Discussion:
AUR and missing/unidentifiable GPG keys
(too old to reply)
Jeanette C. via arch-general
2017-12-08 11:16:25 UTC
Permalink
Raw Message
Hey hey,
it has happened a couple of times now, that AUR packages' GPG keys can't be
verified using aurget. Here's one example from installing the Linux realtime
kernel:
aurget -Sy linux-rt-bfq
[copious output]
patch-4.14.3-rt5.patch ... FAILED (unknown public key 4FE5E3262872E4CC)
ERROR: One or more PGP signatures could not be verified!

aurget is up to date, as pulled from the Github repo.

I know this can be circumvented by editing the pkgbuild file and removing the
verification option, but that feels wrong. Is there a systematic way to update
the relevant keys?

As for other packages that did - or still do - suffer from this issue, there's
certainly wine.

Best wishes and TIA,

Jeanette

--------
* website: http://juliencoder.de - for summer is a state of sound
* SoundCloud: https://soundcloud.com/jeanette_c

Open my eyes,
I look deep inside,
I run away... <3
(Britney Spears)
Bennett Piater
2017-12-08 11:17:59 UTC
Permalink
Raw Message
Post by Jeanette C. via arch-general
I know this can be circumvented by editing the pkgbuild file and
removing the verification option, but that feels wrong. Is there a
systematic way to update the relevant keys?
You are supposed to manually download the keys, ideally from a trusted
source.

Another option would be to configure gpg to automatically download
missing keys from a key server.

Cheers,
Bennett
--
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
Jeanette C. via arch-general
2017-12-08 11:21:36 UTC
Permalink
Raw Message
Dec 8 2017, Bennett Piater has written:
...
Thanks Bennett.
Post by Bennett Piater
Another option would be to configure gpg to automatically download
missing keys from a key server.
...
Quick tip or link of a howto? It's been ages since I set anything up
with GPG and co.

Best wishes,

Jeanette

--------
* website: http://juliencoder.de - for summer is a state of sound
* SoundCloud: https://soundcloud.com/jeanette_c

Open my eyes,
I look deep inside,
I run away... <3
(Britney Spears)
Bennett Piater
2017-12-08 11:25:03 UTC
Permalink
Raw Message
Post by Jeanette C. via arch-general
Quick tip or link of a howto? It's been ages since I set anything up
with GPG and co.
cat ~/.gnupg/gpg.conf:

[...]

# auto-key-retrieve : automatically fetch keys as needed from the
keyserver when verifying signatures or when importing keys that have
been revoked by a revocation key that is not present on the keyring.

So, add
keyserver-options auto-key-retrieve

Cheers,
Bennett
--
GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808
Jeanette C. via arch-general
2017-12-08 11:38:27 UTC
Permalink
Raw Message
Dec 8 2017, Bennett Piater has written:
...
Post by Bennett Piater
So, add
keyserver-options auto-key-retrieve
...
Thank you very much! (and I just considered leaving the list the other
day... :) )

Best wishes,

Jeanette

--------
* website: http://juliencoder.de - for summer is a state of sound
* SoundCloud: https://soundcloud.com/jeanette_c

Open my eyes,
I look deep inside,
I run away... <3
(Britney Spears)

Loading...