You are not logged in.

#1 2020-01-06 06:33:34

vatedow
Member
Registered: 2020-01-06
Posts: 2

Attempting rollback of php 7.4 > 7.3 but key errors are stopping me

I'm hitting a few roadblocks while trying to rollback php from 7.4 to 7.3 because nextcloud.
In bash

$ for pkg in "" "-fpm" "-gd" "-intl"; do sudo pacman -U https://archive.archlinux.org/packages/p/php"$pkg"/php"$pkg"-7.3.12-1-x86_64.pkg.tar.xz; done
$ sudo pacman -U https://archive.archlinux.org/packages/p/php-apcu/php-apcu-5.1.18-1-x86_64.pkg.tar.xz

Gives me pgp errors.

:: Import PGP key 7F2D434B9741E8AC, "Pierre Schmitz <pierre@archlinux.de>"? [Y/n] Y
error: key "7F2D434B9741E8AC" could not be looked up remotely
error: required key missing from keyring
error: '/var/cache/pacman/pkg/php-7.3.12-1-x86_64.pkg.tar.xz': unexpected error

Trying to install 7.3 from aur gives me an issue with pgp keys

php-7.3.13.tar.xz ... FAILED (unknown public key D66C9593118BCCB6)

And everything I've attempted with gpg and pacman-key gives me a "can't find server" error.

All I want to do is rollback because waiting for nextcloud 18 is starting to feel like waiting for the next Kojima title.

It's probably something simple I've missed or overlooked but a key error like this has me concerned of a potential bigger issue.

Offline

#2 2020-01-06 14:03:06

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Attempting rollback of php 7.4 > 7.3 but key errors are stopping me

Update the arch-keyring first https://wiki.archlinux.org/index.php/Pa … ge_signing

You can add php to 'IgnorePkg' in pacman.conf, though due to the rolling nature of Arch this is far from ideal of course and you may miss out on some critical/security patches.

You could also upgrade to Nextcloud18(github) which has support for php7.4 - you're on your own, or there may already be an aur package, anyway good luck.

Personally I use Debian for my server and I still must take notice to not dist-upgrade to soon since I use 'sury.org' I had that with the current version and had to change(downgrade) the version to 7.3;)

edit: and welcome to Arch;)

Last edited by qinohe (2020-01-06 14:12:20)

Offline

#3 2020-01-07 05:53:26

vatedow
Member
Registered: 2020-01-06
Posts: 2

Re: Attempting rollback of php 7.4 > 7.3 but key errors are stopping me

Thanks for the advice.
Trying `pacman-key --refresh-keys` yields

gpg: refreshing 5 keys from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: No such file or directory
==> ERROR: A specified local key could not be updated from a keyserver.

Not sure what to do about that. I'll settle for `IgnorePkg` in the conf file.

Thanks for the assistance.

Offline

#4 2020-01-07 15:34:04

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Attempting rollback of php 7.4 > 7.3 but key errors are stopping me

Have you tried a different keyserver?
I use

hkp://ipv4.pool.sks-keyservers.net:11371

which is the same as you though, not the secure one and ipv4 only! it has never let me down.

You are aware of the downside using 'IgnorePkg'!? Get an account on the mailing list https://lists.archlinux.org/listinfo/arch-security
That's what I would at least to keep track of security issues for the packages you use

Offline

#5 2020-01-08 04:49:12

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: Attempting rollback of php 7.4 > 7.3 but key errors are stopping me

Keyservers can be unpredictable and unpredictably terrible. I don't use the sks-keyservers.net subdomains at all, since that's a DNS round robin, i.e. explicitly designed to resolve as the IP addresses of random other keyservers for the sake of fault tolerance and distributing the load. Unfortunately, not all of those servers work, and some of them are super slow.

Compare this a bit to how Arch uses a mirrorlist for the official repositories, but users can tune their mirrors. (In comparison some other distros, Debian for example, use a CDN with one url that redirects to the best mirror for your geographic location. Their CDN is a bit more reliable than SKS, though.)

Personally, I use keyserver.ubuntu.com as I've always found it very reliable. You can find the key you want here: https://keyserver.ubuntu.com/pks/lookup … n&op=index

Hint: where it says "pub rsa4096/cbaf69f173a0fea4b537f470d66c9593118bccb6 2018-06-05T21:57:22Z", you can click on the link and get the "-----BEGIN PGP PUBLIC KEY BLOCK-----" ascii-armored key file, which you can import with gpg --import. But --keyserver should work fine too.

...

Also, you should definitely have Pierre's key in your keyring, this is super weird that pacman wants to import it before you can use pacman -U.

Does "pacman-key -l 7F2D434B9741E8AC" really not list the key? Are you missing other archlinux-keyring keys from https://www.archlinux.org/master-keys/ ?


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#6 2020-01-08 10:51:56

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: Attempting rollback of php 7.4 > 7.3 but key errors are stopping me

Also, you should definitely have Pierre's key in your keyring, this is super weird that pacman wants to import it before you can use pacman -U.

Maybe sudo pacman -U foo looks at the keyring of the user running sudo , not the root keyring ?


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#7 2020-01-08 12:40:35

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 1,933
Website

Re: Attempting rollback of php 7.4 > 7.3 but key errors are stopping me

It may also be possible that the maintainer updated the PGP key in the meantime and that the old package is signed with an older key that is no longer trusted by the up-to-date pacman keyring.

Last edited by schard (2020-01-08 12:40:56)

Offline

#8 2020-01-08 13:22:39

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: Attempting rollback of php 7.4 > 7.3 but key errors are stopping me

Lone_Wolf wrote:

Also, you should definitely have Pierre's key in your keyring, this is super weird that pacman wants to import it before you can use pacman -U.

Maybe sudo pacman -U foo looks at the keyring of the user running sudo , not the root keyring ?

That would be a ludicrous design, for pacman to a) default to the same keyring used for non-packaging tasks, and b) to explicitly contain code that checks if SUDO_USER / SUDO_UID is set, then uses that to reset the USER variable and recalculate HOME based on the manually twiddled USER.

You literally cannot break pacman like that without trying very hard in a very non-accidental way within pacman's source code. sudo is *designed* by definition to not allow this to occur without explicit code to recognize sudo and walk back its effects, precisely because of how bad it is to run as root with random stuff from your non-root invoking session mixed in.

We *know* that pacman doesn't contain this absolutely critical vulnerability, because if it did, no one would ever be able to update their system with "sudo pacman -Syu"  because I very much doubt every single archlinux user ever, has the pacman master keys as well as all packaging keys preinstalled in their *user* keyring, and marked as *trusted*. Most archlinux users probably don't even use pgp in the first place, within their user session.

And the fact that pacman-key exists explicitly to operate gpg commands while respecting /etc/pacman.conf's "GpgDir" setting puts the nail in the coffin of that line of thought. pacman doesn't use the root keyring either.

schard wrote:

It may also be possible that the maintainer updated the PGP key in the meantime and that the old package is signed with an older key that is no longer trusted by the up-to-date pacman keyring.

Well, no.

It's asking:

:: Import PGP key 7F2D434B9741E8AC, "Pierre Schmitz <pierre@archlinux.de>"? [Y/n] Y
error: key "7F2D434B9741E8AC" could not be looked up remotely

That key is the one which should be currently in the keyring, and reinstalling "archlinux-keyring" should usually guarantee it is in the keyring if the keyring got accidentally wiped somehow.

... Also, the key was created in 2011, and has the following master key signatures:

sig          3348882F6AC6A4C2 2011-11-18  Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig          5184252D824B18E8 2011-11-19  Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>
sig          BA1DFB64FFF979E7 2011-12-05  Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>
sig          A88E23E377514E00 2015-12-23  Florian Pritz (Arch Linux Master Key) <florian@master-key.archlinux.org>
sig          9B729B06A680C281 2017-07-13  Bartłomiej Piotrowski (Arch Linux Master Key) <bpiotrowski@master-key.archlinux.org>
sig          D6D055F927843F1C 2019-09-29  Levente Polyak (Arch Linux Master Key) <anthraxx@master-key.archlinux.org>

Also mostly from 2011. It's been used as a packaging key for a very long time.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

Board footer

Powered by FluxBB