[multiple-packages]: signature from "Luke R. <firstname.lastname@example.org>" is unknown trust
Unable to install packages signed with email@example.com
Key has expired long time ago
$ sudo pacman-key --refresh-keys firstname.lastname@example.org && sudo pacman -S --noconfirm winetricks-libre gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net gpg: key C3F4FFCF3EAE8697: 2 duplicate signatures removed gpg: key C3F4FFCF3EAE8697: 5 signatures not checked due to missing keys gpg: key C3F4FFCF3EAE8697: 2 signatures reordered gpg: key C3F4FFCF3EAE8697: "Luke R. <email@example.com>" not changed gpg: Total number processed: 1 gpg: unchanged: 1 resolving dependencies... looking for conflicting packages... Package (4) New Version Net Change Download Size community/cabextract 1.9.1-1 0.09 MiB extra/libxaw 1.0.13-2 1.71 MiB extra/xorg-xmessage 1.0.5-1 0.07 MiB libre/winetricks-libre 1.1-1 0.22 MiB 0.05 MiB Total Download Size: 0.05 MiB Total Installed Size: 2.09 MiB :: Proceed with installation? [Y/n] :: Retrieving packages... downloading winetricks-libre-1.1-1-any.pkg.tar.xz... checking keyring... checking package integrity... error: winetricks-libre: signature from "Luke R. <firstname.lastname@example.org>" is unknown trust :: File /var/cache/pacman/pkg/winetricks-libre-1.1-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)). Do you want to delete it? [Y/n] error: failed to commit transaction (invalid or corrupted package (PGP signature)) Errors occurred, no packages were upgraded.
Did a quick grep of abslibre, other affected packaged would be:
pcr/xteddy- Done pcr/uftp- Done pcr/cmix- Done pcr/arss- Done
- pcr/vassal - Java based, should be an ANY package, doesn't work properly with current OpenJDK, requires modules from third party site, probably should be removed
pcr/ttf-montserrat- Done pcr/tcpcrypt- Done
- pcr/kommute - QT4 app looks like the source has not been kept up. Possible candidate for removal.
pcr/obmenu-generator- Done pcr/gtkhtml4- Done pcr/braincurses- Done pcr/nevow- Done pcr/check-pacman-mtree- Done
pcr/ncdc- Done pcr/rsbep- Done pcr/xdesktopwaves- Done pcr/geomorph- Done pcr/wordwarvi- Done pcr/zeronet-git- Already on my key from when I brought it more current pcr/zpaq- Done pcr/minimodem- Done pcr/penguin-command- Done pcr/yencode- Done
- Peer Guardain for Linux, No longer good for what it claims, last update in 2015 (probably because of previous point), Depends QT4, would need serious patching. Good candidate for removal
- in progress (issue #2392)
pcr/gforth- Done pcr/castle-combat- Done
- pcr/tahoe-lafs - Requires python2-argparse which is no longer available in the Repo. Not buildable without packaging python2-argparse. Possible candidate for removal.
pcr/xdgmenumaker-Done pcr/bumprace- Done pcr/biblesync- Done pcr/xwinwrap- Done
- i think this is superseded by the 'parabola-artwork' package
Updated by bill-auger 4 months ago
- Priority changed from bug to broken
- Status changed from unconfirmed to confirmed
the problem is that g4jc's key has expired; so any packages that he signed will not verify - anyone who wants to install one of them would need to either build the package with makepkg using the PKGBUILD, or download the package and install it without verification
i wrote to the mailing list about this last week; but he has not responded yet - if he does not respond soon, we should probably change the topic of the BR to "rebuild g4jc packages", and collect a list of all of his packages so that we can re-package them
a few months ago i sent email to the email address he has in hackers.git and he hasnt replied, so probably he is not reading the mailing list either - i need to rebuild the keyring sometime this week anyways because i just renewed my key, so we will handle this somehow soon
Updated by bill-auger 4 months ago
- Subject changed from winetricks-libre: signature from "Luke R. <email@example.com>" is unknown trust to [multiple-packages]: signature from "Luke R. <firstname.lastname@example.org>" is unknown trust
i just cross-referenced the list against this week's repo-lint report and it turned up a few more - i added them to the list above
That definitely would have been quicker. But in this case I think the slow and
steady approach is better a LOT of these needed some TLC. Being brought up to
day, ARM builds added, Rebuilding them will create any missing debug builds,
updateing depends so they'll even build now, Etc.
Happily almost zero of these are critical programs so I don't think there is a
huge need to just resign them all..