Can not install qtile-extras PGP signature could not be verified

Efka · 2024-07-08 06:40:24

Hi, im trying to install qtile-extras from AUR but having issues.

git clone [url]https://aur.archlinux.org/qtile-extras.git[/url]

cd qtile-extras

makepkg -si

and i get this:

ERROR: One or more PGP signatures could not be verified

So lets import this key, open PKBUILD check the key

nvim PKGBUILD

sudo pacman-key --recv-keys A6BAA1E17D2664ADB97B2C6F58A9AA7C86727DF7

sudo pacman-key --finger A6BAA1E17D2664ADB97B2C6F58A9AA7C86727DF7

pacman-key --lsign-key  A6BAA1E17D2664ADB97B2C6F58A9AA7C86727DF7

makepkg -si

ERROR: One or more PGP signatures could not be verified

Tried only

58A9AA7C86727DF7

Still same.
Tried

sudo pacman-key --init & pacman-key --populate

event added archlinux after

populate

- same issue.
What im doing wrong ?
P.s. fresh Arch Linux install. apart Qtile , kitty , pcmanfm and Firefox - no other things installed
Thanks!

mpan · 2024-07-08 07:02:08

Hello.

Pacman keyring and pacman-key deal with package signatures. The already built packages to be installed.

The error you see comes from makepkg. makepkg downloads sources and then verifies their signatures. It does so using your own, private keyring. In other words, the key must be in your own keyring.

You don’t have to mark that key as trusted or sign it. Its presence in validpgpkeys instructs makepkg to assume it’s trusted.

Verifying authenticity of the source can be skipped using the `--skippgpcheck` option to makepkg. With all the security implications, hence — if possible — this shouldn’t be used.

See makepkg: signature checking in Arch Wiki.

Efka · 2024-07-08 07:36:57

mpan wrote:

Hello.
Pacman keyring and pacman-key deal with package signatures. The already built packages to be installed.
The error you see comes from makepkg. makepkg downloads sources and then verifies their signatures. It does so using your own, private keyring. In other words, the key must be in your own keyring.
You don’t have to mark that key as trusted or sign it. Its presence in validpgpkeys instructs makepkg to assume it’s trusted.
Verifying authenticity of the source can be skipped using the `--skippgpcheck` option to makepkg. With all the security implications, hence — if possible — this shouldn’t be used.
See makepkg: signature checking in Arch Wiki.

If i understand correctly - to install qtile-extras just use --skippgpcheck ? or create my own ?
P.s. i usually avoid using helpers but PARU installed qtile-extras.
So now i can just delete that key which i imported ?

mpan · 2024-07-08 08:23:16

You can use `--skippgpcheck` to not verify the sources. But you should not, if possible, as this way you can’t verify authenticity of the sources.

Just import or receive the key to your user’s keyring.

The key you imported to pacman’s keyring may be deleted.

Efka · 2024-07-08 08:49:42

mpan wrote:

You can use `--skippgpcheck` to not verify the sources. But you should not, if possible, as this way you can’t verify authenticity of the sources.
Just import or receive the key to your user’s keyring.
The key you imported to pacman’s keyring may be deleted.

So instead of pacman-key --recv-keys i needed to use gpg --receive-keys ?

As per 3.5.2 Searching and receiving keys

Or im completely lost ?
Last time i needed to import key was ages ago ...

Lone_Wolf · 2024-07-08 11:22:59

So instead of pacman-key --recv-keys i needed to use gpg --receive-keys ?
As per 3.5.2 Searching and receiving keys

Also look at 3.5.3 as keyservers only have a subset of published keys, so you may need to try several before finding one that has it.

Efka · 2024-07-12 02:37:08

Lone_Wolf wrote:

So instead of pacman-key --recv-keys i needed to use gpg --receive-keys ?
As per 3.5.2 Searching and receiving keys
Also look at 3.5.3 as keyservers only have a subset of published keys, so you may need to try several before finding one that has it.

Got it.
Thank You.

Arch Linux

#1 2024-07-08 06:40:24

Can not install qtile-extras PGP signature could not be verified

#2 2024-07-08 07:02:08

Re: Can not install qtile-extras PGP signature could not be verified

#3 2024-07-08 07:36:57

Re: Can not install qtile-extras PGP signature could not be verified

#4 2024-07-08 08:23:16

Re: Can not install qtile-extras PGP signature could not be verified

#5 2024-07-08 08:49:42

Re: Can not install qtile-extras PGP signature could not be verified

#6 2024-07-08 11:22:59

Re: Can not install qtile-extras PGP signature could not be verified

#7 2024-07-12 02:37:08

Re: Can not install qtile-extras PGP signature could not be verified

Board footer