#1 2018-08-03 01:35:54

eduncan911
Member
Registered: 2015-05-02
Posts: 93

[SOLVED] ERROR: One or more PGP signatures could not be verified!

I'm trying to figure out if this is a problem with the package, PGP keyring, or the developer's signing key - and where to go from here.

$ makepkg -sri
...
==> Verifying source file signatures with gpg...
    xen-4.11.0.tar.gz ... FAILED (unknown public key 83FE14C957E82BD9)
==> ERROR: One or more PGP signatures could not be verified!

I rebuilt the Pacman Keyring via the wiki instructions.  Refreshed all keys again, etc.  Same error.

Attempting to import the key manually.

$ sudo pacman-key --recv-keys 83FE14C957E82BD9
gpg: key 83FE14C957E82BD9: 5 signatures not checked due to missing keys
gpg: key 83FE14C957E82BD9: "Xen.org Xen tree code signing (signatures on the xen hypervisor and tools) <pgp@xen.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
==> Updating trust database...
gpg: next trustdb check due at 2018-10-19

Maybe the 5 signatures not checked is a hint... I tried to sign it locally.

$ sudo pacman-key --lsign-key 83FE14C957E82BD9
  -> Locally signing key 83FE14C957E82BD9...
==> Updating trust database...
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: bad data signature from key 20E8A9C77716EB4F: Wrong key usage (0x19, 0x2)
gpg: depth: 0  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: bad data signature from key 20E8A9C77716EB4F: Wrong key usage (0x19, 0x2)
gpg: depth: 1  valid:   6  signed:  81  trust: 1-, 0q, 0n, 5m, 0f, 0u
gpg: depth: 2  valid:  72  signed:  13  trust: 72-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2018-10-19

Continuing down this rabbit hole, I checked 20E8A9C77716EB4F:

$ sudo pacman-key --finger 20E8A9C77716EB4F
gpg: bad data signature from key 20E8A9C77716EB4F: Wrong key usage (0x19, 0x2)
pub   rsa4096 2015-12-29 [SC]
      54EB 4D6D B209 862C 8945  CACC ED84 945B 35B2 555C
uid           [  full  ] Robin Broda <robin@broda.me>
uid           [  full  ] Robin Broda <rob@coderobe.net>
sub   rsa2048 2015-12-29 [E] [expires: 2023-12-27]
sub   rsa2048 2015-12-29 [SA] [expires: 2023-12-27]

This is a new bare-bones install of Arch with console only.  As a matter of fact, the only package to be installed is Xen besides openssh and a few system utils (Vim, reflector, etc).

Last edited by eduncan911 (2018-08-03 01:49:17)

#2 2018-08-03 01:43:15

Alad
Wiki Admin/IRC Op/TU
From: Bagelstan
Registered: 2014-05-04
Posts: 1,999

Re: [SOLVED] ERROR: One or more PGP signatures could not be verified!

https://wiki.archlinux.org/index.php/Ma … e_checking

Note: The signature checking implemented in makepkg does not use pacman's keyring, instead relying on the user's keyring.[1]


Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby
Honest Alad's Package Emporium—Now with added bugs! (Grand reopening: December 1st 2018)

#3 2018-08-03 01:48:50

eduncan911
Member
Registered: 2015-05-02
Posts: 93

Re: [SOLVED] ERROR: One or more PGP signatures could not be verified!

Alad wrote:

https://wiki.archlinux.org/index.php/Ma … e_checking

Note: The signature checking implemented in makepkg does not use pacman's keyring, instead relying on the user's keyring.[1]

Doh.  That was it!

Funny, I've never run across this issue before.  I've been away from Arch for a few years; I guess I'm rusty, or something may have changed.

Thanks again!

#4 2018-08-03 01:54:40

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 22,268

Re: [SOLVED] ERROR: One or more PGP signatures could not be verified!

eduncan911 wrote:

I've been away from Arch for a few years; I guess I'm rusty, or something may have changed.

Signed AUR packages are not (yet) the norm.  I don't have a great sense of what portion of them have sigs, but it is far from the majority - and that's today.  A few years ago there may not have been any.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

#5 2018-08-03 02:39:07

eduncan911
Member
Registered: 2015-05-02
Posts: 93

Re: [SOLVED] ERROR: One or more PGP signatures could not be verified!

Trilby wrote:
eduncan911 wrote:

I've been away from Arch for a few years; I guess I'm rusty, or something may have changed.

Signed AUR packages are not (yet) the norm.  I don't have a great sense of what portion of them have sigs, but it is far from the majority - and that's today.  A few years ago there may not have been any.

Thank you very much for that!  Because I've been racking my brain about PGP signing packages as I've read about it long ago but never recall running into this kind of problem.

And in light of things, I very much agree to this approach.  It forces me to follow PGP's standard policies of:

* receive the keys from a known source, such as a PGP keyring
* give the chance to reach out to "trust" the person really uses that key
* locally sign the key

It's just that it requires good knowledge of PGP.

However, it was my fault for skipping over the Configuration section of makepkg and going straight to how to install.

Last edited by eduncan911 (2018-08-03 02:39:26)

#6 2018-08-03 04:12:43

Scimmia
Bug Wrangler
Registered: 2012-09-01
Posts: 7,313

Re: [SOLVED] ERROR: One or more PGP signatures could not be verified!

Only the first point in your list is necessary. The rest is taken care of by the maintainer and makepkg.

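An added worked example, not code from this thread or from makepkg/pacman, that ties Alad's point (makepkg checks the user's ~/.gnupg keyring, never pacman's /etc/pacman.d/gnupg) to Scimmia's (the maintainer pins the accepted fingerprints in the PKGBUILD's validpgpkeys array, so the user only has to import the key). It parses a constructed PKGBUILD fragment and the makepkg output posted above, then classifies each "unknown public key" ID: pinned and merely missing from the user keyring (import it with gpg, not pacman-key), pinned and already in pacman's keyring (exactly the confusion in post #1), or not pinned at all (importing or locally signing it would not help, and the mismatch deserves a look at the PKGBUILD). The 40-digit fingerprint is constructed: a placeholder prefix followed by the real long key ID from the thread.

```python
"""Explain a makepkg 'unknown public key' failure against the PKGBUILD's
pinned validpgpkeys and the two keyrings involved (added example)."""
import re
from typing import Dict, Iterable, List

# Constructed values: only the 16-hex long key ID comes from the thread.
# A long key ID is the last 16 hex digits of the v4 fingerprint, so any
# pinned fingerprint ending in it refers to the reported key.
XEN_KEY_ID = "83FE14C957E82BD9"
PINNED_FPR = "0" * 24 + XEN_KEY_ID  # placeholder prefix, not the real one

# Constructed PKGBUILD fragment (not the real xen PKGBUILD).
SAMPLE_PKGBUILD = (
    "pkgname=xen\n"
    "pkgver=4.11.0\n"
    "source=(\"https://example.invalid/xen-4.11.0.tar.gz\"\n"
    "        \"https://example.invalid/xen-4.11.0.tar.gz.sig\")\n"
    "validpgpkeys=('" + PINNED_FPR + "')  # Xen.org code signing key\n"
)

# makepkg output as posted in the thread.
SAMPLE_MAKEPKG_OUTPUT = (
    "==> Verifying source file signatures with gpg...\n"
    "    xen-4.11.0.tar.gz ... FAILED (unknown public key 83FE14C957E82BD9)\n"
    "==> ERROR: One or more PGP signatures could not be verified!\n"
)

_VALIDPGPKEYS_RE = re.compile(r"validpgpkeys=\((.*?)\)", re.DOTALL)
_FINGERPRINT_RE = re.compile(r"\b[0-9A-Fa-f]{40}\b")
_UNKNOWN_KEY_RE = re.compile(r"FAILED \(unknown public key ([0-9A-Fa-f]{16})\)")


def parse_validpgpkeys(pkgbuild: str) -> List[str]:
    """Full fingerprints pinned by the PKGBUILD (multi-line arrays, any case)."""
    m = _VALIDPGPKEYS_RE.search(pkgbuild)
    if not m:
        return []
    return [f.upper() for f in _FINGERPRINT_RE.findall(m.group(1))]


def parse_unknown_keys(makepkg_output: str) -> List[str]:
    """Long key IDs that makepkg reported as unknown."""
    return [k.upper() for k in _UNKNOWN_KEY_RE.findall(makepkg_output)]


def plan_imports(pkgbuild: str, makepkg_output: str,
                 user_keyring: Iterable[str],
                 pacman_keyring: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Classify each unknown key ID.

    to_import      -- pinned fingerprints absent from the user's keyring;
                      these are what `gpg --recv-keys` must fetch
    only_in_pacman -- subset of to_import already held by pacman-key, which
                      makepkg never consults (the situation in post #1)
    unpinned       -- key IDs no validpgpkeys entry ends with; importing or
                      lsigning them cannot make makepkg accept the signature
    """
    pinned = parse_validpgpkeys(pkgbuild)
    user = {f.upper() for f in user_keyring}
    pacman = {f.upper() for f in pacman_keyring}
    plan: Dict[str, List[str]] = {"to_import": [], "only_in_pacman": [], "unpinned": []}
    for key_id in parse_unknown_keys(makepkg_output):
        matches = [f for f in pinned if f.endswith(key_id)]
        if not matches:
            plan["unpinned"].append(key_id)
            continue
        for fpr in matches:
            if fpr in user:
                continue  # makepkg would not have called this key unknown
            plan["to_import"].append(fpr)
            if fpr in pacman:
                plan["only_in_pacman"].append(fpr)
    return plan


def import_commands(plan: Dict[str, List[str]]) -> List[str]:
    """Commands for the building user (not root, not pacman-key) to run."""
    return ["gpg --recv-keys " + fpr for fpr in plan["to_import"]]


if __name__ == "__main__":
    # Simulate the thread: pacman-key imported the key into pacman's
    # keyring, while the user's ~/.gnupg has never seen it.
    p = plan_imports(SAMPLE_PKGBUILD, SAMPLE_MAKEPKG_OUTPUT,
                     user_keyring=set(), pacman_keyring={PINNED_FPR})
    for fpr in p["only_in_pacman"]:
        print(fpr + ": in pacman's keyring but not the user's; makepkg checks only the latter")
    for cmd in import_commands(p):
        print(cmd)
    for key_id in p["unpinned"]:
        print(key_id + ": not pinned in validpgpkeys; check the PKGBUILD and .sig")
```

Run it as the user who invokes makepkg; the `gpg --recv-keys` line it prints is the fix from post #2, and the unpinned branch is why Scimmia's reply holds: trust decisions are already encoded by the maintainer's fingerprint pin, so `--lsign-key` adds nothing for makepkg.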

#7 2018-08-03 11:20:33

eduncan911
Member
Registered: 2015-05-02
Posts: 93

Re: [SOLVED] ERROR: One or more PGP signatures could not be verified!

Scimmia wrote:

Only the first point in your list is necessary. The rest is taken care of by the maintainer and makepkg.

True... if you trust the maintainer and source.

(Referencing the Malware found in the AUR recently, yet again)

Coming from Qubes OS on my laptop and setting up this gateway as a very secure system, I was a bit wary of installing anything from AUR in dom0.  But as it turns out, I have to, to install Xen - as it's from the AUR!

I wonder why Xen hasn't been moved to mainline.
