Hi there,
All of a sudden I started getting PGP key errors when trying to upgrade my system:
~: sudo pacman -Syu
(194/194) checking keys in keyring [####################################################################] 100%
downloading required keys...
:: Import PGP key 9B7A287D9A2EC608, "David Runge <dvzrv@archlinux.org>"? [Y/n] y
error: key "9B7A287D9A2EC608" could not be looked up remotely
error: required key missing from keyring
error: failed to commit transaction (unexpected error)
Errors occurred, no packages were upgraded.
After reading some posts here I decided to perform a full refresh of the keyring:
sudo su
rm -R /etc/pacman.d/gnupg/
rm -R /root/.gnupg
gpg --refresh-keys
dirmngr </dev/null
pacman-key --init
pacman-key --populate
pacman-key --refresh-keys
Now, the last command [pacman-key --refresh-keys] fails with lots of errors like the one below:
gpg: error retrieving 'eworm@archlinux.org' via WKD: Server indicated a failure
gpg: error reading key: Server indicated a failure
gpg: error retrieving 'arch@eworm.de' via WKD: Server indicated a failure
gpg: error reading key: Server indicated a failure
gpg: refreshing 1 key from hkp://keyserver.ubuntu.com
gpg: keyserver refresh failed: Server indicated a failure
==> ERROR: Could not update key: A6234074498E9CEE
I can successfully telnet to keyserver.ubuntu.com on port 11371.
I'm at a loss, I definitely need some help, please.
Thanks in advance.
Last edited by mdcclxv (2023-09-04 23:00:40)
Offline
gpg -v --keyserver hkp://keyserver.ubuntu.com --search-keys arch@eworm.de
gpg -v --keyserver hkps://keyserver.ubuntu.com --search-keys arch@eworm.de
Is your system time ok?
Offline
Yes, my system time is ok, forgot to mention that, it was one of the first things mentioned in the posts I read.
No luck:
~: gpg -v --keyserver hkp://keyserver.ubuntu.com --search-keys arch@eworm.de
gpg: enabled compatibility flags:
gpg: error searching keyserver: Server indicated a failure
gpg: keyserver search failed: Server indicated a failure
~: gpg -v --keyserver hkps://keyserver.ubuntu.com --search-keys arch@eworm.de
gpg: enabled compatibility flags:
gpg: error searching keyserver: Server indicated a failure
gpg: keyserver search failed: Server indicated a failure
Offline
What is the output from the following?
$ killall dirmgr
$ mkdir /tmp/gnupg
$ gpg --homedir /tmp/gnupg/ --auto-key-locate 'clear,nodefault,wkd' -v --locate-external-key 'eworm@archlinux.org'
Edit:
Sorry, bad command: removed --nodefault-keyring, which was --no-default-keyring misspelled but not needed, and added `killall dirmngr` to get rid of old instances.
Last edited by loqs (2023-09-05 09:54:00)
Offline
Might also be a DNS issue, https://bbs.archlinux.org/viewtopic.php … 4#p1983374
Offline
What is the output from the following?
$ killall dirmgr
$ mkdir /tmp/gnupg
$ gpg --homedir /tmp/gnupg/ --auto-key-locate 'clear,nodefault,wkd' -v --locate-external-key 'eworm@archlinux.org'
~: killall dirmgr
dirmgr: no process found
~: mkdir /tmp/gnupg
~: gpg --homedir /tmp/gnupg/ --auto-key-locate 'clear,nodefault,wkd' -v --locate-external-key 'eworm@archlinux.org'
gpg: WARNING: unsafe permissions on homedir '/tmp/gnupg'
gpg: enabled compatibility flags:
gpg: keybox '/tmp/gnupg/pubring.kbx' created
gpg: /tmp/gnupg/trustdb.gpg: trustdb created
gpg: using pgp trust model
gpg: no running Dirmngr - starting '/usr/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: connection to dirmngr established
gpg: error retrieving 'eworm@archlinux.org' via WKD: Server indicated a failure
gpg: error reading key: Server indicated a failure
If it was a DNS issue I wouldn't be able to
telnet keyserver.ubuntu.com 11371
Offline
telnet uses nss, gpg afaict doesn't - depending on your resolver (resolved?) this might still be an issue.
gpg --debug 1024 --keyserver http://162.213.33.9 --search-keys 'eworm@archlinux.org'
Offline
Still no luck
~: gpg --debug 1024 --keyserver http://162.213.33.9 --search-keys 'eworm@archlinux.org'
gpg: reading options from '[cmdline]'
gpg: enabled debug flags: ipc
gpg: enabled compatibility flags:
gpg: DBG: chan_3 <- # Home: /root/.gnupg
gpg: DBG: chan_3 <- # Config: /root/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.2.41 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.2.41
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KEYSERVER --clear http://162.213.33.9
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KS_SEARCH -- eworm@archlinux.org
gpg: DBG: chan_3 <- ERR 167772346 No keyserver available <Dirmngr>
gpg: error searching keyserver: No keyserver available
gpg: keyserver search failed: No keyserver available
gpg: DBG: chan_3 -> BYE
gpg: secmem usage: 0/32768 bytes in 0 blocks
~: ping 162.213.33.9
PING 162.213.33.9 (162.213.33.9) 56(84) bytes of data.
^C
--- 162.213.33.9 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8101ms
~: traceroute 162.213.33.9
traceroute to 162.213.33.9 (162.213.33.9), 30 hops max, 60 byte packets
1 _gateway (10.1.1.254) 0.529 ms 1.155 ms 0.632 ms
2 10.0.0.1 (10.0.0.1) 2.276 ms 2.223 ms 2.499 ms
3 10.30.3.129 (10.30.3.129) 2.810 ms 3.053 ms 2.265 ms
4 10.220.187.231 (10.220.187.231) 21.061 ms 10.220.187.246 (10.220.187.246) 41.902 ms 10.220.187.238 (10.220.187.238) 36.165 ms
5 Te0-0-0-0-pr2.FRA.router.colt.net (80.81.193.61) 22.084 ms 21.619 ms et-0-0-1-pr2.AMS.router.colt.net (80.249.208.236) 33.859 ms
6 193.114.170.203 (193.114.170.203) 35.461 ms 33.268 ms 212.74.70.106 (212.74.70.106) 33.493 ms
7 cust-BHX-BHX-E5S002885-p5-1-0.bhx-1.bir.bir.uk.colt.net (213.86.95.38) 35.019 ms 34.561 ms 32.980 ms
8 ninjask.canonical.com (91.189.93.204) 32.416 ms 32.455 ms 32.495 ms
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
Offline
The server doesn't respond to ICMP requests, the ping failure is normal.
Let's make sure that's not a leftover out of dirmngr (how long did it take until the failure?)
gpg --debug 1024 --keyserver http://162.213.33.9 --search-keys 'torvalds'
Offline
The failure is instant, there's no waiting at all between log lines being printed, if that's what you're asking.
~: gpg --debug 1024 --keyserver http://162.213.33.9 --search-keys 'torvalds'
gpg: reading options from '[cmdline]'
gpg: enabled debug flags: ipc
gpg: enabled compatibility flags:
gpg: DBG: chan_3 <- # Home: /root/.gnupg
gpg: DBG: chan_3 <- # Config: /root/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.2.41 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.2.41
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KEYSERVER --clear http://162.213.33.9
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KS_SEARCH -- torvalds
gpg: DBG: chan_3 <- ERR 167772346 No keyserver available <Dirmngr>
gpg: error searching keyserver: No keyserver available
gpg: keyserver search failed: No keyserver available
gpg: DBG: chan_3 -> BYE
gpg: secmem usage: 0/32768 bytes in 0 blocks
Offline
The failure is instant, there's no waiting at all between log lines being printed
The keyservers aren't that fast.
pacman -Qikk gnupg
tail -n1000 {/etc/,~/.}gnupg/{dirmngr,gpg}.conf
In ~/.gnupg/dirmngr.conf add
log-file /tmp/dirmngr.log
debug-level guru
then "pkill dirmngr" and query the server again, post the log.
Offline
~: pacman -Qikk gnupg
Name : gnupg
Version : 2.2.41-1
Description : Complete and free implementation of the OpenPGP standard
Architecture : x86_64
URL : https://www.gnupg.org/
Licenses : BSD custom custom:CC0 GPL2 GPL3 LGPL3 LGPL2.1 MIT
Groups : None
Provides : None
Depends On : bzip2 libbz2.so=1.0-64 glibc gnutls libgcrypt libgpg-error libksba libassuan libassuan.so=0-64 npth libnpth.so=0-64 pinentry readline libreadline.so=8-64
sqlite zlib
Optional Deps : libldap: gpg2keys_ldap [installed]
libusb-compat: scdaemon
pcsclite: scdaemon [installed]
Required By : gpgme pacman
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 8.57 MiB
Packager : Levente Polyak <anthraxx@archlinux.org>
Build Date : Fri 24 Feb 2023 05:44:11 PM EET
Install Date : Tue 07 Mar 2023 05:00:32 PM EET
Install Reason : Installed as a dependency for another package
Install Script : Yes
Validated By : Signature
gnupg: 222 total files, 0 altered files
I think the tail command should look in /etc/pacman.d/:
~: tail -n1000 {/etc/pacman.d/,~/.}gnupg/{dirmngr,gpg}.conf
tail: cannot open '/etc/pacman.d/gnupg/dirmngr.conf' for reading: No such file or directory
==> /etc/pacman.d/gnupg/gpg.conf <==
no-greeting
no-permission-warning
lock-never
keyserver-options timeout=10
keyserver-options import-clean
keyserver-options no-self-sigs-only
tail: cannot open '/root/.gnupg/dirmngr.conf' for reading: No such file or directory
tail: cannot open '/root/.gnupg/gpg.conf' for reading: No such file or directory
Since I don't have the ~/.gnupg/dirmngr.conf file, I created it from scratch.
~: gpg --debug 1024 --keyserver http://162.213.33.9 --search-keys 'torvalds'
2023-09-06 01:14:52 dirmngr[67880] listening on socket '/root/.gnupg/S.dirmngr'
2023-09-06 01:14:52 dirmngr[67881.0] permanently loaded certificates: 144
2023-09-06 01:14:52 dirmngr[67881.0] runtime cached certificates: 0
2023-09-06 01:14:52 dirmngr[67881.0] trusted certificates: 144 (144,0,0,0)
2023-09-06 01:14:52 dirmngr[67881.6] handler for fd 6 started
2023-09-06 01:14:52 dirmngr[67881.6] DBG: chan_6 -> # Home: /root/.gnupg
2023-09-06 01:14:52 dirmngr[67881.6] DBG: chan_6 -> # Config: /root/.gnupg/dirmngr.conf
2023-09-06 01:14:52 dirmngr[67881.6] DBG: chan_6 -> OK Dirmngr 2.2.41 at your service
2023-09-06 01:14:52 dirmngr[67881.6] connection from process 67878 (0:0)
2023-09-06 01:14:52 dirmngr[67881.6] DBG: chan_6 <- GETINFO version
2023-09-06 01:14:52 dirmngr[67881.6] DBG: chan_6 -> D 2.2.41
2023-09-06 01:14:52 dirmngr[67881.6] DBG: chan_6 -> OK
2023-09-06 01:14:52 dirmngr[67881.6] DBG: chan_6 <- KEYSERVER --clear http://162.213.33.9
2023-09-06 01:14:52 dirmngr[67881.6] DBG: chan_6 -> OK
2023-09-06 01:14:52 dirmngr[67881.6] DBG: chan_6 <- KS_SEARCH -- torvalds
2023-09-06 01:14:52 dirmngr[67881.6] resolve_dns_addr failed while checking '162.213.33.9': Server indicated a failure
2023-09-06 01:14:52 dirmngr[67881.6] number of system provided CAs: 169
2023-09-06 01:14:52 dirmngr[67881.6] can't connect to '162.213.33.9': no IP address for host
2023-09-06 01:14:52 dirmngr[67881.6] error connecting to 'http://162.213.33.9:80': Unknown host
2023-09-06 01:14:52 dirmngr[67881.6] marking host '162.213.33.9' as dead
2023-09-06 01:14:52 dirmngr[67881.6] host '162.213.33.9' marked as dead
2023-09-06 01:14:52 dirmngr[67881.6] command 'KS_SEARCH' failed: No keyserver available
Looks to me like gpg always tries to resolve the hostname, so I tried this as well:
~: gpg --debug 1024 --keyserver http://keyserver.ubuntu.com --search-keys 'torvalds'
2023-09-06 01:14:52 dirmngr[67881.6] DBG: chan_6 -> ERR 167772346 No keyserver available <Dirmngr>
2023-09-06 01:14:52 dirmngr[67881.6] DBG: chan_6 <- BYE
2023-09-06 01:14:52 dirmngr[67881.6] DBG: chan_6 -> OK closing connection
2023-09-06 01:14:52 dirmngr[67881.6] handler for fd 6 terminated
2023-09-06 01:18:11 dirmngr[67881.6] handler for fd 6 started
2023-09-06 01:18:11 dirmngr[67881.6] DBG: chan_6 -> # Home: /root/.gnupg
2023-09-06 01:18:11 dirmngr[67881.6] DBG: chan_6 -> # Config: /root/.gnupg/dirmngr.conf
2023-09-06 01:18:11 dirmngr[67881.6] DBG: chan_6 -> OK Dirmngr 2.2.41 at your service
2023-09-06 01:18:11 dirmngr[67881.6] connection from process 68048 (0:0)
2023-09-06 01:18:11 dirmngr[67881.6] DBG: chan_6 <- GETINFO version
2023-09-06 01:18:11 dirmngr[67881.6] DBG: chan_6 -> D 2.2.41
2023-09-06 01:18:11 dirmngr[67881.6] DBG: chan_6 -> OK
2023-09-06 01:18:11 dirmngr[67881.6] DBG: chan_6 <- KEYSERVER --clear http://keyserver.ubuntu.com
2023-09-06 01:18:11 dirmngr[67881.6] DBG: chan_6 -> OK
2023-09-06 01:18:11 dirmngr[67881.6] DBG: chan_6 <- KS_SEARCH -- torvalds
2023-09-06 01:18:11 dirmngr[67881.6] command 'KS_SEARCH' failed: Server indicated a failure <Unspecified source>
2023-09-06 01:18:11 dirmngr[67881.6] DBG: chan_6 -> ERR 219 Server indicated a failure <Unspecified source>
2023-09-06 01:18:11 dirmngr[67881.6] DBG: chan_6 <- BYE
2023-09-06 01:18:11 dirmngr[67881.6] DBG: chan_6 -> OK closing connection
2023-09-06 01:18:11 dirmngr[67881.6] handler for fd 6 terminated
Offline
What if you edit/create ~/.gnupg/dirmngr.conf and add a line with the following:
standard-resolver
Offline
What if you edit/create ~/.gnupg/dirmngr.conf and add a line with the following:
standard-resolver
That leads to a successful execution of the
gpg --debug 1024 --keyserver http://keyserver.ubuntu.com --search-keys 'torvalds'
command, but my initial problem still remains:
pacman-key --refresh-keys
is producing the same errors.
Offline
You'll need that in /etc/pacman.d/gnupg/dirmngr.conf as well
Offline
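The diagnosis this thread arrives at, as an added example that is not part of any post: the first function classifies a dirmngr log like the one posted above, and the second idempotently adds `standard-resolver` (which makes dirmngr use the system's resolver instead of its built-in DNS code) to a GnuPG home's dirmngr.conf. The function names and temporary paths are assumptions, and the "network" pattern assumes dirmngr logs other connect errors in the same "error connecting to" form.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# dirmngr_log_verdict LOGFILE -> prints resolver | network | unclassified | ok
# Reads a dirmngr log written with "log-file" and "debug-level guru".
dirmngr_log_verdict() {
    awk '
        /resolve_dns_addr failed/ || /no IP address for host/ { resolver = 1 }
        /error connecting to/ && !/Unknown host/              { network = 1 }
        /command .* failed/                                   { failed = 1 }
        END {
            if (resolver)     print "resolver"      # lookup failed inside dirmngr
            else if (network) print "network"       # resolved, connect failed (assumed wording)
            else if (failed)  print "unclassified"  # failure with no detail logged
            else              print "ok"
        }' "$1"
}

# ensure_standard_resolver GNUPGHOME -> prints added | present
# Idempotently puts "standard-resolver" into GNUPGHOME/dirmngr.conf.
ensure_standard_resolver() {
    conf="$1/dirmngr.conf"
    if [ -f "$conf" ] && grep -Eq '^[[:space:]]*standard-resolver[[:space:]]*$' "$conf"; then
        echo present
        return 0
    fi
    mkdir -p "$1" || return 1
    # Do not glue the option onto an unterminated last line.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        echo >> "$conf"
    fi
    echo standard-resolver >> "$conf" && echo added
}

# Constructed sample: lines copied from the log posted above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/dirmngr.log" <<'EOF'
2023-09-06 01:14:52 dirmngr[67881.6] DBG: chan_6 <- KS_SEARCH -- torvalds
2023-09-06 01:14:52 dirmngr[67881.6] resolve_dns_addr failed while checking '162.213.33.9': Server indicated a failure
2023-09-06 01:14:52 dirmngr[67881.6] can't connect to '162.213.33.9': no IP address for host
2023-09-06 01:14:52 dirmngr[67881.6] error connecting to 'http://162.213.33.9:80': Unknown host
2023-09-06 01:14:52 dirmngr[67881.6] command 'KS_SEARCH' failed: No keyserver available
EOF

if [ "$(dirmngr_log_verdict "$demo_dir/dirmngr.log")" = resolver ]; then
    # Real targets in the thread: ~/.gnupg and /etc/pacman.d/gnupg (as root),
    # followed by "pkill dirmngr" so the running daemon rereads its config.
    ensure_standard_resolver "$demo_dir/gnupg"
fi
```

A "resolver" verdict for an IP-literal keyserver, as in the sample, means the request never left the machine, which is why ping and telnet results said nothing about the fault.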
I encountered the exact same issue just now, and resolved it by refreshing the keys with:
pacman-key --refresh-keys
Source: 4.3 Signature is unknown trust
Relevant command output:
gpg: key 54C28F4FF5A1A949: "David Runge <dave@********.de>" not changed
gpg: key BB992F9864FAD168: "David Runge <dave@********.de>" 1 new signature
gpg: key BB992F9864FAD168: "David Runge <dave@********.de>" 1 new subkey
gpg: Total number processed: 2
gpg: unchanged: 1
gpg: new subkeys: 1
gpg: new signatures: 1
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 5 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 5 signed: 95 trust: 0-, 0q, 0n, 5m, 0f, 0u
gpg: depth: 2 valid: 73 signed: 28 trust: 73-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2023-10-27
pub rsa4096 2012-05-06 [SCA] [revoked: 2022-05-09]
91BD8815FE0040FA7FF5D68754C28F4FF5A1A949
uid [ revoked] David Runge <dave@********.de>
uid [ revoked] David Runge <dave@********.org>
uid [ revoked] David Runge <runge@********.de>
uid [ revoked] David Runge <david.runge@********.de>
Last edited by Twiki (2023-09-06 10:20:02)
Bidi-bidi-bidi-bidi.
Offline
The OP has problems talking to the keyserver, you probably just need to update more frequently and maybe the wkd timer is deactivated or the system wasn't used in a while.
In either case, that's a completely unrelated situation.
Offline
That did the trick, keys updated. Well, not all; some of them seem to be old and no longer exist.
Thanks a million both, pacman updating as usual.
Can anyone give me a clue about the "standard resolver" option? What's happening without it and what with it present?
Offline
….. , you probably just need to update more frequently …..
Bidi-bidi-bidi-bidi You sussed me.
Bidi-bidi-bidi-bidi.
Offline
To verify connectivity with the keyserver you can try (run as root) traceroute using TCP / port 80 instead of ICMP echo.
# traceroute --tcp 162.213.33.9
traceroute to 162.213.33.9 (162.213.33.9), 30 hops max, 60 byte packets
1 _gateway (192.168.178.1) 0.785 ms 0.962 ms 1.114 ms
2 lo0-3.bras1.fi001.nl.freedomnet.nl (185.93.175.233) 9.507 ms 11.519 ms 11.640 ms
3 et-0-0-3-1001.core0.fi001.nl.freedomnet.nl (185.93.175.247) 40.874 ms 40.978 ms 40.965 ms
4 be30.ams-nkhf-ipr02.tnoc.nl (45.145.108.141) 12.985 ms 13.118 ms 13.909 ms
5 ce-5-0-3.a00.amstnl09.nl.bb.gin.ntt.net (81.20.64.85) 15.510 ms 15.388 ms 15.477 ms
6 ae-13.r20.amstnl07.nl.bb.gin.ntt.net (129.250.2.162) 23.406 ms 14.633 ms ae-9.r21.amstnl07.nl.bb.gin.ntt.net (129.250.2.232) 14.421 ms
7 ae-0.a01.amstnl07.nl.bb.gin.ntt.net (129.250.7.87) 19.311 ms ae-1.a01.amstnl07.nl.bb.gin.ntt.net (129.250.7.89) 14.132 ms ae-0.a01.amstnl07.nl.bb.gin.ntt.net (129.250.7.87) 29.266 ms
8 et-0-0-1-pr2.AMS.router.colt.net (80.249.208.236) 10.649 ms 12.219 ms 12.194 ms
9 193.114.170.203 (193.114.170.203) 18.615 ms 19.063 ms 19.038 ms
10 cust-BHX-BHX-E5S002885-p5-1-0.bhx-1.bir.bir.uk.colt.net (213.86.95.38) 19.782 ms 19.759 ms 19.905 ms
11 ninjask.canonical.com (91.189.93.204) 20.075 ms 20.571 ms 18.859 ms
12 keyserver.ubuntu.com (162.213.33.9) 17.764 ms * *
13 keyserver.ubuntu.com (162.213.33.9) 18.187 ms * *
#
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
(A works at time B) && (time C > time B ) ≠ (A works at time C)
Offline
@mdcclxv, bug in the internal resolver it seems. For a wild guess, disable IPv6 and try again w/o the dirmngr setting.
@Twiki, eyes forward, you'll get starsick!
Offline
@mdcclxv, bug in the internal resolver it seems. For a wild guess, disable IPv6 and try again w/o the dirmngr setting.
That I did a long time ago, almost immediately after installing Arch on my machine.
~: sysctl net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.lo.disable_ipv6 net.ipv6.conf.enp1s0f0.disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
sysctl: cannot stat /proc/sys/net/ipv6/conf/enp1s0f0/disable_ipv6: No such file or directory
~: stat /etc/sysctl.d/40-ipv6.conf
stat: cannot statx '/etc/sysctl.d/40-ipv6.conf': No such file or directory
Offline
Does "recursive-resolver" instead of "standard-resolver" work?
Does the explicit "--keyserver hkp://keyserver.ubuntu.com:80" work?
Anything special about your local resolver situation (do you use mdns in any capacity? Tor? VPN?)
Offline
With recursive-resolver I'm getting lots of "Buffer too short" errors. Where that error doesn't occur, it works.
No VPN/Tor/mDNS.
It does work with hkp://...:80.
Last edited by mdcclxv (2023-09-07 22:32:16)
Offline
It does work with hkp://...:80.
Did you cross check this (ie. the same call w/ the same config failed w/o the port and then immediately succeeded after adding it)?
=> firewall?
=> proxy?
Offline