[SOLVED] makepkg --verifysource signature failure

loqs · 2024-03-12 15:50:43

$ makepkg --verifysource 
==> Making package: python-pyusb 1.2.1-4 (Tue 12 Mar 2024 15:45:47 UTC)
==> Retrieving sources...
  -> Updating pyusb git repo...
==> Validating source files with sha512sums...
    pyusb ... Skipped
==> Verifying source file signatures with gpg...
    pyusb git repo ... %s is unable to verify the signature.
git
==> ERROR: One or more PGP signatures could not be verified!
$ makepkg -Codd --skippgpcheck 
==> Making package: python-pyusb 1.2.1-4 (Tue 12 Mar 2024 15:47:12 UTC)
==> WARNING: Skipping dependency checks.
==> Retrieving sources...
  -> Updating pyusb git repo...
==> WARNING: Skipping verification of source file PGP signatures.
==> Validating source files with sha512sums...
    pyusb ... Skipped
==> Removing existing $srcdir/ directory...
==> Extracting sources...
  -> Creating working copy of pyusb git repo...
Cloning into 'pyusb'...
done.
Switched to a new branch 'makepkg'
==> Sources are ready.
$ cd src/pyusb/
$ git tag -v v1.2.1
object 7f3638b7c296ac8153bbff369f8a7c0e28907153
type commit
tag v1.2.1
tagger Jonas Malaco <jonas@protocubo.io> 1625799410 -0300

Version 1.2.1
gpg: Signature made Fri 09 Jul 2021 03:56:50 BST
gpg:                using RSA key E85FE39F6A144827869F9A7745F0AD783D788A6D
gpg: Good signature from "Jonas Tadeu Silva Malaco Filho <jonas@jonasmalaco.com>" [unknown]
gpg:                 aka "Jonas Tadeu Silva Malaco Filho <jonasmalacofilho@usp.br>" [unknown]
gpg:                 aka "Jonas Tadeu Silva Malaco Filho <jonas@elebeta.com.br>" [unknown]
gpg:                 aka "Jonas Tadeu Silva Malaco Filho <jonasmalacofilho@gmail.com>" [unknown]
gpg:                 aka "Jonas Tadeu Silva Malaco Filho <jonas@protocubo.io>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 23F3 35ED 4E82 9797 734B  22F6 5841 AF74 06AF 7AD0
     Subkey fingerprint: E85F E39F 6A14 4827 869F  9A77 45F0 AD78 3D78 8A6D

Last edited by loqs (2024-03-12 17:40:03)

Scimmia · 2024-03-12 16:08:24

That expired key would probably do it

loqs · 2024-03-12 17:04:44

Scimmia wrote:

That expired key would probably do it

$ gpg --list-keys -v 45F0AD783D788A6D
gpg: enabled compatibility flags:
gpg: using pgp trust model
gpg: Note: signature key 45F0AD783D788A6D expired 2021-09-13 16:25:20
pub   rsa4096 2013-11-29 [SC]
      23F335ED4E829797734B22F65841AF7406AF7AD0
uid           [ unknown] Jonas Tadeu Silva Malaco Filho <jonas@jonasmalaco.com>
uid           [ unknown] Jonas Tadeu Silva Malaco Filho <jonasmalacofilho@usp.br>
uid           [ unknown] Jonas Tadeu Silva Malaco Filho <jonas@elebeta.com.br>
uid           [ unknown] Jonas Tadeu Silva Malaco Filho <jonasmalacofilho@gmail.com>
uid           [ unknown] Jonas Tadeu Silva Malaco Filho <jonas@protocubo.io>
sub   rsa3072 2013-11-29 [S] [expired: 2021-09-13]
sub   rsa3072 2013-11-29 [E] [expired: 2021-09-13]

Sure enough setting the system time back to "2021-09-01 16:25:20" and ` makepkg --verifysource` passes.
Edit:
https://gitlab.archlinux.org/archlinux/ … -/issues/1

Last edited by loqs (2024-03-12 17:41:14)

Allan · 2024-03-12 23:40:15

What version of pacman are you using? I reverted stuff so expired keys should not do that with the 6.1 release, and fixed the error message...\

Edit: I assume this is the 6.0.x version from Arch which has a ridiculous backport still for a patch that was partially reverted...

loqs · 2024-03-13 04:58:01

$ pacman -Q pacman
pacman 6.0.2-9

Arch Linux

#1 2024-03-12 15:50:43

[SOLVED] makepkg --verifysource signature failure

#2 2024-03-12 16:08:24

Re: [SOLVED] makepkg --verifysource signature failure

#3 2024-03-12 17:04:44

Re: [SOLVED] makepkg --verifysource signature failure

#4 2024-03-12 23:40:15

Re: [SOLVED] makepkg --verifysource signature failure

#5 2024-03-13 04:58:01

Re: [SOLVED] makepkg --verifysource signature failure

Board footer