#1 2020-03-23 21:01:43

cantBelieveItAintButter
Member
Registered: 2020-03-23
Posts: 5

signature from Anatol Pomopov is marginal - [SOLVED]

Folks,
I am having trouble doing a full update. The machine has been sitting powered off for about 3 years until Friday. I started it up and tried to update but the keys seem messed up. Can you help? The error "signature from "Anatol Pomozov <anatol.pomozov@gmail.com>" is marginal trust" is presented for 5 packages: expat, gc, lua52 and lua. All of them seem signed by the same keys - Anatol Pomozov.

Below is some (hopefully) relevant output:

[analyst@secOps ~]$ sudo pacman-key --list-sigs Master | full
bash: full: command not found
[analyst@secOps ~]$ sudo pacman-key --list-sigs Master | grep full
uid           [  full  ] Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>
uid           [  full  ] Bartłomiej Piotrowski (Arch Linux Master Key) <bpiotrowski@master-key.archlinux.org>
uid           [  full  ] Florian Pritz (Arch Linux Master Key) <florian@master-key.archlinux.org>
uid           [  full  ] Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
[analyst@secOps ~]$ sudo pacman-key --list-sigs Master | grep revoked
pub   rsa3072 2011-11-19 [SC] [revoked: 2011-11-20]
uid           [ revoked] Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>
pub   rsa3072 2011-11-29 [SC] [revoked: 2011-11-29]
uid           [ revoked] Dan McGee (Arch Linux Master Key) <dan@master-key.archlinux.org>
pub   rsa3072 2011-11-25 [SC] [revoked: 2011-11-25]
uid           [ revoked] Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
[analyst@secOps ~]$ sudo pacman-key --list-sigs pomozov
pub   rsa4096 2014-02-04 [SC] [expires: 2023-09-30]
      8E1992167465DB5FB045557CB02854ED753E0F1F
uid           [marginal] Anatol Pomozov <anatol.pomozov@gmail.com>
sig          3348882F6AC6A4C2 2014-02-19  Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig          5184252D824B18E8 2014-02-19  Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>
sig          7EFD567D4C7EA887 2015-02-07  Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sig          A04F9397CDFD6BB0 2015-02-09  Dan McGee (Arch Linux Master Key) <dan@master-key.archlinux.org>
sig          BA1DFB64FFF979E7 2014-02-20  Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>
sig 3        B02854ED753E0F1F 2018-01-08  Anatol Pomozov <anatol.pomozov@gmail.com>
sig          872E6714EAF5EC44 2014-04-09  [User ID not found]
sig          D6D055F927843F1C 2019-01-17  [User ID not found]
sig 3        B02854ED753E0F1F 2014-09-08  Anatol Pomozov <anatol.pomozov@gmail.com>
sig 3        B02854ED753E0F1F 2014-02-04  Anatol Pomozov <anatol.pomozov@gmail.com>
sig 3        B02854ED753E0F1F 2017-04-02  Anatol Pomozov <anatol.pomozov@gmail.com>
sig 3        B02854ED753E0F1F 2019-10-01  Anatol Pomozov <anatol.pomozov@gmail.com>
sub   rsa4096 2014-02-04 [E] [expires: 2023-09-30]
sig          B02854ED753E0F1F 2017-04-02  Anatol Pomozov <anatol.pomozov@gmail.com>
sig          B02854ED753E0F1F 2019-10-01  Anatol Pomozov <anatol.pomozov@gmail.com>
[analyst@secOps ~]$ sudo pacman -Q archlinux-keyring
archlinux-keyring 20180404-1

[analyst@secOps ~]# sudo pacman-key --list-sigs Master
pub   rsa2048 2018-03-20 [SC]
      7BCE0718D145B5DA14C1F56B35C680DC06F34DC2
uid           [ultimate] Pacman Keyring Master Key <pacman@localhost>
sig 3        35C680DC06F34DC2 2018-03-20  Pacman Keyring Master Key <pacman@localhost>

pub   rsa4096 2011-11-29 [SC]
      AB19265E5D7D20687D303246BA1DFB64FFF979E7
uid           [  full  ] Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>
sig 3        BA1DFB64FFF979E7 2011-11-29  Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>
sig   L      35C680DC06F34DC2 2018-03-20  Pacman Keyring Master Key <pacman@localhost>
sig          3EC72E5826BD94C2 2012-02-05  [User ID not found]
rev          3EC72E5826BD94C2 2012-02-05  [User ID not found]
sig          1BB89C0602367449 2018-01-16  [User ID not found]
sig          F43D25535101A2C4 2019-06-23  [User ID not found]
sig 2     X  F43D25535101A2C4 2018-05-10  [User ID not found]
sig          F99FFE0FEAE999BD 2011-11-30  Allan McRae <me@allanmcrae.com>
sig          06096A6AD1CEDDAC 2011-11-30  Laurent Carlier <lordheavym@gmail.com>
sig          B773EB82DABACDA8 2013-08-16  [User ID not found]
sig          7ACFA647C5B3322D 2014-05-27  [User ID not found]
sig          C3918344475A229F 2015-09-23  [User ID not found]
sig          872E6714EAF5EC44 2014-04-09  [User ID not found]
sig          80394F9187983512 2016-11-14  [User ID not found]
sig          A9358D7DDD12F986 2012-02-29  [User ID not found]
sig          5F03C767C247A4D5 2017-08-17  [User ID not found]
sig 2   P    09B69B615AD10C8E 2015-12-01  [User ID not found]
sig 1   P    8508252F9B301536 2017-03-23  [User ID not found]

pub   rsa4096 2017-05-15 [SC]
      DDB867B92AA789C165EEFA799B729B06A680C281
uid           [  full  ] Bartłomiej Piotrowski (Arch Linux Master Key) <bpiotrowski@master-key.archlinux.org>
sig 3        9B729B06A680C281 2017-05-15  Bartłomiej Piotrowski (Arch Linux Master Key) <bpiotrowski@master-key.archlinux.org>
sig   L      35C680DC06F34DC2 2018-03-20  Pacman Keyring Master Key <pacman@localhost>
sig          B6002D906D137D09 2017-09-03  [User ID not found]
sig          BBE43771487328A9 2017-05-15  Bartlomiej Piotrowski <b@bpiotrowski.pl>
sig        2 5F03C767C247A4D5 2017-08-17  [User ID not found]
sub   rsa4096 2017-05-15 [E]
sig          9B729B06A680C281 2017-05-15  Bartłomiej Piotrowski (Arch Linux Master Key) <bpiotrowski@master-key.archlinux.org>
sig          1BB89C0602367449 2018-01-16  [User ID not found]
sig          F43D25535101A2C4 2019-06-23  [User ID not found]
sig 2     X  F43D25535101A2C4 2018-05-10  [User ID not found]
sig 1   P  2 AA14E96200F5E006 2017-09-14  [User ID not found]

pub   rsa4096 2015-12-17 [SC]
      91FFE0700E80619CEB73235CA88E23E377514E00
uid           [  full  ] Florian Pritz (Arch Linux Master Key) <florian@master-key.archlinux.org>
sig 3        A88E23E377514E00 2015-12-17  Florian Pritz (Arch Linux Master Key) <florian@master-key.archlinux.org>
sig   L      35C680DC06F34DC2 2018-03-20  Pacman Keyring Master Key <pacman@localhost>
sig          80394F9187983512 2016-11-14  [User ID not found]
sig          6D1655C14CE1C13E 2015-12-17  Florian Pritz <bluewind@xinu.at>
sig        2 5F03C767C247A4D5 2017-08-17  [User ID not found]
sig 1   P    8508252F9B301536 2017-03-23  [User ID not found]
sub   rsa4096 2015-12-17 [E]
sig          A88E23E377514E00 2015-12-17  Florian Pritz (Arch Linux Master Key) <florian@master-key.archlinux.org>
sig          1BB89C0602367449 2018-01-16  [User ID not found]
sig          F43D25535101A2C4 2019-06-23  [User ID not found]
sig 2     X  F43D25535101A2C4 2018-05-10  [User ID not found]
sig 1   P  2 AA14E96200F5E006 2017-09-14  [User ID not found]

pub   rsa3072 2011-11-18 [SC]
      0E8B644079F599DFC1DDC3973348882F6AC6A4C2
uid           [  full  ] Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig 3        3348882F6AC6A4C2 2011-11-18  Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig   L      35C680DC06F34DC2 2018-03-20  Pacman Keyring Master Key <pacman@localhost>
sig          7F2D434B9741E8AC 2011-11-18  Pierre Schmitz <pierre@archlinux.de>
sig          7ACFA647C5B3322D 2014-05-27  [User ID not found]
sig          D6FD943CD29A17BE 2019-05-13  [User ID not found]
sig 1        5E091391A98EBD4E 2019-10-22  [User ID not found]
sig          872E6714EAF5EC44 2014-04-09  [User ID not found]
sig          80394F9187983512 2016-11-14  [User ID not found]
sig          A9358D7DDD12F986 2012-02-29  [User ID not found]
sig 3        AD94BA169DBB5BF2 2016-10-12  [User ID not found]
sig        2 5F03C767C247A4D5 2017-08-17  [User ID not found]
sig 1   P    8508252F9B301536 2017-03-23  [User ID not found]
sub   rsa1024 2011-11-18 [E]
sig          3348882F6AC6A4C2 2011-11-18  Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sub   rsa3072 2011-11-18 [A]
sig          3348882F6AC6A4C2 2011-11-18  Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig          1BB89C0602367449 2018-01-16  [User ID not found]
sig          F43D25535101A2C4 2019-06-23  [User ID not found]
sig 2     X  F43D25535101A2C4 2018-05-10  [User ID not found]
sig 1   P  2 AA14E96200F5E006 2017-09-14  [User ID not found]

pub   rsa3072 2011-11-19 [SC] [revoked: 2011-11-20]
      684148BB25B49E986A4944C55184252D824B18E8
rev          5184252D824B18E8 2011-11-20  Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>
uid           [ revoked] Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>
sig 3        5184252D824B18E8 2011-11-19  Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>
sig   L      35C680DC06F34DC2 2020-03-20  Pacman Keyring Master Key <pacman@localhost>
sig          7ACFA647C5B3322D 2014-05-27  [User ID not found]
sig          284FC34C8E4B1A25 2011-11-19  Thomas Bächler <thomas@bchlr.de>
sig          872E6714EAF5EC44 2014-04-09  [User ID not found]
sig          80394F9187983512 2016-11-14  [User ID not found]
sig          A9358D7DDD12F986 2012-02-29  [User ID not found]
sig 1   P    8508252F9B301536 2017-03-23  [User ID not found]

pub   rsa3072 2011-11-29 [SC] [revoked: 2011-11-29]
      27FFC4769E19F096D41D9265A04F9397CDFD6BB0
rev          A04F9397CDFD6BB0 2011-11-29  Dan McGee (Arch Linux Master Key) <dan@master-key.archlinux.org>
uid           [ revoked] Dan McGee (Arch Linux Master Key) <dan@master-key.archlinux.org>
sig 3        A04F9397CDFD6BB0 2011-11-29  Dan McGee (Arch Linux Master Key) <dan@master-key.archlinux.org>
sig          5C2E46A0F53A76ED 2011-11-29  Dan McGee <dpmcgee@gmail.com>
sig          06096A6AD1CEDDAC 2011-11-30  Laurent Carlier <lordheavym@gmail.com>
sig          7ACFA647C5B3322D 2014-05-27  [User ID not found]
sig          872E6714EAF5EC44 2014-04-09  [User ID not found]
sig          80394F9187983512 2016-11-14  [User ID not found]
sig          A9358D7DDD12F986 2012-02-29  [User ID not found]
sig 2   P    09B69B615AD10C8E 2015-12-01  [User ID not found]

pub   rsa3072 2011-11-25 [SC] [revoked: 2011-11-25]
      44D4A033AC140143927397D47EFD567D4C7EA887
rev          7EFD567D4C7EA887 2011-11-25  Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
uid           [ revoked] Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sig 3        7EFD567D4C7EA887 2011-11-25  Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sig          E8F18BA1615137BC 2011-11-25  Ionut Biru <ibiru@archlinux.org>
sig          872E6714EAF5EC44 2014-04-09  [User ID not found]
sig          80394F9187983512 2016-11-14  [User ID not found]
sig          A9358D7DDD12F986 2012-02-29  [User ID not found]
sig        2 5F03C767C247A4D5 2017-08-17  [User ID not found]
sig 1   P    8508252F9B301536 2017-03-23  [User ID not found]
sig 1   P  2 AA14E96200F5E006 2017-09-14  [User ID not found]

Any help is much appreciated!

Last edited by cantBelieveItAintButter (2020-03-26 14:25:48)

Offline

#2 2020-03-23 21:59:01

Allan
Member
From: Brisbane, AU
Registered: 2007-06-09
Posts: 10,925
Website

Re: signature from Anatol Pomopov is marginal - [SOLVED]

pacman -Sy archlinux-keyring; pacman -Su

But....  you are probably best to use the arch linux archive and update a few months at a time, paying attention to the new posts made then.

Offline

#3 2020-03-23 22:36:26

cantBelieveItAintButter
Member
Registered: 2020-03-23
Posts: 5

Re: signature from Anatol Pomopov is marginal - [SOLVED]

Thanks for responding, Allan.

>>> But....  you are probably best to use the arch linux archive and update a few months at a time, paying attention to the new posts made then.

I did just that. Found some leads and tried them all but still no success.
A few conclusions so far:
1. keyring is installed and at version 20180404-1 (based on the output of pacman -Q archlinux-keyring).
2. Based on pacman-key --list-sigs, Anatol Pomozov's key seems to depend on a REVOKED master key labeled Ionut Biru.
3. All packages are signed with Anatol's key(s).
4. Anatol's key is indeed marked as Marginal.

I've tried refreshing, initializing and populating the keys with no success (pacman-key --refresh-keys, pacman-key --init, pacman-key --populate archlinux).

Offline

#4 2020-03-24 00:04:47

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 3,134

Re: signature from Anatol Pomopov is marginal - [SOLVED]

His key is signed by Pierre, Allan, Ionut, Dan, and Thomas, and only the first two are still valid master keys. You would not have this problem, though, if you had NOT refreshed the keys. Because Thomas's master key only recently got revoked, so if you haven't updated in 3 years your keyring "should" think that master key is still valid.

The solution is as Allan said, to refresh your keyring by installing the latest archlinux-keyring package. This will let you acquire the "Levente Polyak (Arch Linux Master Key) <anthraxx@master-key.archlinux.org>" master key which was cycled in at the turn of 2018-2019 and verified in recent archlinux-keyring packages.

This would get Anatol's signing key back up to the required 3 signatures.

...

You can, of course, do incremental Arch Linux Archive snapshot upgrades, independently of fixing your keyring issues. But you will regardless need to either reset your keyring to pretend that Thomas's key is still valid (and then not refresh it), or upgrade to the 2020 version of archlinux-keyring.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline
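Added example, not part of eschwartz's post or any Arch tooling: a simplified count of which certifications on the packager key still come from fully valid master keys, which is the check behind the "marginal" result explained in post #4. The listings are abridged copies of the output in the first post, the function names are hypothetical, and the threshold of 3 is the figure from that post; GnuPG's own trust calculation does more than this count.

```python
import re

# Constructed input: abridged from the pacman-key output in the first post.
MASTER_LISTING = """\
pub   rsa4096 2011-11-29 [SC]
      AB19265E5D7D20687D303246BA1DFB64FFF979E7
uid           [  full  ] Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>
pub   rsa3072 2011-11-18 [SC]
      0E8B644079F599DFC1DDC3973348882F6AC6A4C2
uid           [  full  ] Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
pub   rsa3072 2011-11-19 [SC] [revoked: 2011-11-20]
      684148BB25B49E986A4944C55184252D824B18E8
uid           [ revoked] Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>
pub   rsa3072 2011-11-29 [SC] [revoked: 2011-11-29]
      27FFC4769E19F096D41D9265A04F9397CDFD6BB0
uid           [ revoked] Dan McGee (Arch Linux Master Key) <dan@master-key.archlinux.org>
pub   rsa3072 2011-11-25 [SC] [revoked: 2011-11-25]
      44D4A033AC140143927397D47EFD567D4C7EA887
uid           [ revoked] Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
"""
PACKAGER_LISTING = """\
pub   rsa4096 2014-02-04 [SC] [expires: 2023-09-30]
      8E1992167465DB5FB045557CB02854ED753E0F1F
uid           [marginal] Anatol Pomozov <anatol.pomozov@gmail.com>
sig          3348882F6AC6A4C2 2014-02-19  Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig          5184252D824B18E8 2014-02-19  Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>
sig          7EFD567D4C7EA887 2015-02-07  Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sig          A04F9397CDFD6BB0 2015-02-09  Dan McGee (Arch Linux Master Key) <dan@master-key.archlinux.org>
sig          BA1DFB64FFF979E7 2014-02-20  Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>
sig 3        B02854ED753E0F1F 2018-01-08  Anatol Pomozov <anatol.pomozov@gmail.com>
sig          872E6714EAF5EC44 2014-04-09  [User ID not found]
sig          D6D055F927843F1C 2019-01-17  [User ID not found]
"""

FPR = re.compile(r"^\s+([0-9A-F]{40})\s*$")
UID = re.compile(r"^uid\s+\[\s*(\w+)\s*\].*@master-key\.archlinux\.org>")
SIG = re.compile(r"^sig\b.*?\b([0-9A-F]{16})\b")

def master_key_validity(listing):
    """Map long key ID -> validity ('full', 'revoked', ...) for each master key."""
    status, fpr = {}, None
    for line in listing.splitlines():
        if m := FPR.match(line):
            fpr = m.group(1)
        elif (m := UID.match(line)) and fpr:
            status[fpr[-16:]] = m.group(1)  # long key ID = last 16 hex digits
    return status

def valid_master_signers(key_listing, status):
    """Key IDs that certified the key and are still fully valid master keys."""
    signers = {m.group(1) for l in key_listing.splitlines() if (m := SIG.match(l))}
    return sorted(k for k in signers if status.get(k) == "full")

def is_trusted(key_listing, master_listing, needed=3):
    # needed=3: the signature count post #4 gives for a packager key (assumption here)
    status = master_key_validity(master_listing)
    return len(valid_master_signers(key_listing, status)) >= needed

if __name__ == "__main__":
    st = master_key_validity(MASTER_LISTING)
    print(valid_master_signers(PACKAGER_LISTING, st), is_trusted(PACKAGER_LISTING, MASTER_LISTING))
```

On a live system the two strings would be replaced by the output of `pacman-key --list-sigs Master` and `pacman-key --list-sigs pomozov`.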

#5 2020-03-24 14:22:10

cantBelieveItAintButter
Member
Registered: 2020-03-23
Posts: 5

Re: signature from Anatol Pomopov is marginal - [SOLVED]

Thanks @eschwartz! These responses help a lot because while I've been using Arch for about 10 years now, I never needed to dive into package signing until now. I am learning a lot!

About the problem:
>>> You would not have this problem, though, if you had NOT refreshed the keys.
If I could go back in time, how should I have done this? The reason I ask is because I actually can go back in time. Kinda... This Arch installation is a VM which can easily be redeployed from the OVA. I could start fresh and fix the problem via the easy way.
On a side note, I've tried to update pacman -Syu before refreshing the keys; that's when I ran into the issue.

>>> The solution is as Allan said, to refresh your keyring by installing the latest archlinux-keyring package.
Is it correct to assume this would have been the easiest route? I will give it a go as my next attempt. I will re-deploy the VM and try updating the keyring first, before running a full update.

...

>>>You can, of course, do incremental Arch Linux Archive snapshot upgrades, independently of fixing your keyring issues. But you will regardless need to either reset your keyring to pretend that Thomas's key is still valid (and then not refresh it), or upgrade to the 2020 version of archlinux-keyring.
Okie-dokie. Let me see what updating the archlinux keyring yields first. I will look into incremental updates, if that fails.

P.S. You forum guys are rockstars!

Offline

#6 2020-03-24 15:30:24

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 3,134

Re: signature from Anatol Pomopov is marginal - [SOLVED]

Yes, the easiest route is to update the keyring if possible. It's a fully standalone collection of data files, with the sole purpose of providing an offline-installable chain of signing trust.

But, if you're using a VM from some hosting provider which you can redeploy to get back into the same state, then it sounds like they are offering a frozen-in-time copy of archlinux that is years-old and isn't being promptly updated. ;)

In which case, you might run into this issue (see the bottom for workarounds, note my signing key was only added to the keyring in early 2018 but you can check its signature locally then scp the binary to your cloud VM): https://www.archlinux.org/news/now-usin … mpression/


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#7 2020-03-24 21:36:49

cantBelieveItAintButter
Member
Registered: 2020-03-23
Posts: 5

Re: signature from Anatol Pomopov is marginal - [SOLVED]

Success!!
Your alternate pacman binary (pacman-static) did the tricks. I use it in the plural because it solved the key problem and the .ZST packaging in one go.

Full run of the solution:
1. I re-deployed the VM and tried to install archlinux-keyring (pacman -S archlinux-keyring) but the process failed; as you anticipated, my system's old pacman couldn't handle .ZSTs.
2. After grabbing your alternate pacman binary, I was able to install the updated archlinux-keyring with pacman-static -S archlinux-keyring.
3. Now that I had the updated keyring (and the keys goodness), I tried using my system's old pacman to do a full update (pacman -Syu) but had no success; pacman was cool with all the keys but, since it was still in the old version, had no clue about all the ZSTs.
4. Once again I ran your alternate pacman binary to do a full system update (pacman-static -Syu). It went through without a glitch!
5. Just to be safe, I re-ran a pacman -Syu. All good.
6. The system is now up-to-date. Yay!

Thanks again!

P.S. Are you THE Eli Schwartz? Super cool to be helped by one of Arch's wizards... :)

Offline

#8 2020-03-24 21:58:44

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 3,134

Re: signature from Anatol Pomopov is marginal - [SOLVED]

Great, happy to help. :)

And yes, I am that Eli, as indicated by my forum title to the left of the posts. Forum titles cannot be set by users, you need to ask the admins.

As a general rule of thumb, anyone with a title other than "member" is verified to somehow be affiliated with Arch, e.g. I am a "Trusted User/Bug Wrangler", other people might be forum fellows (retired moderators), developers, etc.
IIRC there are a handful of regular community members with custom titles that they received on (I suppose) special request as a consideration of some sort (e.g. "Arch Linux f@h Team Member"), but you'll be able to tell due to the meaning of that title that it doesn't designate a staff role.

(And then there is Allan, who is in disguise as a "Member". Shhhhhh!)

Last edited by eschwartz (2020-03-24 21:59:34)


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#9 2020-03-25 19:47:52

cantBelieveItAintButter
Member
Registered: 2020-03-23
Posts: 5

Re: signature from Anatol Pomopov is marginal - [SOLVED]

>>>And yes, I am that Eli,
Very cool, man. Very cool.

>>>And then there is Allan, who is in disguise as a "Member". Shhhhhh!
That's pretty awesome too! You guys are awesome for donating time to maintain this great OS. Tip of the hat to you guys!

Thanks again, I am flagging this thread as SOLVED.

Offline

#10 2020-03-25 19:55:20

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 3,134

Re: signature from Anatol Pomopov is marginal - [SOLVED]

You can mark the thread as solved by editing the first post and prepending the text "[Solved]" to the thread title field. :)


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline
