Bug #2103

[linux-libre] cannot build due to missing gpg key

Added by GNUtoo 3 months ago. Updated 13 days ago.

Status: invalid
Priority: bug
Category: -
Assignee: -
% Done: 0%


Description

Hi,

I was trying to improve the linux-libre PKGBUILD by trying to fix the bug #2103, however I cannot build it:

$ sudo libremakepkg -n parabola-armv7h
[...]
 |  ==> Verifying source file signatures with gpg...
 |      linux-libre-4.19-gnu.tar.xz ... FAILED (unknown public key BCB7CF877E7D47A7)
 |      patch-4.19-gnu-4.19.2-gnu.xz ... FAILED (unknown public key BCB7CF877E7D47A7)
 |      logo_linux_clut224.ppm ... FAILED (unknown public key 227CA7C556B2BA78)
 |      logo_linux_mono.pbm ... FAILED (unknown public key 227CA7C556B2BA78)
 |      logo_linux_vga16.ppm ... FAILED (unknown public key 227CA7C556B2BA78)
 |      rcn-libre-4.19.2-armv7-x5.patch ... FAILED (unknown public key 227CA7C556B2BA78)
 |  ==> ERROR: One or more PGP signatures could not be verified!
 |  ==> ERROR: Could not download sources.

History

#1 Updated by GNUtoo 3 months ago

  • Description updated (diff)

#2 Updated by ovruni 3 months ago

  • Status changed from open to invalid

gpg --recv-keys 227CA7C556B2BA78

#3 Updated by GNUtoo 3 months ago

  • Status changed from invalid to info needed

I don't understand why running

gpg --recv-keys 227CA7C556B2BA78
would fix the issue.

I'm using libremakepkg so I would instead need to do:

$ sudo librechroot -n parabola-armv7h enter
# pacman-key --recv-keys 227CA7C556B2BA78

But this is not what I should be supposed to do: this should work automatically either after:
  • $ sudo librechroot -n parabola-armv7h update

    and/or:
  • $ sudo librechroot -A armv7h -n parabola-armv7h create

Maybe some of the keyrings need to be updated for armv7h (and maybe also for i686)?

#4 Updated by GNUtoo 3 months ago

  • Status changed from info needed to open

#5 Updated by ovruni 3 months ago

Did you try the command that I wrote above?

#6 Updated by ovruni 3 months ago

  • Project changed from Packages to libretools

#7 Updated by GNUtoo 3 months ago

I didn't before because it didn't make sense to me at the time.

Here's the result:

[parabola@apu1 ~]$ gpg --recv-keys 227CA7C556B2BA78
gpg: key 227CA7C556B2BA78: 2 duplicate signatures removed
gpg: key 227CA7C556B2BA78: 28 signatures not checked due to missing keys
gpg: key 227CA7C556B2BA78: 2 signatures reordered
gpg: key 227CA7C556B2BA78: public key "David P. (Main email address) <megver83@megver83.ga>" imported
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2020-10-31
gpg: Total number processed: 1
gpg:               imported: 1

Then I retried and it failed again:
$ sudo libremakepkg -n parabola-armv7h
 |  ==> Verifying source file signatures with gpg...
 |      linux-libre-4.18-gnu.tar.xz ... FAILED (unknown public key BCB7CF877E7D47A7)
 |      patch-4.18-gnu-4.18.11-gnu.xz ... FAILED (unknown public key BCB7CF877E7D47A7)

I then tried to do it in the chroot:

$ sudo librechroot -n parabola-armv7h enter
[root@parabola /]# gpg --recv-keys 227CA7C556B2BA78

but it wouldn't change anything.
 |  ==> Verifying source file signatures with gpg...
 |      linux-libre-4.18-gnu.tar.xz ... FAILED (unknown public key BCB7CF877E7D47A7)
 |      patch-4.18-gnu-4.18.11-gnu.xz ... FAILED (unknown public key BCB7CF877E7D47A7)

What keyring does makepkg use?

It wouldn't make sense if it had to use the build user keyring:
  • It would be up to the user to maintain the keyring for building packages. It's way better if the keyring is maintained collectively by developers.
  • It would collide with the user's personal keyring

However it would make sense if it used a temporary keyring for building packages as the key hashes are in the packages.
This is maybe what it's supposed to do and maybe it fails for me for some reasons.
This might be the reason why you asked me to run that command and that it didn't make sense to me at first.

Denis.

#8 Updated by ovruni 3 months ago

gpg --recv-keys BCB7CF877E7D47A7

#9 Updated by GNUtoo 3 months ago

Sorry, somehow I missed that there were multiple keys and signatures.
It now works after adding both keys outside of the librechroot:

 |  ==> Verifying source file signatures with gpg...
 |      linux-libre-4.19-gnu.tar.xz ... Passed
 |      patch-4.19-gnu-4.19.2-gnu.xz ... Passed

I'm still unsure how this is supposed to be handled. I'll ask around if there is some documentation or convention on what the user building packages is expected to do, and how libremakepkg is supposed to deal with gpg keys storage and retrieval.

Thanks a lot for your help.

Denis.

#10 Updated by Megver83 13 days ago

  • Status changed from open to invalid

GNUtoo wrote:

> Sorry, somehow I missed that there were multiple keys and signatures.
> It now works after adding both keys outside of the librechroot:
> [...]
>
> I'm still unsure how this is supposed to be handled. I'll ask around if there is some documentation or convention on what the user building packages is expected to do, and how libremakepkg is supposed to deal with gpg keys storage and retrieval.
>
> Thanks a lot for your help.
>
> Denis.

libremakepkg reads the keys from the running user's keyring. Not pacman-keyring (that is for pkgs), since this is for source files.

This is a typical error among newbies, I wouldn't report an issue regarding source signatures unless the files have wrong signs. You can always check with gpg --verify $file
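
The thread stalled because the log named two different signing keys and only one was imported at first. The following is an added example, not part of the original report or of libretools: it lists every distinct key ID a failed build log reports as unknown and, optionally, which of them the invoking user's GnuPG keyring still lacks. The function names are hypothetical and the sample log is constructed from the lines quoted in the report.

```shell
#!/bin/sh
# Added example (not libretools code); function names are hypothetical.

# missing_key_ids: read makepkg/libremakepkg output on stdin and print each
# distinct key ID found in "FAILED (unknown public key <ID>)" messages.
# grep -o copes with several messages on one line.
missing_key_ids() {
    grep -oE 'unknown public key [0-9A-Fa-f]+' | awk '{print $NF}' | LC_ALL=C sort -u
}

# keys_not_in_keyring: read key IDs on stdin and print those that are absent
# from the keyring of the user running this script (the keyring the last
# comment says is used for source signatures, as opposed to pacman-key's).
keys_not_in_keyring() {
    while read -r id; do
        gpg --batch --list-keys "$id" >/dev/null 2>&1 || printf '%s\n' "$id"
    done
}

# Constructed sample: the failing lines from the build log in the report.
sample_log() {
cat <<'EOF'
 |  ==> Verifying source file signatures with gpg...
 |      linux-libre-4.19-gnu.tar.xz ... FAILED (unknown public key BCB7CF877E7D47A7)
 |      patch-4.19-gnu-4.19.2-gnu.xz ... FAILED (unknown public key BCB7CF877E7D47A7)
 |      logo_linux_clut224.ppm ... FAILED (unknown public key 227CA7C556B2BA78)
 |      rcn-libre-4.19.2-armv7-x5.patch ... FAILED (unknown public key 227CA7C556B2BA78)
 |  ==> ERROR: One or more PGP signatures could not be verified!
EOF
}

# Six failure lines in the report, but only two keys to deal with.
# Against a saved log:  missing_key_ids < build.log | keys_not_in_keyring
sample_log | missing_key_ids
```

The log shows only 64-bit key IDs; after importing a key, compare its full fingerprint (`gpg --fingerprint`) with the `validpgpkeys` entry in the PKGBUILD, assuming the PKGBUILD lists one, before relying on it.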
