You are not logged in.
- Topics: Active | Unanswered
#1 2019-07-04 02:14:15
- jakbyte
- Member
- From: United States
- Registered: 2019-07-04
- Posts: 2
[Solved] tor-browser PGP sig can't be verified; gpg says it's too big
When I build tor-browser, everything runs just fine, but it finishes with:
==> Verifying source file signatures with gpg...
tor-browser-linux64-8.5.3_en-US.tar.xz ... FAILED (unknown public key EB774491D9FF06E2)
==> ERROR: One or more PGP signatures could not be verified!
==> ERROR: Makepkg was unable to build tor-browser.So I run:
gpg --recv-keys EB774491D9FF06E2But that outputs:
gpg: key 4E2C6E8793298290: 2 duplicate signatures removed
gpg: key 4E2C6E8793298290: 100310 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 2 signatures reordered
gpg: error writing keyring '/home/jakbyte/.gnupg/pubring.kbx': Provided object is too large
gpg: key 4E2C6E8793298290: public key "[User ID not found]" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: not imported: 1Does anyone know a fix? I've searched a bit, but to no specific answer.
(Also, does this belong in AUR Issues?)
Last edited by jakbyte (2019-07-04 12:56:24)
Offline
#2 2019-07-04 02:41:15
- loqs
- Member
- Registered: 2014-03-06
- Posts: 17,326
Re: [Solved] tor-browser PGP sig can't be verified; gpg says it's too big
See https://bbs.archlinux.org/viewtopic.php?id=247406
Edit:
diff of PKGBUILD for gnupg (adds three patches that should allow the importing of a poisoned key)
diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD
index c023c41..3e506d9 100644
--- a/trunk/PKGBUILD
+++ b/trunk/PKGBUILD
@@ -21,14 +21,23 @@ validpgpkeys=('D8692123C4065DEA5E0F3AB5249B39D24F25E3B6'
'46CC730865BB5C78EBABADCF04376F3EE0856959'
'031EC2536E580D8EA286A9F22071B08A33BD3F06'
'5B80C5754298F0CB55D8ED6ABCEF7E294B092E28')
-source=("https://gnupg.org/ftp/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2"{,.sig})
+source=("https://gnupg.org/ftp/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2"{,.sig}
+ "https://github.com/gpg/gnupg/commit/15a425a1dfe60bd976b17671aa8e3d9aed12e1c0.patch"
+ "https://github.com/gpg/gnupg/commit/adb120e663fc5e78f714976c6e42ae233c1990b0.patch"
+ "https://github.com/gpg/gnupg/commit/a1f2f38dfb2ba5ed66d3aef66fc3be9b67f9b800.patch")
sha256sums=('6cbe8d454bf5dc204621eed3016d721b66298fa95363395bb8eeceb1d2fd14cb'
- 'SKIP')
+ 'SKIP'
+ 'cf6950719510d354cf161d69c92db30971a1f71b23ead392e35302c801692ddd'
+ 'b4ed15161c2d75b760f1cb9ea82eba258fa456b2307ed99003e9410b39a8d86e'
+ '14ef75e124434fe52d137ad98b260692787a0f2edb9d4304eb27ee663ca88482')
install=install
prepare() {
cd "${srcdir}/${pkgname}-${pkgver}"
+ patch -p1 -i ../15a425a1dfe60bd976b17671aa8e3d9aed12e1c0.patch
+ patch -p1 -i ../adb120e663fc5e78f714976c6e42ae233c1990b0.patch
+ patch -p1 -i ../a1f2f38dfb2ba5ed66d3aef66fc3be9b67f9b800.patch
sed '/noinst_SCRIPTS = gpg-zip/c sbin_SCRIPTS += gpg-zip' -i tools/Makefile.in
}
To delete the key if it is stuck in a broken state
gpg --delete-key EF6E286DDA85EA2A4BA7DE684E2C6E8793298290To clean the key
gpg --batch --quiet --edit-key EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 clean save quitEdit:
You could also ask the tor-browser package maintainer to add a warning that the key has been poisoned.
Last edited by loqs (2019-07-04 11:50:53)
Offline
#3 2019-07-04 12:54:38
- jakbyte
- Member
- From: United States
- Registered: 2019-07-04
- Posts: 2
Re: [Solved] tor-browser PGP sig can't be verified; gpg says it's too big
The maintainer has actually already acknowledged this and pinned a solution at https://aur.archlinux.org/packages/tor-browser/
Before running makepkg, you must do this (as normal user):
$ gpg --keyserver hkp://pgp.mit.edu:11371 --recv-keys 0x4E2C6E8793298290
Thanks anyways! 
Offline
#4 2019-07-04 13:40:26
- loqs
- Member
- Registered: 2014-03-06
- Posts: 17,326
Re: [Solved] tor-browser PGP sig can't be verified; gpg says it's too big
That pinned comment is from nine months before the key was poisoned.
Did using that command work for you?
Edit:
$ gpg --no-default-keyring --keyring /tmp/broken.gpg --keyserver hkp://pgp.mit.edu:11371 --recv-keys 0x4E2C6E8793298290
gpg: keybox '/tmp/broken.gpg' created
gpg: key 4E2C6E8793298290: 2 duplicate signatures removed
gpg: key 4E2C6E8793298290: 21292 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 2 signatures reordered
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
$ ls -lah /tmp/broken.gpg
-rw-r--r-- 1 test test 3.6M Jul 4 14:46 broken.gpg
$ rm /tmp/broken.gpg*
gpg --no-default-keyring --keyring /tmp/broken.gpg --recv-keys 0x4E2C6E8793298290
gpg: keybox '/tmp/broken_key.gpg' created
gpg: key 4E2C6E8793298290: 2 duplicate signatures removed
gpg: key 4E2C6E8793298290: 100310 signatures not checked due to missing keys
gpg: key 4E2C6E8793298290: 2 signatures reordered
gpg: error writing keyring '/tmp/broken_key.gpg': Provided object is too large
gpg: key 4E2C6E8793298290: keyblock too large, retrying with self-sigs-only
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
$ ls -lah /tmp/broken.gpg
-rw-r--r-- 1 test test 11K Jul 4 14:48 /tmp/broken_key.gpgYour method leaves 20000 signatures uncleaned and relies upon pgp.mit.edu never increasing that number to the 100000 the SKS server pool members have and provides no defense on the client.
Last edited by loqs (2019-07-04 15:00:18)
Offline