
#1 2022-01-08 03:21:20

alysher
Member
Registered: 2017-07-31
Posts: 56

[Solved]PGP keys for AUR packages

Is there a LEGITIMATE place to "acquire" pgp keys for aur packages? I ask this question in this manner because the wiki on the AUR says to get a key, but does not say where to get them from, only information about the validpgpkeys array in the PKGBUILD and .sig files, neither of which can be imported with gpg.

Now i get that AUR is "not recommended" and "at your own risk": Official cant verify them, yada yada, but then the package maintainers have to maintain their keys with their packages. You would think that there would be a central location to find these keys, one that is listed in the wiki.

So where does one find the keys? Public keyserver? WHERE? which ones wont fill me up with viruses? which ones can be trusted?

My apologies for being rude, as i have spent the past 6 hours trying to install several packages only to be stopped by this one thing multiple times - and with an unclear wiki its more than just a problem for me, its real life pain.

Last edited by alysher (2022-01-11 23:47:32)


I started learning linux under Debian, and this is what I hope for every time I interact with the awesome Arch community.


#2 2022-01-08 03:46:17

Scimmia
Fellow
Registered: 2012-09-01
Posts: 13,694

Re: [Solved]PGP keys for AUR packages


#3 2022-01-08 05:35:37

alysher
Member
Registered: 2017-07-31
Posts: 56

Re: [Solved]PGP keys for AUR packages

My apologies scimmia, but that was not what i was asking about. i see the keyservers listed there, but NONE ARE ARCH LINUX SPECIFIC, and none are said to be "valid" or legitimate for AUR packages.

I didnt want some RANDOM KEYSERVER. i want one specific to arch linux or one Recommended by those that maintain the AUR, and it shouldnt be a CHALLENGE to figure the mess out.

now if i am supposed to use one of those servers, well which one is recommended? will it work for ALL the packages? do i have to import for each one?

the entire explanation of how to get a key for a package from the AUR is lacking, but im willing to figure out how to do this so others dont have to fight it in the future.




#4 2022-01-08 07:07:12

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426
Website

Re: [Solved]PGP keys for AUR packages

alysher wrote:

My apologies scimmia, but that was not what i was asking about. i see the keyservers listed there, but NONE ARE ARCH LINUX SPECIFIC, and none are said to be "valid" or legitimate for AUR packages.

I didnt want some RANDOM KEYSERVER. i want one specific to arch linux or one Recommended by those that maintain the AUR, and it shouldnt be a CHALLENGE to figure the mess out.

now if i am supposed to use one of those servers, well which one is recommended? will it work for ALL the packages? do i have to import for each one?

the entire explanation of how to get a key for a package from the AUR is lacking, but im willing to figure out how to do this so others dont have to fight it in the future.

There is no Arch-approved keyserver, that is not how PGP works. Keys are, theoretically, distributed across keyservers. See https://en.wikipedia.org/wiki/Key_serve … keyservers

And, yes, you will have to import the keys of each of the signatories of the respective packages.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#5 2022-01-08 07:58:28

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 74,307

Re: [Solved]PGP keys for AUR packages

alysher wrote:

the entire explanation of how to get a key for a package from the AUR is lacking, but im willing to figure out how to do this so others dont have to fight it in the future.

Yeah, eventually we all had to fight through elementary school and the entire alphabet to master the enigma that is RTFW…

https://wiki.archlinux.org/title/Arch_U … _if_needed links https://wiki.archlinux.org/title/Makepk … e_checking links https://wiki.archlinux.org/title/GnuPG# … public_key and https://wiki.archlinux.org/title/GnuPG#Use_a_keyserver which says

The wiki wrote:

$ gpg --search-keys user-id
$ gpg --recv-keys key-id

and https://wiki.archlinux.org/title/GnuPG#Key_servers right tells you how to configure what potential keyservers…


#6 2022-01-08 13:33:00

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 14,893

Re: [Solved]PGP keys for AUR packages

Keep in mind that those keys are not used for the aur packages, but to validate the upstream sources used in the package.

You could try visiting the upstream sites as many developers lists their keys on their site.
one example : https://xyne.dev/


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky


#7 2022-01-09 21:25:50

alysher
Member
Registered: 2017-07-31
Posts: 56

Re: [Solved]PGP keys for AUR packages

jasonwryan wrote:

There is no Arch-approved keyserver, that is not how PGP works. Keys are, theoretically, distributed across keyservers. See https://en.wikipedia.org/wiki/Key_serve … keyservers

And, yes, you will have to import the keys of each of the signatories of the respective packages.

so some key servers are public, and keys are not used only for aur packages but for all sorts of online signing.

devs upload their key to a keyserver - say xyz.com. or ubuntu.com. or they create their own keyserver, where only their key lives on it.

what determines what is an acceptable place to upload a key? If i were to make a package for the aur, all other considerations aside, where would one upload a key so as to make it look like i want people to use my software? how am i supposed to tell them where to find the key if they need it when it changes?

everyone knows not to randomly download keys, but how is using a random keyserver any different? shouldnt there be an "official stance" on where to find a key for a given package in the aur?

Some package devs are kind enough to put them in the comments of their AUR listing, but some expect you to just "figure it out". kinda hard to not get random keys when you dont know where to find a legitimate ones, right?

@seth - you missed what i was asking about, sry there. i am autistic, and thinking different is what i do.

@lone_wolf - thanks, ill see what i can find there.

Last edited by alysher (2022-01-09 21:27:32)




#8 2022-01-09 21:31:43

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426
Website

Re: [Solved]PGP keys for AUR packages

The PGP keyservers mirror each other (at least theoretically). I upload my key to say, http://pgp.net.nz and then it is propagated to mit, ubuntu, etc so that users can download it from the keyserver of their choice. This is all explained in the wikipedia article I linked to.

Every PKGBUILD has the key fingerprint in it: if you trust the packager (and that is on you), then you can import the key. You can cross check before doing so by looking at the upstream page, or the developers website, or wherever it is they publish their details... Like the rest of the AUR, users are expected to use their judgement when assessing the integrity of packages.



#9 2022-01-09 22:21:34

alysher
Member
Registered: 2017-07-31
Posts: 56

Re: [Solved]PGP keys for AUR packages

jasonwryan wrote:

The PGP keyservers mirror each other (at least theoretically). I upload my key to say, http://pgp.net.nz and then it is propagated to mit, ubuntu, etc so that users can download it from the keyserver of their choice. This is all explained in the wikipedia article I linked to.

Every PKGBUILD has the key fingerprint in it: if you trust the packager (and that is on you), then you can import the key. You can cross check before doing so by looking at the upstream page, or the developers website, or wherever it is they publish their details... Like the rest of the AUR, users are expected to use their judgement when assessing the integrity of packages.

Thank you for explaining this, i missed that they mirror each other. its not obvious like on the downloads page for the iso/torrent. even the wikipedia article is vague on that.

what do you mean "Every PKGBUILD has the key fingerprint in it"? what is the fingerprint? how does that relate to the key and the importing of such?

tbh there is so much info in any given pkgbuild file that most times i dont even get half of what im looking at, other than making sure nothing looks hinky. now i get the sources part has a validpgpkeys array that i ignore cause i dont get, so maybe this has something to do with it



#10 2022-01-09 22:33:46

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 74,307


#11 2022-01-09 22:45:32

alysher
Member
Registered: 2017-07-31
Posts: 56

Re: [Solved]PGP keys for AUR packages

Your "elitist" attitude not withstanding, thanks, but what is KEYID? and this only gets me half way. im doing the best i can here, communication is HARD for me, in all its forms.

how do i extract the correct key from PKGBUILD - they do have multiple keys in there normally. cat PKGBUILD | grep ?????

I get that you struggled, can we try to make things easier for others in the future please?



#12 2022-01-09 22:47:56

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 74,307

Re: [Solved]PGP keys for AUR packages

Idk what's wrong with you, but I'm out of this - assuming you're just trolling.


#13 2022-01-09 22:51:49

alysher
Member
Registered: 2017-07-31
Posts: 56

Re: [Solved]PGP keys for AUR packages

seth wrote:

Idk what's wrong with you, but I'm out of this - assuming you're just trolling.

i told you what is wrong with me - i am Autistic. Means my brain works in a different fashion than most people expect. i connect the dots in a different way than you do. you keep expecting me to do something i have already found out causes me to be in actual pain, and im asking for your help. its fine if you cant, thats your call.

see you around seth.

Last edited by alysher (2022-01-09 22:57:07)



#14 2022-01-09 22:55:11

loqs
Member
Registered: 2014-03-06
Posts: 18,859

Re: [Solved]PGP keys for AUR packages

alysher wrote:

how do i extract the correct key from PKGBUILD - they do have multiple keys in there normally. cat PKGBUILD | grep ?????

If you run makepkg and the public key is not in the users keyring, makepkg will fail and report the missing public key.
Edit:

makepkg
==> Making package: shadow 4.11.1-1 (Sun 09 Jan 2022 23:00:42 UTC)
==> Retrieving sources...
  -> Found shadow-4.11.1.tar.xz
  -> Found shadow-4.11.1.tar.xz.asc
  -> Found shadow-4.8-ignore-login-prompt.patch
  -> Found unsupported-options.patch
  -> Found login.defs-arch.patch
  -> Found FS66068.patch
  -> Found FS71393.patch
  -> Found LICENSE
  -> Found chgpasswd
  -> Found chpasswd
  -> Found defaults.pam
  -> Found newusers
  -> Found passwd
  -> Found shadow.timer
  -> Found shadow.service
  -> Found useradd.defaults
==> Validating source files with sha1sums...
    shadow-4.11.1.tar.xz ... Passed
    shadow-4.11.1.tar.xz.asc ... Skipped
    shadow-4.8-ignore-login-prompt.patch ... Passed
    unsupported-options.patch ... Passed
    login.defs-arch.patch ... Passed
    FS66068.patch ... Passed
    FS71393.patch ... Passed
    LICENSE ... Passed
    chgpasswd ... Passed
    chpasswd ... Passed
    defaults.pam ... Passed
    newusers ... Passed
    passwd ... Passed
    shadow.timer ... Passed
    shadow.service ... Passed
    useradd.defaults ... Passed
==> Verifying source file signatures with gpg...
    shadow-4.11.1.tar.xz ... FAILED (unknown public key 3570DA17270ACE24)
==> ERROR: One or more PGP signatures could not be verified!
$ gpg --search-keys 3570DA17270ACE24
gpg: data source: https://162.213.33.9:443
(1)	Serge Hallyn <sergeh@kernel.org>
	Serge Hallyn (kernel.org) <serge@hallyn.com>
	  2048 bit RSA key B175CFA98F192AF2, created: 2012-05-07
Keys 1-1 of 1 for "3570DA17270ACE24".  Enter number(s), N)ext, or Q)uit > 1
gpg: key B175CFA98F192AF2: public key "Serge Hallyn <sergeh@kernel.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --list-keys 3570DA17270ACE24
pub   rsa2048 2012-05-07 [SC]
      66D0387DB85D320F8408166DB175CFA98F192AF2
uid           [ unknown] Serge Hallyn <sergeh@kernel.org>
uid           [ unknown] Serge Hallyn (kernel.org) <serge@hallyn.com>
sub   rsa2048 2019-10-20 [A]
sub   rsa2048 2019-10-20 [E]
sub   rsa2048 2019-10-20 [S]
sub   rsa2048 2012-05-07 [E]

Last edited by loqs (2022-01-09 23:04:42)


#15 2022-01-09 23:07:06

alysher
Member
Registered: 2017-07-31
Posts: 56

Re: [Solved]PGP keys for AUR packages

Thanks loqs, i think i get what you mean. let me see if i got this straight. if the key isnt in my systems database, the key is shown on screen, i then do what? import it? search the pkgbuild for the correct one and then import from a keyserver?

key
KEYID
Fingerprint

none of these terms are explained in that Archwiki well, and the gpg page is not linked to the wikipedia article so all this is new information for me: key and fingerprint are not the same but fingerprint can be used to install the key, i can find the fingerprint in the pkgbuild, a key is shown if makepkg returns that the key is not in the database, and that gpg --list-keys --fingerprint KEYID is somehow involved as well.

im getting there. thanks for the help so far



#16 2022-01-09 23:08:56

loqs
Member
Registered: 2014-03-06
Posts: 18,859

Re: [Solved]PGP keys for AUR packages

See my edit above which shows an example of the process.


#17 2022-01-09 23:19:28

alysher
Member
Registered: 2017-07-31
Posts: 56

Re: [Solved]PGP keys for AUR packages

AH HA, KEYID=Fingerprint. Rhetorical question - why use two different words for the same concept in the same document? its like trying to teach a goat to sing.

and the --search-keys listing on the gnupg page has no info about the ability to import it at the time you search for it, thats kinda cool.

thanks everyone for the help in dealing with my confusions over this entire matter. my apologies to any who i upset, not intentional, just pure observation. Thanks to all of you, you too seth



#18 2022-01-09 23:21:40

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,456
Website

Re: [Solved]PGP keys for AUR packages

alysher wrote:

i told you what is wrong with me - i am Autistic. Means my brain works in a different fashion than most people expect.

But it doesn't mean you get a free pass on insulting people who are trying to help you.  That is not a result of autism, it is the result of you being rude, and using your diagnosis as an excuse for rude behavior is unacceptable (not to mention insulting to others with related diagnoses).


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman


#19 2022-01-09 23:27:26

alysher
Member
Registered: 2017-07-31
Posts: 56

Re: [Solved]PGP keys for AUR packages

Trilby wrote:
alysher wrote:

i told you what is wrong with me - i am Autistic. Means my brain works in a different fashion than most people expect.

But it doesn't mean you get a free pass on insulting people who are trying to help you.  That is not a result of autism, it is the result of you being rude, and using your diagnosis as an excuse for rude behavior is unacceptable (not to mention insulting to others with related diagnoses).

My apologies Trilby but how did i insult seth? other than pointing out how he was treating me that is? i didnt call him names or intentionally make him feel bad, i just pointed out how he was treating me. I am blunt because i have no access to certain parts of my memory when in certain types of pain, and being treated like i should "understand" this, ie like a moron, is that kind of pain.



#20 2022-01-09 23:55:52

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,456
Website

Re: [Solved]PGP keys for AUR packages

Calling someone "elitist" for providing you two links that directly answer the question you were asking is not really justified.  Though I suppose that may be subjective.  What isn't subjective is that responding like that will quickly alienate anyone who was willing to help you.

You want the benefit of the doubt that you weren't trying to insult and make others feel bad?  Ok, but why can't you give the same to others who are only posting here in order to help you?



#21 2022-01-09 23:59:00

loqs
Member
Registered: 2014-03-06
Posts: 18,859

Re: [Solved]PGP keys for AUR packages

alysher wrote:

AH HA, KEYID=Fingerprint. Rhetorical question - why use two different words for the same concept in the same document? its like trying to teach a goat to sing.

Fingerprint and key ID are not the same.  See the last sentence of Public_key_fingerprint#Public_key_fingerprints_in_practice
In my example the key ID was 3570DA17270ACE24 while the fingerprint was 66D0387DB85D320F8408166DB175CFA98F192AF2.

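Putting loqs' two posts together (the makepkg/gpg walk-through in #14 and the key ID versus fingerprint point in #21): the ID that makepkg reports as unknown can be checked against the PKGBUILD's validpgpkeys array before anything is fetched from a keyserver, because an OpenPGP v4 long key ID is simply the last 16 hex digits of the key's fingerprint. The POSIX sh below is an added example, not code from the thread, from makepkg or from the Arch wiki; the PKGBUILD it parses is a constructed sample (the first fingerprint is the one from loqs' --list-keys output, the second and the sha1sums entry are made up), and all function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or makepkg): check the key ID that
# makepkg reports as unknown against the PKGBUILD's validpgpkeys array
# before importing anything from a keyserver.

# Constructed sample PKGBUILD. The first fingerprint is the one shown in
# loqs' `gpg --list-keys` output; the second and the sha1 value are made up.
sample_pkgbuild() {
    cat <<'EOF'
pkgname=example
pkgver=1.0
source=("example-$pkgver.tar.xz"
        "example-$pkgver.tar.xz.asc")
sha1sums=('da39a3ee5e6b4b0d3255bfef95601890afd80709'
          'SKIP')
validpgpkeys=('66D0387DB85D320F8408166DB175CFA98F192AF2'   # Serge Hallyn
              '0123456789ABCDEF0123456789ABCDEF01234567')  # constructed
EOF
}

# Print the fingerprints in validpgpkeys (upper-case, one per line), whatever
# quoting or line wrapping the packager used. Scoping to the array matters:
# sha1sums entries are also 40 hex digits and must not be mistaken for keys.
pkgbuild_fingerprints() {
    awk '/^validpgpkeys=\(/ { inarr = 1 }
         inarr { print }
         inarr && /\)/ { inarr = 0 }' \
    | tr -d "'\"" \
    | grep -oE '[0-9A-Fa-f]{40}' \
    | tr 'a-f' 'A-F'
}

# An OpenPGP v4 long key ID is the last 16 hex digits of the fingerprint
# (the short ID is the last 8), which is why the two terms get conflated.
fp_to_long_keyid() {
    printf '%s' "$1" | tr 'a-f' 'A-F' | tail -c 16
}

# $1: PKGBUILD text, $2: key ID from makepkg's "unknown public key" line.
# Prints "MATCH <fingerprint>" and returns 0 when the ID is the tail of a
# listed fingerprint, otherwise prints "NOMATCH <id>" and returns 1.
check_reported_keyid() {
    keyid=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    for fp in $(printf '%s\n' "$1" | pkgbuild_fingerprints); do
        case "$fp" in
            *"$keyid") printf 'MATCH %s\n' "$fp"; return 0 ;;
        esac
    done
    printf 'NOMATCH %s\n' "$keyid"
    return 1
}

# Demo: the primary key ID matches. The ID makepkg reported in the shadow
# example (3570DA17270ACE24) is a signing subkey, so it does not; a subkey
# has to be confirmed with `gpg --list-keys --with-subkey-fingerprint`
# after the import instead (exit status 1 here just means no match).
check_reported_keyid "$(sample_pkgbuild)" B175CFA98F192AF2
check_reported_keyid "$(sample_pkgbuild)" 3570DA17270ACE24 || true
```

A NOMATCH is therefore not automatically a red flag: makepkg names the key that made the signature, and in loqs' run that was a subkey of the key whose fingerprint the packager listed. What the check does give you is a cheap way to notice when the ID being offered for import has nothing to do with the PKGBUILD at all, before `--recv-keys` is ever run.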

#22 2022-01-10 00:22:49

alysher
Member
Registered: 2017-07-31
Posts: 56

Re: [Solved]PGP keys for AUR packages

i get what you mean trilby, and if you noticed i gave him the benefit of the doubt first, once. i kindly said "you missed what i was asking about, sry there" with my first response. i took it on myself, figured i had explained it in a way that didnt quite make sense to him, i just didnt try to explain any further because trying would have caused me to lash out in pain at him instead of be nice. if you have a word better than "elitist" in the dictionary for treating someone like you are better than they are just cause they have a difficult time understanding things, i would love to know about it. <--EDIT make that my second response i said that in, the first one blanked my mind too. totally forgot that one happened.

loqs, oh, well hmm. now that makes the search function more understandable, i should be listing keys first, then matching them to the search results. makes sense now that i understand.

Last edited by alysher (2022-01-10 01:08:26)

