You are not logged in.

#1 2018-01-09 01:57:58

qkrruddnjs12
Member
Registered: 2018-01-09
Posts: 2

[SOLVED] Can I trust this PGP key?

Today I tried to do update with

sudo pacman -Syu

then is says...

Packages (6) argon2-20171227-3  blender-17:2.79-9  jansson-2.10-3  krita-3.3.3-1  mpfi-1.5.2-1  pari-2.9.4-1

Total Installed Size:  361.00 MiB
Net Upgrade Size:       -1.24 MiB

:: Proceed with installation? [Y/n] y
(6/6) checking keys in keyring                                                                     [##########################################################] 100%
downloading required keys...
:: Import PGP key 4096R/BD27B07A5EF45C2ADAF70E0484818A6819AF4A9B, "Eli Schwartz <eschwartz93@gmail.com>", created: 2016-05-04? [Y/n] 

Would it be okay to press Y in here?

How do I find out which PGP key can be trusted and which are not?

Last edited by qkrruddnjs12 (2018-01-09 02:37:41)

Offline

#2 2018-01-09 02:11:58

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: [SOLVED] Can I trust this PGP key?

I'm telling you that that key can be trusted. big_smile

But seriously, this happens every time a new Trusted User is added.

Importing a PGP key does not designate it as a "trusted" key, the fact that that key has been signed by three or more of the Arch Linux Master Keys to form a PGP web of trust is what designates it as trusted.

Your other option is to first install the new archlinux-keyring package from the testing repository.

P.S. The forums do not accept arbitrary HTML, so instead you should use BBCode and specifically:

[code]This is some code.[/code]

Last edited by eschwartz (2018-01-09 02:14:06)


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#3 2018-01-09 02:15:04

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,441
Website

Re: [SOLVED] Can I trust this PGP key?

https://wiki.archlinux.org/index.php/Pa … g_PGP_keys

https://www.archlinux.org/master-keys/

Also see https://bbs.archlinux.org/help.php#bbcode

(edit: too slow on all counts.  But really would you trust eschwartz answering you that eschwartz could be trusted?! tongue)

Last edited by Trilby (2018-01-09 02:16:12)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#4 2018-01-09 02:26:50

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: [SOLVED] Can I trust this PGP key?

Trilby wrote:

(edit: too slow on all counts.  But really would you trust eschwartz answering you that eschwartz could be trusted?! tongue)

It certainly makes my life easier...


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#5 2018-01-09 02:31:41

qkrruddnjs12
Member
Registered: 2018-01-09
Posts: 2

Re: [SOLVED] Can I trust this PGP key?

Thanks you for replies!

I'll make sure to use BBCode next time

Offline

#6 2018-01-09 02:37:15

fsckd
Forum Fellow
Registered: 2009-06-15
Posts: 4,173

Re: [SOLVED] Can I trust this PGP key?

Don't forget to mark this thread as solved as directed in the code of conduct.


aur S & M :: forum rules :: Community Ethos
Resources for Women, POC, LGBT*, and allies

Offline

#7 2018-01-09 04:34:34

c00ter
Member
From: Alaskan in Washington State
Registered: 2014-08-28
Posts: 386

Re: [SOLVED] Can I trust this PGP key?

Related?: https://bbs.archlinux.org/viewtopic.php … 3#p1759903

Eschwartz wrote:
Trilby wrote:

(edit: too slow on all counts.  But really would you trust eschwartz answering you that eschwartz could be trusted?! tongue)

It certainly makes my life easier...

As long as you stay on IRC, apparently. wink

Last edited by c00ter (2018-01-09 04:38:16)


UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things. -- Doug Gwyn

Offline

#8 2018-01-27 04:49:46

DavidEGrayson
Member
Registered: 2012-12-11
Posts: 10

Re: [SOLVED] Can I trust this PGP key?

Hello, Eli Schwartz.  I am having trouble with your key having marginal trust:

error: opendkim: signature from "Eli Schwartz <eschwartz@archlinux.org>" is marginal trust
:: File /var/cache/pacman/pkg/opendkim-2.10.3-5-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).

I also get the same error message when trying to install dovecot-2.3.0-2-x86_64.pkg.tar.xz.

What's going on?  I tried to enable the 'testing' repository but and the latest version of the archlinux-keyring package I can install is 20180108-1.  What version has your keys in it?

Here is a shell session (with the testing repo disabled) showing how I updated archlinux-keyring but I still have errors checking your signature on the opendkim package:

https://gist.github.com/DavidEGrayson/4 … 82aaca6f7f

So what commands am I supposed to run to get your key trusted?  Thanks!

--David

Last edited by DavidEGrayson (2018-01-27 04:54:27)

Offline

#9 2018-01-27 04:54:04

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,461

Re: [SOLVED] Can I trust this PGP key?

Marginal trust has nothing to do with this thread. Read https://bbs.archlinux.org/viewtopic.php?id=233480 and https://bbs.archlinux.org/viewtopic.php?id=233710, then start your own thread if you can't figure it out.

Offline

#10 2018-01-27 04:54:59

headkase
Member
Registered: 2011-12-06
Posts: 1,975

Re: [SOLVED] Can I trust this PGP key?

DavidEGrayson wrote:

Hello, Eli Schwartz.  I am having trouble with your key having marginal trust when checking the signature:

error: opendkim: signature from "Eli Schwartz <eschwartz@archlinux.org>" is marginal trust
:: File /var/cache/pacman/pkg/opendkim-2.10.3-5-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).

What's going on?  I tried to enable the 'testing' repository but and the latest version of the archlinux-keyring package I can install is 20180108-1.  What version has your keys in it?

Here is a shell session (with the testing repo disabled) showing how I updated archlinux-keyring but I still have errors checking your signature on the opendkim package:

https://gist.github.com/DavidEGrayson/4 … 82aaca6f7f

So what commands am I supposed to run to get your key trusted?

--David

You should delete the cached package in /var first in case the download was actually corrupted.  After that try to update again which will redownload the package.  If that fails then continue other steps.

Offline

#11 2018-01-27 04:56:57

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,461

Re: [SOLVED] Can I trust this PGP key?

headkase wrote:

You should delete the cached package in /var first in case the download was actually corrupted.  After that try to update again which will redownload the package.  If that fails then continue other steps.

No. Read the actual error, it has nothing to do with the download.

Offline

#12 2018-01-27 04:58:05

headkase
Member
Registered: 2011-12-06
Posts: 1,975

Re: [SOLVED] Can I trust this PGP key?

Scimmia wrote:
headkase wrote:

You should delete the cached package in /var first in case the download was actually corrupted.  After that try to update again which will redownload the package.  If that fails then continue other steps.

No. Read the actual error, it has nothing to do with the download.

I defer to an actual bug wrangler.

Offline

#13 2018-01-27 05:00:57

DavidEGrayson
Member
Registered: 2012-12-11
Posts: 10

Re: [SOLVED] Can I trust this PGP key?

Wow, thanks for the fast response!  The two commands posted here by zpg443 in the thread you linked to did the trick for me:  https://bbs.archlinux.org/viewtopic.php … 6#p1760826

--David

Offline

Board footer

Powered by FluxBB