                                                                                                     1084,0   B  0,00B/s 00:00 [##################################################################################] 100%
 microjoe.sig                                                                                                  566,0   B  0,00B/s 00:00 [##################################################################################] 100%
erreur: microjoe: signature from "Romain Porte (Arch Repository Signing) <microjoe@microjoe.org>" is unknown trust
erreur: la mise à jour de microjoe a échoué (base de données invalide ou corrompue (signature PGP))
erreur: la base de données « microjoe » n’est pas valide (base de données invalide ou corrompue (signature PGP))

Some errors are in French because of my locale (the second part), but the first error line is plain English and is the root cause of the following messages.

I do not understand why my key would be unknown trust if I --lsigned it.

When using SigLevel = TrustAll in my pacman.conf the sync works, but I do not want to use this hack and instead add my package signing public key to my trusted keyring on my machine.

Thanks for your help.

Last edited by MicroJoe (2017-09-27 20:34:25)


#2 2017-09-28 01:52:17

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,365

Re: pacman-key --lsign-key on my very own key does not trust it

You need to trust the key as well as lsign it:

pacman-key --edit-key $key

Then type "trust" and "quit".


#3 2017-09-29 19:49:16

MicroJoe
Member
From: France
Registered: 2012-06-10
Posts: 21

Re: pacman-key --lsign-key on my very own key does not trust it

This worked, thanks.

I am wondering why this page of the wiki does not mention this step: https://wiki.archlinux.org/index.php/Pa … icial_keys

Can I update it with this information? There is obviously a missing step at the end of the explanation of the wiki.


#4 2017-09-29 20:04:47

circleface
Member
Registered: 2012-05-26
Posts: 639

Re: pacman-key --lsign-key on my very own key does not trust it

I think you only have to do that to your own keys.  I have imported some keys in the past and never had to trust them.


#5 2017-09-29 21:53:52

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,365

Re: pacman-key --lsign-key on my very own key does not trust it

circleface wrote:

I think you only have to do that to your own keys.  I have imported some keys in the past and never had to trust them.

You probably imported developer keys that are signed by the distro master keys. The master keys are trusted (happens at install), so developer keys work via web of trust.


#6 2017-09-29 22:31:52

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,466

Re: pacman-key --lsign-key on my very own key does not trust it

Keys signed by a key with Ultimate trust should be fully trusted. It works for me.


#7 2017-09-29 22:53:52

circleface
Member
Registered: 2012-05-26
Posts: 639

Re: pacman-key --lsign-key on my very own key does not trust it

Allan wrote:

You probably imported developer keys that are signed by the distro master keys. The master keys are trusted (happens at install), so developer keys work via web of trust.

Thanks for that, Allan. That was indeed the case.


#8 2017-09-29 23:03:19

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,466

Re: pacman-key --lsign-key on my very own key does not trust it

I just tested it, lsign-key does the job.

# pacman-key --recv-keys 78884791A9CA8A156726CBA0C6A792822F203A39
gpg: key C6A792822F203A39: public key "Doug Newgard <dnewgard@outlook.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
==> Updating trust database...
gpg: next trustdb check due at 2017-10-20

# pacman-key --list-keys Doug
pub   rsa4096 2015-05-11 [SC]
      78884791A9CA8A156726CBA0C6A792822F203A39
uid           [ unknown] Doug Newgard <dnewgard@outlook.com>
uid           [ unknown] Doug Newgard <dnewgard@hotmail.com>
uid           [ unknown] Doug Newgard <scimmia@archlinux.info>
sub   rsa2048 2015-05-11 [E] [expires: 2018-05-01]
sub   rsa2048 2015-05-11 [S] [expires: 2018-05-01]
sub   rsa2048 2015-05-11 [A] [expires: 2018-05-01]

# pacman-key --lsign-key 78884791A9CA8A156726CBA0C6A792822F203A39
  -> Locally signing key 78884791A9CA8A156726CBA0C6A792822F203A39...
==> Updating trust database...
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   7  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   7  signed:  73  trust: 1-, 0q, 0n, 6m, 0f, 0u
gpg: depth: 2  valid:  72  signed:  10  trust: 72-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2017-10-20

# pacman-key --list-keys Doug
pub   rsa4096 2015-05-11 [SC]
      78884791A9CA8A156726CBA0C6A792822F203A39
uid           [  full  ] Doug Newgard <dnewgard@outlook.com>
uid           [  full  ] Doug Newgard <dnewgard@hotmail.com>
uid           [  full  ] Doug Newgard <scimmia@archlinux.info>
sub   rsa2048 2015-05-11 [E] [expires: 2018-05-01]
sub   rsa2048 2015-05-11 [S] [expires: 2018-05-01]
sub   rsa2048 2015-05-11 [A] [expires: 2018-05-01]

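A small check that automates what Scimmia's before/after listings in #8 show, and that tells you whether the extra trust step from #2 is still needed: it parses `pacman-key --list-keys` output and only accepts a key whose uids all carry full or ultimate validity. This is an added example, not code from the thread or from pacman; the two listings are copied from the post above and embedded as sample input so it runs offline.

```shell
#!/bin/sh
# Sample input: the two listings from post #8, before and after --lsign-key.
BEFORE='pub   rsa4096 2015-05-11 [SC]
      78884791A9CA8A156726CBA0C6A792822F203A39
uid           [ unknown] Doug Newgard <dnewgard@outlook.com>
uid           [ unknown] Doug Newgard <dnewgard@hotmail.com>
uid           [ unknown] Doug Newgard <scimmia@archlinux.info>
sub   rsa2048 2015-05-11 [S] [expires: 2018-05-01]'

AFTER='pub   rsa4096 2015-05-11 [SC]
      78884791A9CA8A156726CBA0C6A792822F203A39
uid           [  full  ] Doug Newgard <dnewgard@outlook.com>
uid           [  full  ] Doug Newgard <dnewgard@hotmail.com>
uid           [  full  ] Doug Newgard <scimmia@archlinux.info>
sub   rsa2048 2015-05-11 [S] [expires: 2018-05-01]'

# uid_validity LISTING
# Prints the validity word shown in brackets on each uid line, one per line
# (e.g. "unknown", "full", "ultimate").
uid_validity() {
    printf '%s\n' "$1" | awk -F'[][]' '/^uid/ { gsub(/ /, "", $2); print $2 }'
}

# key_validity_ok LISTING
# Returns 0 only if the listing has at least one uid and every uid is
# "full" or "ultimate"; any "unknown"/"marginal" uid makes it return 1,
# which is the state that produces pacman's "is unknown trust" error.
key_validity_ok() {
    if printf '%s\n' "$1" | awk '
        /^uid/ { if ($0 ~ /\[ *(full|ultimate) *\]/) ok++; else bad++ }
        END { exit ((bad == 0 && ok > 0) ? 0 : 1) }'
    then
        return 0
    else
        return 1
    fi
}

# Live use on a real system (assumed key id as a placeholder):
#   key_validity_ok "$(pacman-key --list-keys KEYID)" || echo "run pacman-key --edit-key KEYID, trust, quit"
```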

#9 2017-09-30 07:43:17

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,365

Re: pacman-key --lsign-key on my very own key does not trust it

Can you install a package signed by that key?


#10 2017-09-30 11:57:38

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,466

Re: pacman-key --lsign-key on my very own key does not trust it

I have in the past, don't have anything around right now to test with. Can try that later.

