You are not logged in.

Pages: 1

#1 2024-12-20 01:06:40

stanksy
Member
Registered: 2024-12-20
Posts: 3

Pierre's key does not appear to be signed by anyof the master keys

i followed the instructions in the installation guide. i downloaded the iso and the respective iso sig from mit.edu mirror. then i ran this command 'gpg --keyserver-options auto-key-retrieve --verify archlinux-version-x86_64.iso.sig' which returned this to the terminal:

"gpg: assuming signed data in 'archlinux-2024.12.01-x86_64.iso'
gpg: Signature made Sat 30 Nov 2024 09:50:47 PM PST
gpg:                using EDDSA key 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
gpg:                issuer "pierre@archlinux.org"
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [unknown]
gpg:                 aka "Pierre Schmitz <pierre@archlinux.de>" [unknown]
gpg: WARNING: The key's User ID is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3E80 CA1A 8B89 F69C BA57  D98A 76A5 EF90 5444 9A5C
"

then i ran 'gpg --list-sigs 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C' which returned this to the termial:

"pub   ed25519 2022-10-31 [SC] [expires: 2037-10-27]
      3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
uid           [ unknown] Pierre Schmitz <pierre@archlinux.org>
sig 3        76A5EF9054449A5C 2022-10-31  [self-signature]
uid           [ unknown] Pierre Schmitz <pierre@archlinux.de>
sig 3        76A5EF9054449A5C 2022-10-31  [self-signature]
sub   ed25519 2022-10-31 [A] [expires: 2037-10-27]
sig          76A5EF9054449A5C 2022-10-31  [self-signature]
sub   cv25519 2022-10-31 [E] [expires: 2037-10-27]
sig          76A5EF9054449A5C 2022-10-31  [self-signature]
"

this page https://archlinux.org/master-keys/ says that his key should be signed by at least three master keys, and indicates that his is signed by all five master keys, yet the output from 'gpg --list-sigs' command indicates that it is not signed by any of the master keys. i suppose that there is a good explanation for this, i just do not know what it is. i am interested to find out though. thank you!

Offline

#2 2024-12-20 01:29:04

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,488
Website

Re: Pierre's key does not appear to be signed by anyof the master keys

You have no downloaded any of the signatures.  Try adding "--keyserver-options no-self-sigs-only" to your gpg command.

PGP Key: F99FFE0FEAE999BD | I develop pacman - buy me a drink!

Online

#3 2024-12-20 02:36:46

stanksy
Member
Registered: 2024-12-20
Posts: 3

Re: Pierre's key does not appear to be signed by anyof the master keys

Allan wrote:

You have no downloaded any of the signatures.  Try adding "--keyserver-options no-self-sigs-only" to your gpg command.

thank you for the reply. i guess i must still be doing something wrong.

i ran:

'gpg --keyserver hkps://keys.openpgp.org --recv-keys --keyserver-options no-self-sigs-only 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C'

which returned:

'gpg: key 76A5EF9054449A5C: "Pierre Schmitz <pierre@archlinux.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1'

then when i ran 'gpg --list-sigs 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C' it returned the same output that i posted previously:

'pub   ed25519 2022-10-31 [SC] [expires: 2037-10-27]
      3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
uid           [ unknown] Pierre Schmitz <pierre@archlinux.org>
sig 3        76A5EF9054449A5C 2022-10-31  [self-signature]
uid           [ unknown] Pierre Schmitz <pierre@archlinux.de>
sig 3        76A5EF9054449A5C 2022-10-31  [self-signature]
sub   ed25519 2022-10-31 [A] [expires: 2037-10-27]
sig          76A5EF9054449A5C 2022-10-31  [self-signature]
sub   cv25519 2022-10-31 [E] [expires: 2037-10-27]
sig          76A5EF9054449A5C 2022-10-31  [self-signature]'

i then tried 'gpg --refresh-keys 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C' but still got the same output.

any additional advice is greatly appreciated. thanks!

Offline

#4 2024-12-20 03:23:18

Scimmia
Fellow
Registered: 2012-09-01
Posts: 12,323

Re: Pierre's key does not appear to be signed by anyof the master keys

There is no problem here. The signature was verified, the only thing you're doing wrong is assuming there's a problem.

Offline

#5 2024-12-20 05:01:05

stanksy
Member
Registered: 2024-12-20
Posts: 3

Re: Pierre's key does not appear to be signed by anyof the master keys

Scimmia wrote:

There is no problem here. The signature was verified, the only thing you're doing wrong is assuming there's a problem.

are you implying that i am misinterpreting what it says on this page? https://archlinux.org/master-keys/

i suppose that could be the case, but it is worded pretty explicitly:

"All official Arch Linux developers and package maintainers should have their key signed by at least three master keys if they are responsible for packaging software in the repositories. This is in accordance with the PGP web of trust concept."

unless i am doing something wrong at the command-line, his key is not signed by any of the master keys. even though that same page i referenced above says that it is signed by all five. what is the point of doing all of this validating and verifying with gpg if they aren't even following their own web of trust model? like i said, if i am doing something wrong at the command line, please enlighten me. otherwise it just seems like a false sense of security.

Offline

#6 2024-12-20 08:48:32

Head_on_a_Stick
Member
From: The Wirral
Registered: 2014-02-20
Posts: 8,738
Website

Re: Pierre's key does not appear to be signed by anyof the master keys

Sign Pierre's key with your own to incorporate it into your web of trust and eliminate the warning.

Para todos todo, para nosotros nada

Offline

#7 2024-12-20 10:37:09

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 13,245

Re: Pierre's key does not appear to be signed by anyof the master keys

The master keys are needed for verifying packages, you are trying to verify the installation iso .

Re-read https://wiki.archlinux.org/title/Instal … _signature , especially the colored textbox.

Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky

Offline

#8 2024-12-20 11:52:14

Scimmia
Fellow
Registered: 2012-09-01
Posts: 12,323

Re: Pierre's key does not appear to be signed by anyof the master keys

stanksy wrote:

what is the point of doing all of this validating and verifying with gpg if they aren't even following their own web of trust model?

Have you met the master key holders and signed their keys? No? Then there is no web of trust here; all you're doing is verifying a signature, nothing more.

The web of trust is used by pacman to verify packages with a completely separate keyring. gpg stopped pulling signatures from keyservers years ago when people started poisoning keys with mass sigs. Some keyservers even dropped external sigs altogether, including the one you're using.

Offline

Pages: 1

Board footer

Powered by FluxBB