Hello guys. I previously posted under the subject
building in chroot ==> ERROR: The key does not exist in your keyring
However, I made a mistake. It has nothing to do with chroot. There was too much confusion, so I am posting again with a clear subject. I hope that is OK. Sorry for my mistake.
JZGEUTCPDW5SHN3X is my package signing key. Since the problem started I have performed these steps three times, but they did not resolve my issue.
sudo rm -R /etc/pacman.d/gnupg/
sudo rm -R /root/.gnupg/
gpg --refresh-keys
sudo pacman-key --init && sudo pacman-key --populate archlinux
sudo pacman-key -a ~/.ssh/my_pkg_key.pub
sudo pacman-key --lsign-key JZGEUTCPDW5SHN3X
sudo pacman-key --finger JZGEUTCPDW5SHN3X
While troubleshooting I also experimented with permissions and these commands:
sudo chmod 600 /etc/pacman.d/gnupg
gpg --refresh-keys
sudo pacman -Sy archlinux-keyring && pacman -Syyu
reboot
The issue is not those permissions. I also tried putting my secret key into the /etc/pacman.d/gnupg keyring. None of these steps fixed my problem.
First I thought it was related to chroot because `pacman -Syu` with Arch packages has no problem. Then I tried building one of my packages outside the chroot and I found the following (I made it print key details for debugging):
$ makepkg -f
sec rsa3072 2020-10-15 [SC]
2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X
uid [ultimate] Moscow Hunt <mh@gmail.com>
ssb rsa3072 2020-10-15 [E]
==> Making package: foo 1.0.r13-1 (Mon 01 Mar 2021 02:58:08 AM EST)
==> Checking runtime dependencies...
warning: Public keyring not found; have you run 'pacman-key --init'?
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo3: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
==> Checking buildtime dependencies...
warning: Public keyring not found; have you run 'pacman-key --init'?
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo3: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
==> Retrieving sources...
-> Updating foo git repo...
Fetching origin
==> Validating source files with sha256sums...
foo ... Skipped
==> Extracting sources...
-> Creating working copy of foo git repo...
Reset branch 'makepkg'
==> Removing existing $pkgdir/ directory...
==> Entering fakeroot environment...
sec rsa3072 2020-10-15 [SC]
2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X
uid [ultimate] Moscow Hunt <mh@gmail.com>
ssb rsa3072 2020-10-15 [E]
==> Starting package()...
==> Tidying install...
-> Removing libtool files...
-> Purging unwanted files...
-> Removing static library files...
-> Stripping unneeded symbols from binaries and libraries...
-> Compressing man and info pages...
==> Checking for packaging issues...
==> Creating package "foo"...
-> Generating .PKGINFO file...
-> Generating .BUILDINFO file...
warning: Public keyring not found; have you run 'pacman-key --init'?
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo3: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
-> Adding install file...
-> Generating .MTREE file...
-> Compressing package...
==> Leaving fakeroot environment.
==> Signing package(s)...
-> Created signature file foo-1.0.r13-1-any.pkg.tar.zst.sig.
==> Finished making: foo 1.0.r13-1 (Mon 01 Mar 2021 02:58:10 AM EST)
The package is created and signed. But now I have a clue why it fails in the chroot: "Public keyring not found".
Building in chroot fails with:
==> ERROR: The key JZGEUTCPDW5SHN3X does not exist in your keyring.
==> ERROR: Build failed, check /mnt/chroots/arch/myrepo1/moscow/build
But now I know it is not only a chroot problem.
Key JZGEUTCPDW5SHN3X is shown by both `gpg -k` and `sudo gpg --homedir /etc/pacman.d/gnupg/ -k`, and also by both `gpg --finger JZGEUTCPDW5SHN3X` and `sudo gpg --homedir /etc/pacman.d/gnupg/ --finger JZGEUTCPDW5SHN3X`. Here is an example of the output:
$ sudo pacman-key --list-sigs 2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X
pub rsa3072 2020-10-15 [SC]
2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X
uid [ full ] Moscow Hunt <mh@gmail.com>
sig 3 JZGEUTCPDW5SHN3X 2020-10-15 Moscow Hunt <mh@gmail.com>
sig L 55031C2F942A69BB 2020-10-16 Pacman Keyring Master Key <pacman@localhost>
sub rsa3072 2020-10-15 [E]
sig JZGEUTCPDW5SHN3X 2020-10-15 Moscow Hunt <mh@gmail.com>
I checked all these commands and found no problems.
$ sudo pacman-conf GpgDir
/etc/pacman.d/gnupg/
gpg -K JZGEUTCPDW5SHN3X
sudo gpg --homedir /etc/pacman.d/gnupg/ -K JZGEUTCPDW5SHN3X
gpg --finger JZGEUTCPDW5SHN3X
sudo gpg --homedir /etc/pacman.d/gnupg/ --finger JZGEUTCPDW5SHN3X
gpg -k
sudo gpg --homedir /etc/pacman.d/gnupg/ -k
gpg -K
sudo gpg --homedir /etc/pacman.d/gnupg/ -K
gpg --check-signatures JZGEUTCPDW5SHN3X
sudo gpg --homedir /etc/pacman.d/gnupg/ --check-signatures JZGEUTCPDW5SHN3X
sudo gpg --homedir /etc/pacman.d/gnupg/ --check-signatures master-key.archlinux.org
I will paste the output of all of them if requested. master-key.archlinux.org has "gpg: 33 good signatures".
My only non-default settings in /etc/makepkg.conf:
BUILDENV=(!distcc color !ccache !check sign)
PACKAGER="Moscow Hunt <mh@gmail.com>"
GPGKEY="JZGEUTCPDW5SHN3X"
My only non-default settings in /etc/pacman.conf:
[options]
SigLevel = Required DatabaseOptional
LocalFileSigLevel = Optional
[myrepo1]
Server = file:///home/moscow/repos/$repo/
[myrepo2]
Server = file:///home/moscow/repos/$repo/
[myrepo2]
Server = file:///home/moscow/repos/$repo/
Thanks for looking at my problem and have a great day!
Last edited by moscow-hunt (2021-03-02 00:45:24)
None of this has anything to do with pacman-key...
makepkg has the ability to run gpg --detach-sign on the built file. This uses $HOME/.gnupg and, in a chroot build, /mnt/chroots/arch/myrepo1/moscow/build/.gnupg
Is your key available in the chroot? Or only on the host?
For the record, official Arch tooling does not use makepkg --sign, but runs makechrootpkg and then manually uses gpg --detach-sign.
Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
> None of this has anything to do with pacman-key...
OK!
> Is your key available in the chroot?
No. It gets deleted from the chroot on each build. I think it is replaced by a keyring and trustdb that do not contain my key.
I looked for all keyrings on my system. Outside of the chroot, I find GPG keyrings in these locations:
/home/moscow/.gnupg/
/etc/pacman.d/gnupg
plus 3 I have not touched yet:
/usr/share/pacman/keyrings/
/var/lib/archbuild/extra-x86_64/root/etc/pacman.d/gnupg/
/var/lib/archbuild/extra-x86_64/moscow/etc/pacman.d/gnupg/
edit: I do not use the "convenience way" to build (extra-x86_64-build). I use mkarchroot and makechrootpkg.
When I first saw that my key was not in the chroot, I tried this before the build:
sudo arch-nspawn "$copydir"/ sudo -u builduser gpg --import my_build_key.sec
sudo arch-nspawn "$copydir"/ sudo -u builduser gpg --list-secret-key JZGEUTCPDW5SHN3X
gpg: Warning: using insecure memory!
sec rsa3072 2020-10-15 [SC]
2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X
uid [unknown] Moscow Hunt <mh@gmail.com>
sub rsa3072 2020-10-15 [E]
ls -1 "$copydir"/build/.gnupg/
private-keys-v1.d
pubring.kbx
pubring.kbx~
S.gpg-agent
S.gpg-agent.browser
S.gpg-agent.extra
S.gpg-agent.ssh
trustdb.gpg
copydir=/mnt/chroots/arch/myrepo1/moscow/, or as needed for my repos.
I see my build key in the chroot GPG keyring before running makechrootpkg.
Still, the build fails with the same error:
==> ERROR: The key JZGEUTCPDW5SHN3X does not exist in your keyring.
I check again immediately after running makechrootpkg:
sudo arch-nspawn "$copydir"/ sudo -u builduser gpg --list-secret-key JZGEUTCPDW5SHN3X
gpg: Warning: using insecure memory!
gpg: error reading key: No secret key
ls -1 "$copydir"/build/.gnupg/
pubring.kbx
trustdb.gpg
I set up my chroot like this:
CHROOT="/mnt/chroots/arch"
sudo mount -t tmpfs -o defaults,size=20G tmpfs "/$CHROOT"
mkarchroot "/$CHROOT/root" base-devel git tree
If the chroot is not new I update it:
sudo arch-nspawn $CHROOT/root pacman -Syu
In troubleshooting I tried both cleaning the chroot and not cleaning it before building the package, but the error does not change.
makechrootpkg -c -r $CHROOT
makechrootpkg $CHROOT
> For the record, official Arch tooling does not use makepkg --sign, but runs makechrootpkg and then manually uses gpg --detach-sign.
I use makechrootpkg with the chroot. I only tried makepkg to test outside of the chroot for troubleshooting.
> makepkg has the ability to run gpg --detach-sign on the built file. This uses $HOME/.gnupg and, in a chroot build, /mnt/chroots/arch/myrepo1/moscow/build/.gnupg
I think makechrootpkg replaces the keyring on each build and my key is then missing. This problem only started recently. Before, I was able to run makechrootpkg and sign my packages. I am not aware of any change I made, but somehow I screwed up my system. What do I check next? Thank you kindly for your advice eschwartz. Hope you have a great day!
Last edited by moscow-hunt (2021-03-02 02:50:08)
makechrootpkg -c nukes the chroot and recreates it. So $copydir is destroyed and recreated from $copydir/../root
> makechrootpkg -c nukes the chroot and recreates it. So $copydir is destroyed and recreated from $copydir/../root
Yes. My build key also disappears when I run without "-c", like so:
makechrootpkg $CHROOT
And I see this code in arch-nspawn:
copy_hostconf () {
    unshare --fork --pid gpg --homedir "$working_dir"/etc/pacman.d/gnupg/ --no-permission-warning --quiet --batch --import --import-options import-local-sigs "$(pacman-conf GpgDir)"/pubring.gpg >/dev/null 2>&1
    pacman-key --gpgdir "$working_dir"/etc/pacman.d/gnupg/ --import-trustdb "$(pacman-conf GpgDir)" >/dev/null 2>&1
I check and verify: $(pacman-conf GpgDir) = /etc/pacman.d/gnupg
I check:
sudo gpg --homedir /etc/pacman.d/gnupg/ --finger JZGEUTCPDW5SHN3X
My build key is found with the above command.
I understand copy_hostconf() will copy my build key from /etc/pacman.d/gnupg/ to the chroot. Do I misunderstand? What do you think I am doing wrong?
Primarily the fact that once again, none of this has to do with pacman-key.
The fact that -c by design nukes the entire chroot is an immediately apparent problem which should be obvious from the output... less obvious is that the builduser's home directory is also nuked regardless...
I do not know what people do in order to do gpg signing in the chroot. I'm happy doing it outside the chroot anyway. Maybe bind-mounting $HOME/.gnupg:/build/.gnupg would work, idk.
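The split described above (build in the clean chroot, then sign on the host with the user's own $HOME/.gnupg, which is outside the chroot copy that makechrootpkg throws away) as an added example; this is my own illustration, not code from the thread or from devtools. The function names, the GPG override variable and the check that the host pacman keyring directory is still readable by non-root users (the thread's troubleshooting ran chmod 600 on it) are assumptions of this example, as is GNU stat.

```shell
#!/bin/sh
# Added example, not from the thread or from devtools.

# pacman, run as a normal user by makepkg's dependency checks, can only open
# /etc/pacman.d/gnupg if the directory is readable and traversable by
# "other" (the default 0755). "chmod 600" on the directory removes both bits.
# Assumes GNU stat.
keyring_dir_readable() {
    dir=$1
    [ -d "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 1
    other=$(( mode % 10 ))          # last octal digit: permissions for "other"
    [ $(( other & 5 )) -eq 5 ]      # r (4) and x (1) both present
}

# makepkg --sign reads the secret key from $HOME/.gnupg (or $GNUPGHOME), never
# from /etc/pacman.d/gnupg; arch-nspawn's copy_hostconf only imports public
# keys and the trustdb into the chroot.
host_has_secret_key() {
    gpg --homedir "${GNUPGHOME:-$HOME/.gnupg}" --list-secret-keys "$1" >/dev/null 2>&1
}

# Detach-sign every package in the current directory that has no .sig yet.
# The gpg program comes from $GPG (default: gpg) so the step can be mocked.
# Prints the number of packages signed.
sign_host_pkgs() {
    keyid=$1; signed=0
    for pkg in ./*.pkg.tar.*; do
        case $pkg in *.sig) continue ;; esac     # skip existing signatures
        [ -f "$pkg" ] || continue                # unmatched glob
        [ -f "$pkg.sig" ] && continue            # already signed
        "${GPG:-gpg}" --detach-sign --no-armor --local-user "$keyid" "$pkg" || return 1
        signed=$((signed + 1))
    done
    echo "$signed"
}

# Usage (not run here): build in the chroot as the thread does, then sign on
# the host. CHROOT and the key id are the thread's values.
#   CHROOT=/mnt/chroots/arch
#   keyring_dir_readable "$(pacman-conf GpgDir)" || echo "pacman keyring dir not readable by users"
#   host_has_secret_key JZGEUTCPDW5SHN3X || echo "secret key missing from host keyring"
#   makechrootpkg -c -r "$CHROOT" && sign_host_pkgs JZGEUTCPDW5SHN3X
```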
> I do not know what people do in order to do gpg signing in the chroot. I'm happy doing it outside the chroot anyway. Maybe bind-mounting $HOME/.gnupg:/build/.gnupg would work, idk.
I'm confused because it was working for me straight away. I did not pull any trick to get it to work. It worked until a few days ago. But OK, I will do it outside of the chroot now too. That is OK with me.
However, I am trying to understand this new warning. I get it outside of the chroot. Any idea?
warning: Public keyring not found; have you run 'pacman-key --init'?
$ makepkg -f
sec rsa3072 2020-10-15 [SC]
2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X
uid [ultimate] Moscow Hunt <mh@gmail.com>
ssb rsa3072 2020-10-15 [E]
==> Making package: foo 1.0.r13-1 (Mon 01 Mar 2021 02:58:08 AM EST)
==> Checking runtime dependencies...
warning: Public keyring not found; have you run 'pacman-key --init'?
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo3: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
==> Checking buildtime dependencies...
warning: Public keyring not found; have you run 'pacman-key --init'?
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo3: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
==> Retrieving sources...
-> Updating foo git repo...
Fetching origin
==> Validating source files with sha256sums...
foo ... Skipped
==> Extracting sources...
-> Creating working copy of foo git repo...
Reset branch 'makepkg'
==> Removing existing $pkgdir/ directory...
==> Entering fakeroot environment...
sec rsa3072 2020-10-15 [SC]
2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X
uid [ultimate] Moscow Hunt <mh@gmail.com>
ssb rsa3072 2020-10-15 [E]
==> Starting package()...
==> Tidying install...
-> Removing libtool files...
-> Purging unwanted files...
-> Removing static library files...
-> Stripping unneeded symbols from binaries and libraries...
-> Compressing man and info pages...
==> Checking for packaging issues...
==> Creating package "foo"...
-> Generating .PKGINFO file...
-> Generating .BUILDINFO file...
warning: Public keyring not found; have you run 'pacman-key --init'?
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
error: myrepo3: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
error: keyring is not writable
-> Adding install file...
-> Generating .MTREE file...
-> Compressing package...
==> Leaving fakeroot environment.
==> Signing package(s)...
-> Created signature file foo-1.0.r13-1-any.pkg.tar.zst.sig.
==> Finished making: foo 1.0.r13-1 (Mon 01 Mar 2021 02:58:10 AM EST)
You informed me of this:
> makepkg has the ability to run gpg --detach-sign on the built file. This uses $HOME/.gnupg
I check:
$ gpg --homedir $HOME/.gnupg --finger JZGEUTCPDW5SHN3X
pub rsa3072 2020-10-15 [SC]
HTR8 JUN4 E3XQ GXMS 6XAA W8J2 4CXN JZGE UTCP DW5S HN3X
uid [ full ] Moscow Hunt <mh@gmail.com>
sub rsa3072 2020-10-15 [E]
It seems the keyring is found and the key is present. So why this?
error: myrepo1: key "2827526B3D55D874896FFF05JZGEUTCPDW5SHN3X" is unknown
Thank you again for reading my question. Hope you have a great day!
Maybe this has to do with signing repositories and not with signing packages?
For clarity:
Does pacman accept your key when you try to install a package signed with your key using pacman -U?
Please post the section in pacman.conf that declares your personal repo.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
(A works at time B) && (time C > time B ) ≠ (A works at time C)
> Maybe this has to do with signing repositories and not with signing packages?
Thank you for the idea!
> Does pacman accept your key when you try to install a package signed with your key using pacman -U?
$ ls -la
-rw-r--r-- 1 moscow moscow 28573 Mar 2 02:18 foo-1.0.r13-1-any.pkg.tar.zst
-rw-r--r-- 1 moscow moscow 438 Mar 2 02:18 foo-1.0.r13-1-any.pkg.tar.zst.sig
$ sudo pacman -U foo-1.0.r13-1-any.pkg.tar.zst
loading packages...
resolving dependencies...
looking for conflicting packages...
Packages (1) foo-1.0.r13-1
Total Installed Size: 0.08 MiB
:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring [################################################################################################################################] 100%
(1/1) checking package integrity [################################################################################################################################] 100%
(1/1) loading package files [################################################################################################################################] 100%
(1/1) checking for file conflicts [################################################################################################################################] 100%
(1/1) checking available disk space [################################################################################################################################] 100%
:: Running pre-transaction hooks...
(1/1) Performing snapper pre snapshots for the following configurations...
==> root: 897
:: Processing package changes...
(1/1) installing foo [################################################################################################################################] 100%
:: Running post-transaction hooks...
(1/1) Performing snapper post snapshots for the following configurations...
==> root: 898
> Please post the section in pacman.conf that declares your personal repo.
The only non-default settings in /etc/pacman.conf (from the top post):
[options]
SigLevel = Required DatabaseOptional
LocalFileSigLevel = Optional
[myrepo1]
Server = file:///home/moscow/repos/$repo/
[myrepo2]
Server = file:///home/moscow/repos/$repo/
[myrepo2]
Server = file:///home/moscow/repos/$repo/
Time to check repo structure / content.
$ ls -lR /home/moscow/repos/myrepo1/