I'm trying to install mingw-w64-libgcrypt using yay
$ yay -S mingw-w64-libgcrypt
:: Checking for conflicts...
:: Checking for inner conflicts...
[Aur:1] mingw-w64-libgcrypt-1.10.1-1
1 mingw-w64-libgcrypt (Build Files Exist)
==> Packages to cleanBuild?
==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
==> a
:: Deleting (1/1): /home/user/.cache/yay/mingw-w64-libgcrypt
:: (1/1) Downloaded PKGBUILD: mingw-w64-libgcrypt
1 mingw-w64-libgcrypt (Build Files Exist)
==> Diffs to show?
==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
==> n
:: (1/1) Parsing SRCINFO: mingw-w64-libgcrypt
==> Making package: mingw-w64-libgcrypt 1.10.1-1 (Fri 29 Jul 2022 12:16:41 CEST)
==> Retrieving sources...
-> Downloading libgcrypt-1.10.1.tar.bz2...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3689k 100 3689k 0 0 5016k 0 --:--:-- --:--:-- --:--:-- 5020k
-> Downloading libgcrypt-1.10.1.tar.bz2.sig...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 238 100 238 0 0 1169 0 --:--:-- --:--:-- --:--:-- 1166
-> Found libgcrypt-use-correct-def-file.patch
-> Found Smarter-fig2dev-detection.all.patch
==> Validating source files with sha1sums...
libgcrypt-1.10.1.tar.bz2 ... Passed
libgcrypt-1.10.1.tar.bz2.sig ... Skipped
libgcrypt-use-correct-def-file.patch ... Passed
Smarter-fig2dev-detection.all.patch ... Passed
==> Verifying source file signatures with gpg...
libgcrypt-1.10.1.tar.bz2 ... FAILED (invalid public key AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD)
==> ERROR: One or more PGP signatures could not be verified!
-> error downloading sources: mingw-w64-libgcrypt
context: exit status 1
==> Making package: mingw-w64-libgcrypt 1.10.1-1 (Fri 29 Jul 2022 12:16:43 CEST)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Found libgcrypt-1.10.1.tar.bz2
-> Found libgcrypt-1.10.1.tar.bz2.sig
-> Found libgcrypt-use-correct-def-file.patch
-> Found Smarter-fig2dev-detection.all.patch
==> Validating source files with sha1sums...
libgcrypt-1.10.1.tar.bz2 ... Passed
libgcrypt-1.10.1.tar.bz2.sig ... Skipped
libgcrypt-use-correct-def-file.patch ... Passed
Smarter-fig2dev-detection.all.patch ... Passed
==> Verifying source file signatures with gpg...
libgcrypt-1.10.1.tar.bz2 ... FAILED (invalid public key AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD)
==> ERROR: One or more PGP signatures could not be verified!
-> error making: mingw-w64-libgcrypt
I don't completely understand what I should do with GPG keys, but it looks like I can import the key which is invalid.
$ gpg --recv-keys AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD
gpg: key E98E9B2D19C6C8BD: "Niibe Yutaka (GnuPG Release Key)" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
But it's already present and cannot be updated since it's valid. So what am I doing wrong here?
Offline
Similar to https://bugs.archlinux.org/task/74990 the signature file has been replaced by one signed by two keys.
Offline
Similar to https://bugs.archlinux.org/task/74990 the signature file has been replaced by one signed by two keys.
Am I right that I can't do anything for now? Because the instruction from Dong Xu (eastdong) there doesn't work for me.
Offline
Add the AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD key to the validpgpkeys array
git diff
diff --git a/PKGBUILD b/PKGBUILD
index 218dd9b..1ac367d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -17,7 +17,8 @@ sha1sums=('de2cc32e7538efa376de7bf5d3eafa85626fb95f'
'SKIP'
'0f03d59dee4b967dfa80621ef4b1efea61772c16'
'3613a5454aeaef8d264011f2bc9f2303248fb933')
-validpgpkeys=('6DAA6E64A76D2840571B4902528897B826403ADA') # Werner Koch
+validpgpkeys=('6DAA6E64A76D2840571B4902528897B826403ADA') # Werner Koch (dist signing 2020)
+validpgpkeys+=('AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD') # Niibe Yutaka (GnuPG Release Key)
_architectures="i686-w64-mingw32 x86_64-w64-mingw32"
prepare() {
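Review bot: the added `validpgpkeys+=` line makes a second key acceptable for authenticating the tarball, but the only record of whose key it is sits in the trailing comment; say in the commit message or an adjacent comment where the fingerprint AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD was confirmed, so a reader can re-check it. As a style point, the two entries read better as one multi-line `validpgpkeys=(...)` array than as an assignment followed by `+=`. The context lines also show the sources pinned with `sha1sums`; since this change already touches the integrity block, switching to a stronger checksum array would fit in the same edit.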
Offline
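The failure discussed in this thread, as an added example that is not part of any post and not makepkg's own code: a simplified allowlist check run over constructed `gpg --status-fd` output for a signature file carrying two signatures. The function names, the rule that every valid signer must be listed, and all status fields other than the two fingerprints from the thread are assumptions.

```shell
#!/bin/sh
# Added example: simplified model of a validpgpkeys-style allowlist check.
# Not makepkg's code. Assumption of this model: every valid signer must be listed.

# Fingerprints taken from the thread.
WERNER=6DAA6E64A76D2840571B4902528897B826403ADA
NIIBE=AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD

# Constructed `gpg --status-fd 1 --verify` output for one .sig file that
# carries two signatures. Dates and algorithm fields are made up.
sample_status() {
  cat <<EOF
[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG $WERNER 2022-03-28 1648468800 0 4 0 22 10 00 $WERNER
[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG $NIIBE 2022-03-28 1648468800 0 4 0 22 10 00 $NIIBE
EOF
}

# Print one fingerprint per valid signature: the primary-key fingerprint
# (12th field) when gpg reports it, otherwise the signing-key fingerprint.
signer_fprs() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3) }'
}

# Read status lines on stdin, print signers missing from the allowlist
# ($1, space separated), and return non-zero if any signer is missing.
unlisted_signers() {
  signer_fprs | awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($1 in ok) { print; bad = 1 }
    END { exit bad + 0 }'
}

# Before the PKGBUILD change: only the first key is listed.
sample_status | unlisted_signers "$WERNER" \
  || echo "^ signer not in allowlist: verification fails"
# After the change: both keys are listed, nothing is reported.
sample_status | unlisted_signers "$WERNER $NIIBE" && echo "all signers listed"
```
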
Add the AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD key to the validpgpkeys array
git diff diff --git a/PKGBUILD b/PKGBUILD index 218dd9b..1ac367d 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -17,7 +17,8 @@ sha1sums=('de2cc32e7538efa376de7bf5d3eafa85626fb95f' 'SKIP' '0f03d59dee4b967dfa80621ef4b1efea61772c16' '3613a5454aeaef8d264011f2bc9f2303248fb933') -validpgpkeys=('6DAA6E64A76D2840571B4902528897B826403ADA') # Werner Koch +validpgpkeys=('6DAA6E64A76D2840571B4902528897B826403ADA') # Werner Koch (dist signing 2020) +validpgpkeys+=('AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD') # Niibe Yutaka (GnuPG Release Key) _architectures="i686-w64-mingw32 x86_64-w64-mingw32" prepare() {
But shouldn't it be done by the maintainer of the package? I mean, maybe they should be informed somehow.
Offline
I mean, maybe they should be informed somehow.
Leave a message on https://aur.archlinux.org/packages/mingw-w64-libgcrypt?
Offline
ALEXez wrote:I mean, maybe they should be informed somehow.
Leave a message on https://aur.archlinux.org/packages/mingw-w64-libgcrypt?
Okay, it's done, I was just checking whether there are maybe some other ways. Thanks.
Offline