Cannot verify signature of mkinitcpio-30-2.parabola2-any (and some other packages)

tyawp - over 2 years ago -

pacman-key cannot verify the signature of mkinitcpio (https://www.parabola.nu/packages/libre/x86_64/mkinitcpio/) because it is signed with an expired subkey of Bill Auger.

# pacman-key -v mkinitcpio-30-2.parabola2-any.pkg.tar.zst.sig 
==> Checking mkinitcpio-30-2.parabola2-any.pkg.tar.zst.sig... (detached)
gpg: Signature made Sat Nov  6 11:41:54 2021 KST
gpg:                using RSA key FBCC5AD7421197B7ABA72853908710913E8C7778
gpg: Good signature from "bill-auger <bill-auger@peers.community>" [full]
gpg:                 aka "bill-auger <mr.j.spam.me@gmail.com>" [full]
gpg:                 aka "bill-auger <bill-auger@programmer.net>" [full]
gpg:                 aka "[jpeg image of size 6017]" [full]
gpg: Note: This key has expired!
Primary key fingerprint: 3954 A7AB 837D 0EA9 CFA9  7989 25DB 7D9B 5A8D 4B40
     Subkey fingerprint: FBCC 5AD7 4211 97B7 ABA7  2853 9087 1091 3E8C 7778
==> ERROR: The signature identified by mkinitcpio-30-2.parabola2-any.pkg.tar.zst.sig could not be verified.

This issue is also related to the topic: https://labs.parabola.nu/boards/5/topics/1109

linux-libre-api-headers has a bad signature too.

# pacman-key -v linux-libre-api-headers-5.8.13_gnu-2-x86_64.pkg.tar.xz.sig 
==> Checking linux-libre-api-headers-5.8.13_gnu-2-x86_64.pkg.tar.xz.sig... (detached)
gpg: Signature made Tue Nov 17 13:44:58 2020 KST
gpg:                using RSA key 782F9DDBE36BA7F3D4DE49065F5DFCC14177E263
gpg: Good signature from "Denis 'GNUtoo' Carikli <GNUtoo@makefreedom.org>" [unknown]
gpg:                 aka "Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>" [unknown]
gpg:                 aka "Denis 'GNUtoo' Carikli <GNUtoo@no-log.org>" [unknown]
gpg:                 aka "Denis 'GNUtoo' Carikli <GNUtoo@riseup.net>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FB31 DBA3 AB8D B76A 4157  329F 7651 568F 8037 4459
     Subkey fingerprint: 782F 9DDB E36B A7F3 D4DE  4906 5F5D FCC1 4177 E263
==> ERROR: The signature identified by linux-libre-api-headers-5.8.13_gnu-2-x86_64.pkg.tar.xz.sig could not be verified.

mkinitcpio-30-2.parabola2-any is signed with 0x908710913E8C7778, which expired at 2020-12-31T21:08:21Z according to http://pgp.cyberbits.eu/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0x908710913E8C7778

linux-libre-api-headers-5.8.13_gnu-2-x86_64 is signed with 0x5F5DFCC14177E263, which expired at 2021-08-19T07:26:03Z according to http://pgp.cyberbits.eu/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0x5F5DFCC14177E263
and it isn't trusted by the GPG trustdb (probably because nobody in parabola-keyring has signed Carikli's key).

Please renew the keys on keyservers or sign packages with a key that isn't expired.
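
The two failures reported above have different causes (an expired signing subkey in one case, a key with no trust path in the other), and GnuPG's machine-readable status lines separate them more reliably than the human-readable text. The script below is an added example, not part of the original post and not pacman-key's own code; the function names and the sample status lines are constructed for illustration, using the subkey IDs quoted in the post.

```shell
#!/bin/sh
# Added example: classify GnuPG status lines, e.g. from
#   gpg --homedir /etc/pacman.d/gnupg --status-fd 1 --verify PKG.sig PKG
# Prints one line: "<verdict> <signing key id> [<trust level>]".

classify_sig_status() {
    awk '
        $1 != "[GNUPG:]"  { next }                        # ignore human-readable text
        $2 == "GOODSIG"   { sig = "good";        key = $3 }
        $2 == "EXPKEYSIG" { sig = "expired-key"; key = $3 }  # valid math, expired key
        $2 == "EXPSIG"    { sig = "expired-sig"; key = $3 }
        $2 == "REVKEYSIG" { sig = "revoked-key"; key = $3 }
        $2 == "BADSIG"    { sig = "bad";         key = $3 }
        $2 == "ERRSIG"    { sig = "unchecked";   key = $3 }  # e.g. public key missing
        $2 ~ /^TRUST_/    { trust = tolower(substr($2, 7)) }
        END {
            if (sig == "")     { print "no-signature"; exit }
            if (sig != "good") { print sig, key; exit }
            # A good signature is only acceptable with a full or ultimate trust path.
            if (trust == "fully" || trust == "ultimate") { print "ok", key }
            else { print "untrusted", key, (trust == "" ? "none" : trust) }
        }'
}

# Constructed sample: status lines matching the mkinitcpio case in the post.
sample_expired() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 908710913E8C7778 bill-auger <bill-auger@peers.community>
EOF
}

# Constructed sample: status lines matching the linux-libre-api-headers case.
sample_untrusted() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 5F5DFCC14177E263 Denis 'GNUtoo' Carikli <GNUtoo@makefreedom.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

echo "mkinitcpio:              $(sample_expired | classify_sig_status)"
echo "linux-libre-api-headers: $(sample_untrusted | classify_sig_status)"
```

An expired-key verdict needs the packager to extend the key or re-sign the package, while an untrusted verdict is resolved on the keyring side by certifying the key.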