Project

General

Profile

Bug #2405

[multiple-packages]: signature from "Luke R. <g4jc@openmailbox.org>" is unknown trust

HEX0 - over 4 years ago - . Updated about 4 years ago.

Status:
in progress
Priority:
broken
Assignee:
-
% Done:

0%


Description

Unable to install packages signed with
Key has expired long time ago

$ sudo pacman-key --refresh-keys g4jc@openmailbox.org && sudo pacman -S --noconfirm winetricks-libre
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: key C3F4FFCF3EAE8697: 2 duplicate signatures removed
gpg: key C3F4FFCF3EAE8697: 5 signatures not checked due to missing keys
gpg: key C3F4FFCF3EAE8697: 2 signatures reordered
gpg: key C3F4FFCF3EAE8697: "Luke R. <g4jc@openmailbox.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
resolving dependencies...
looking for conflicting packages...

Package (4)             New Version  Net Change  Download Size

community/cabextract    1.9.1-1        0.09 MiB               
extra/libxaw            1.0.13-2       1.71 MiB               
extra/xorg-xmessage     1.0.5-1        0.07 MiB               
libre/winetricks-libre  1.1-1          0.22 MiB       0.05 MiB

Total Download Size:   0.05 MiB
Total Installed Size:  2.09 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
downloading winetricks-libre-1.1-1-any.pkg.tar.xz...
checking keyring...
checking package integrity...
error: winetricks-libre: signature from "Luke R. <g4jc@openmailbox.org>" is unknown trust
:: File /var/cache/pacman/pkg/winetricks-libre-1.1-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] error: failed to commit transaction (invalid or corrupted package (PGP signature))

Errors occurred, no packages were upgraded.


Related issues

Related to Packages - Privacy Issue #2627: [networkmanager-hardened-configs][tor-hardened-preferences] Fake signatures?fixed

Actions

History

#1

Updated by freemor over 4 years ago

Did a quick grep of abslibre, other affected packaged would be:

  • pcr/xteddy - Done
  • pcr/uftp - Done
  • pcr/cmix - Done
  • pcr/arss - Done
  • pcr/vassal - Java based, should be an ANY package, doesn't work properly with current OpenJDK, requires modules from third party site, probably should be removed
  • pcr/ttf-montserrat - Done
  • pcr/tcpcrypt - Done
  • pcr/kommute - QT4 app looks like the source has not been kept up. Possible candidate for removal.
  • pcr/obmenu-generator - Done
  • pcr/gtkhtml4 - Done
  • pcr/braincurses - Done
  • pcr/nevow - Done
  • pcr/check-pacman-mtree - Done
  • pcr/ledger-git
  • pcr/ncdc - Done
  • pcr/rsbep - Done
  • pcr/xdesktopwaves - Done
  • pcr/geomorph - Done
  • pcr/wordwarvi - Done
  • pcr/zeronet-git - Already on my key from when I brought it more current
  • pcr/zpaq - Done
  • pcr/minimodem - Done
  • pcr/penguin-command - Done
  • pcr/yencode - Done
  • pcr/pgl
    - Peer Guardain for Linux, No longer good for what it claims, last update in 2015 (probably because of previous point), Depends QT4, would need serious patching. Good candidate for removal
  • pcr/kurso-de-esperanto
    - in progress (issue #2392)
  • pcr/gforth - Done
  • pcr/castle-combat - Done
  • pcr/tahoe-lafs - Requires python2-argparse which is no longer available in the Repo. Not buildable without packaging python2-argparse. Possible candidate for removal.
  • pcr/xdgmenumaker -Done
  • pcr/bumprace - Done
  • pcr/biblesync - Done
  • pcr/xwinwrap - Done
  • pcr/base91
  • libre/xtensa-elf-binutils
  • libre/icecat-no-resource-uri-leak
  • libre/winetricks-libre - Done
  • pcr-testing/kurso-de-esperanto
  • nonprism/tor-hardened-preferences
  • nonprism/iceweasel-hardened-preferences
  • nonprism/icedove-hardened-preferences
  • nonprism/networkmanager-hardened-configs
  • libre-multilib-testing/gcc-multilib
  • libre-multilib-testing/lib32-glibc
  • unmaintained/parabola-backgrounds
    - i think this is superseded by the 'parabola-artwork' package
  • pcr/antimicro
  • pcr/imule
  • pcr/tong
  • pcr/vislcg3
  • pcr/yacy
  • pcr/zpaq - Duplicate
#2

Updated by bill-auger over 4 years ago

  • Priority changed from bug to broken
  • Status changed from unconfirmed to confirmed

the problem is that g4jc's key has expired; so any packages that he signed will not verify - anyone who wants to install one of them would need to either build the package with makepkg using the PKGBUILD, or download the package and install it without verification

i wrote to the mailing list about this last week; but he has not responded yet - if he does not respond soon, we should probably change the topic of the BR to "rebuild g4jc packages", and collect a list of all of his packages so that we can re-package them

a few months ago i sent email to the email address he has in hackers.git and he hasnt replied, so probably he is not reading the mailing list either - i need to rebuild the keyring sometime this week anyways because i just renewed my key, so we will handle this somehow soon

#3

Updated by freemor over 4 years ago

  • % Done changed from 0 to 10
  • Status changed from confirmed to in progress

k, got a couple done will continue tomorrow.. busy now

#4

Updated by freemor over 4 years ago

  • % Done changed from 10 to 20
#5

Updated by freemor over 4 years ago

  • % Done changed from 20 to 30
#6

Updated by bill-auger over 4 years ago

  • Subject changed from winetricks-libre: signature from "Luke R. <g4jc@openmailbox.org>" is unknown trust to [multiple-packages]: signature from "Luke R. <g4jc@openmailbox.org>" is unknown trust

i just cross-referenced the list against this week's repo-lint report and it turned up a few more - i added them to the list above

#7

Updated by freemor over 4 years ago

  • % Done changed from 30 to 40

Good catch bill-auger.

Knocked off several more. Hopefully the addition of Updates, debug builds (now automatic) and adding ARM builds to some will lower the linter count as this process goes on.

Time for Lunch

#8

Updated by freemor over 4 years ago

  • % Done changed from 40 to 70

Couple more but that's it for me for today.

#9

Updated by oaken-source over 4 years ago

you know, the last time this happened, I wrote a script that would simply re-sign all the affected packages with the autobuilders key ;)

#10

Updated by freemor over 4 years ago

That definitely would have been quicker. But in this case I think the slow and
steady approach is better a LOT of these needed some TLC. Being brought up to
day, ARM builds added, Rebuilding them will create any missing debug builds,
updateing depends so they'll even build now, Etc.

Happily almost zero of these are critical programs so I don't think there is a
huge need to just resign them all..

#11

Updated by freemor over 4 years ago

Also they are mostly quite small to build quickly one the TLC is done. It's a
nice change of pace from Blender/Ice* type builds.

#12

Updated by bill-auger over 4 years ago

also, in this particular case, probably all of these packages
were over-due for an upgrade

#13

Updated by freemor about 4 years ago

yacy done and struck off

#14

Updated by freemor about 4 years ago

  • Related to Privacy Issue #2627: [networkmanager-hardened-configs][tor-hardened-preferences] Fake signatures? added

Also available in: Atom PDF