Bug #2103
[linux-libre] cannot build due to missing gpg key
0%
Description
Hi,
I was trying to improve the linux-libre PKGBUILD by trying to fix the bug #2103, however I cannot build it:
$ sudo libremakepkg -n parabola-armv7h [...] | ==> Verifying source file signatures with gpg... | linux-libre-4.19-gnu.tar.xz ... FAILED (unknown public key BCB7CF877E7D47A7) | patch-4.19-gnu-4.19.2-gnu.xz ... FAILED (unknown public key BCB7CF877E7D47A7) | logo_linux_clut224.ppm ... FAILED (unknown public key 227CA7C556B2BA78) | logo_linux_mono.pbm ... FAILED (unknown public key 227CA7C556B2BA78) | logo_linux_vga16.ppm ... FAILED (unknown public key 227CA7C556B2BA78) | rcn-libre-4.19.2-armv7-x5.patch ... FAILED (unknown public key 227CA7C556B2BA78) | ==> ERROR: One or more PGP signatures could not be verified! | ==> ERROR: Could not download sources.
History
Updated by ovruni over 5 years ago
- Status changed from open to not-a-bug
gpg --recv-keys 227CA7C556B2BA78
Updated by GNUtoo over 5 years ago
- Status changed from not-a-bug to info needed
I don't understand why running
gpg --recv-keys 227CA7C556B2BA78would fix the issue.
I'm using libremakepkg so I would instead need to do:
$ sudo librechroot -n parabola-armv7h enter # pacman-key --recv-keys 227CA7C556B2BA78But this is not what I should be supposed to do: this should work automatically either after:
$ sudo librechroot -n parabola-armv7h update
and/or:$ sudo librechroot -A armv7h -n parabola-armv7h create
Maybe some of the keyrings need to be updated for armv7 (and maybe also for i686)?h
Updated by GNUtoo over 5 years ago
I didn't before because it didn't made sense for me at the time.
Here's the result:
[parabola@apu1 ~]$ gpg --recv-keys 227CA7C556B2BA78 gpg: key 227CA7C556B2BA78: 2 duplicate signatures removed gpg: key 227CA7C556B2BA78: 28 signatures not checked due to missing keys gpg: key 227CA7C556B2BA78: 2 signatures reordered gpg: key 227CA7C556B2BA78: public key "David P. (Main email address) <megver83@megver83.ga>" imported gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2020-10-31 gpg: Total number processed: 1 gpg: imported: 1
Then I retried and it failed again:
$ sudo libremakepkg -n parabola-armv7h| ==> Verifying source file signatures with gpg... | linux-libre-4.18-gnu.tar.xz ... FAILED (unknown public key BCB7CF877E7D47A7) | patch-4.18-gnu-4.18.11-gnu.xz ... FAILED (unknown public key BCB7CF877E7D47A7)
I then tried to do it in the chroot:
$ sudo librechroot -n parabola-armv7h enter [root@parabola /]# gpg --recv-keys 227CA7C556B2BA78
but it wound't change anything.
| ==> Verifying source file signatures with gpg... | linux-libre-4.18-gnu.tar.xz ... FAILED (unknown public key BCB7CF877E7D47A7) | patch-4.18-gnu-4.18.11-gnu.xz ... FAILED (unknown public key BCB7CF877E7D47A7)
What keyring does makepkg uses?
It wound't make sense if it had to use the build user keyring:- It would be up to the user to maintain the keyring for building packages. It's way better if the keyring is maintained collectively by developers.
- It would collude with the user's personal keyring
However it would make sense if it used a temporary keyring for building packages as the keys hashes are in the packages.
This is maybe what it's supposed to do and maybe it fails for me for some reasons.
This might be the reason why you asked me to run that command and that It didn't make sense for me at first.
Denis.
Updated by GNUtoo over 5 years ago
Sorry, somehow I missed that there was multiple keys and signatures.
It now works after adding both keys outside of the librechroot:
| ==> Verifying source file signatures with gpg... | linux-libre-4.19-gnu.tar.xz ... Passed | patch-4.19-gnu-4.19.2-gnu.xz ... Passed
I'm still unsure how this is supposed to be handled. I'll ask around if there is some documentation or convention on what the user building packages is expected to do, and how libremakepkg is supposed to deal with gpg keys storage and retrieval.
Thanks a lot for your help.
Denis.
Updated by Megver83 over 5 years ago
- Status changed from open to not-a-bug
GNUtoo wrote:
Sorry, somehow I missed that there was multiple keys and signatures.
It now works after adding both keys outside of the librechroot:
[...]I'm still unsure how this is supposed to be handled. I'll ask around if there is some documentation or convention on what the user building packages is expected to do, and how libremakepkg is supposed to deal with gpg keys storage and retrieval.
Thanks a lot for your help.
Denis.
libremakepkg reads the keys from the running user's keyring. Not pacman-keyring (that is for pkgs), since this is for source files.
This is a typical error among newbies, I wouldn't report an issue regarding source signatures unless the files have wrong signs. You can always check with gpg --verify $file