You are not logged in.
Pages: 1
Hi Arch
I've been switching over from Debian distros and really liking the Arch a lot! But I am posting here because I have been having a big problem getting around a PGP verification issue that is keeping me from progressing and fully adopting this distro.
I am trying to build a kernel using the arch asp and makepkg tools. I enter the following commands in a new directory:
asp update linux
asp export linux
makepkg -s
It goes through all the git repo download activities but then before beyond that, proclaims that there is an error verifying the PGP signature:
archlinux-linux git repo ... FAILED (unknown public key 3B94A80E50A477C7)
I found out online that this key signature belongs to developer Jan Alexander Steffens (heftig). When I look inside the PKGBUILD file, it lists another key signature for this person: A2FF3A36AAA56654109064AB19802F8B0D70FC30.
How do I get Arch to use this key? It knows the correct key but it will not use it. So strange! Somehow, I have to import this key into my key ring? But yet I tried a million incantations recommended by people online of updating the local keyring. Indeed, I have the A2FF key installed on the pacman keyring:
gpg --homedir /etc/pacman.d/gnupg --list-keys | grep -A 10 -B 10 heftig
A2FF3A36AAA56654109064AB19802F8B0D70FC30
uid [ undef ] Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
uid [ full ] Jan Alexander Steffens (heftig) <heftig@archlinux.org>
uid [ undef ] Jan Alexander Steffens (heftig) <jan.steffens@ltnglobal.com>
Can someone help me? I am struggling with this issue big time. If this should be posted in a different sub forum, I will gladly move this post. I considered it a newbie issue because the PGP is a basic issue that need to be correctly setup to use the arch distro.
Thanks
Jay
Last edited by jayt0808 (2022-03-30 20:35:26)
Offline
makepkg and pacman are two separate things, so makepkg doesn't use pacman's keyring to verify sources. Really, it's extremely rare that the same person would sign the upstream release and the package anyway. makepkg uses the user's keyring, so that's where you need to import the key in question. See the makepkg wiki page.
Offline
I did import to my local keyring as well that is not associated with pacman:
[jayt@archippus linux]$ gpg --list-keys heftig
pub ed25519 2020-05-11 [SC]
A2FF3A36AAA56654109064AB19802F8B0D70FC30
uid [ unknown] Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
uid [ unknown] Jan Alexander Steffens (heftig) <heftig@archlinux.org>
uid [ unknown] Jan Alexander Steffens (heftig) <jan.steffens@ltnglobal.com>
sub ed25519 2020-05-11 [A]
sub cv25519 2020-05-11 [E]
Still doesn't work
Offline
I don't know if it's been fixed but...
Offline
as requested in the link given:
can someone tell me how do I setup to use a different key server? Is this a default setting in the distro somewhere?
Also, this 19802F key is different than the one listed in the PKGBUILD file. How do I know in the future which key to import to my local gpg? I'd think that I just had to import the keys shown in the PKGBUILD file. But yet the 19802F key is not listed there.
Offline
Offline
I changed the key server to hkps://keys.openpgp.org as requested:
[jayt@archippus linux]$ cat ~/.gnupg/dirmngr.conf
keyserver hkps://keys.openpgp.org
This didn't change the result of failed key verification. I also tried to add the two keys after doing this:
[jayt@archippus linux]$ gpg --recv-keys 3B94A80E50A477C7
gpg: key 19802F8B0D70FC30: rejected by import screener
gpg: Total number processed: 1
[jayt@archippus linux]$ gpg --recv-keys 19802F8B0D70FC30
gpg: key 19802F8B0D70FC30: 6 duplicate signatures removed
gpg: key 19802F8B0D70FC30: 1 bad signature
gpg: key 19802F8B0D70FC30: 6 signatures reordered
gpg: key 19802F8B0D70FC30: "Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
After each of these changes, I tried to verify the pgp with makepkg:
[jayt@archippus linux]$ makepkg --verifysource > /dev/null
archlinux-linux ... Skipped
config ... Passed
archlinux-linux git repo ... FAILED (unknown public key 3B94A80E50A477C7)
==> ERROR: One or more PGP signatures could not be verified!
Any other ideas?
Offline
Did you restart dirmgr?
gpg --keyserver 'hkps://keys.openpgp.org' --receive-keys 3B94A80E50A477C7Edit: please also use code tags, https://bbs.archlinux.org/help.php#bbcode
Last edited by seth (2022-03-30 14:52:13)
Offline
yes, that works Seth. Thank you so much. That is also a general solution that allows me to use the key that was cited in the error message as one I need to add, instead of trying to figure out which other key should be added. I.e. the key in the PKGBUILD is different but is not something I need to be concerned with.
Offline
"pkill dirmngr" should™ get you the updated config and the desired keyserver by default, see the green box in https://wiki.archlinux.org/title/GnuPG#Key_servers
Please always remember to mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
Offline
The key isn't different, exactly, it's a subkey, so getting one is the same as getting the other.
Offline
how do I change the post title?
Offline
Edit the first post...
CoC - How to post
Offline
Thanks you guys! You've provided great support. I'm impressed by the Arch community so far. I got my kernel built as well...
Offline
Pages: 1