Housekeeping #2925

signature from bill-auger is unknown trust

laust - 23 days ago. Updated 3 days ago.

Status: fixed
Priority: bug
Assignee: -
% Done: 0%


Description

I'm trying to install on an x86_64 laptop, but keep bumping into the same issue. Signature is unknown trust for bill-auger.

The usual operations of clearing the cache, initializing, populating, and refreshing the keyring don't work.

At this step (pacstrap base libelogind), the concerned packages are:
  • filesystem
  • linux-libre-api-headers
  • libp11-kit
  • p11-kit
  • util-linux-libs
  • pacman-mirrorlist
  • util-linux
  • licences

Since bill-auger's key has recently expired, I suppose it's not an issue with my system.


Files

2925-chat-log.txt (5.16 KB) - Chat log about Parabola keyring with bill-auger (davisr, 2020-11-15 06:28 PM)

Related issues

Related to Packages - Bug #2931: [parabola-hackers]: keys are "unknown trust" after expiry/renewal (in progress)

History

#1

Updated by antalepo 22 days ago

Can confirm, it hasn't worked for two days for me. Are there any quick/temporary workarounds?

#2

Updated by bill-auger 22 days ago

there is a known recurring bug in the keyring builder;
which recurred yesterday

there will be temporary interruption in the normal pacman
service today

#3

Updated by bill-auger 22 days ago

  • Status changed from open to in progress
  • Subject changed from Signature issues during installation to signature from bill-auger is unknown trust

#4

Updated by antalepo 21 days ago

The issue is resolved for me now, thanks :)

#5

Updated by bill-auger 20 days ago

antalepo -

for the benefit of curious others, could you explain how the
issue is resolved for you now?

#6

Updated by antalepo 20 days ago

Right, sorry. I tried installing the affected packages again in the same way, and the signature checks passed. I assumed you fixed something on the server side. Nevertheless, the issue is back again today.

While the issue was present I was still able to install the affected packages by changing the following settings in the live ISO's /etc/pacman.conf:
[options]
SigLevel = Never
LocalFileSigLevel = Never

... which disables the signature checks. This is obviously a huge security risk, and it might've been foolish of me, but whatever. I didn't think the mirrors would serve malicious packages, and I was right (like I said above, they later passed the checks). I do not have these settings on my installed system.

To be clear, the issue was temporarily resolved from around the time of my last post to at least a while later. This was not related to me changing my config.

#7

Updated by infinite_recursion 19 days ago

Facing this issue in installing packages for ARMv7.

#8

Updated by antalepo 16 days ago

bill-auger wrote:

there is a known recurring bug in the keyring builder;
which recurred yesterday

there will be temporary interruption in the normal pacman
service today

This doesn't seem to have solved it. Do we know what the bug is, and if so, how do we fix it? Can I help?

#9

Updated by Mampir 15 days ago

I've noticed the same problems on 2 machines since 10 days ago. The problem still remains. One thing not mentioned yet is that 'pacman --refresh-keys' doesn't work:

sudo pacman-key --refresh-keys 
gpg: refreshing 152 keys from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: General error
==> ERROR: A specified local key could not be updated from a keyserver.

Not sure if the problems are related. Specifying a key server with '--keyserver hkp://pool.sks-keyservers.net' seems to refresh some keys, but after that the 'Signature from bill-auger is unknown trust' problem remains.

Is there a workaround that doesn't involve disabling the package signature checks?

#10

Updated by davisr 14 days ago

I posted this in IRC on #parabola last night, but I want to repeat it here because it allowed me to successfully update my packages. Skip to the bottom for steps for resolution.

I was trying to do an update, and I received the message,

error: pacman-mirrorlist: signature from "bill-auger <" is unknown trust.

==> ERROR: The signature identified by pacman-mirrorlist-20201002-1.parabola1-any.pkg.tar.xz.sig could not be verified.

I also was unable to refresh the keys with pacman-key --refresh-keys. Thinking it was the keyserver's fault, I tried pacman-key --refresh-keys --keyserver hkp://keyserver.ubuntu.com and it did not refresh bill-auger's key.

I looked in the Parabola wiki, and found this page which suggested to reset the Parabola keyring (https://wiki.parabola.nu/Parabola_Keyring). I reset the keyring, but it did not affect the problem.

In order to figure out what failed exactly, I downloaded the "broken" package (.tar.xz) plus its PGP signature (.sig) from http://repo.parabola.nu/libre/os/armv7h/ (my platform is armv7h). I did a pacman-key --list-keys bill-auger@peers.community and the key looked fine, except that it was expiring soon (only five days into the future).

pub   rsa2048 2016-11-30 [SCEA] [expires: 2020-11-19]
      3954A7AB837D0EA9CFA9798925DB7D9B5A8D4B40
uid           [  full  ] bill-auger <bill-auger@peers.community>
uid           [  full  ] bill-auger <mr.j.spam.me@gmail.com>
uid           [  full  ] bill-auger <bill-auger@programmer.net>
uid           [  full  ] [jpeg image of size 6017]
sub   rsa2048 2016-11-30 [SEA] [expires: 2020-11-19]

I then did a pacman-key --verify pacman-mirrorlist-20201002-1.parabola1-any.pkg.tar.xz.sig to check the sig of my broken package, and it told me the signing key was expired.

==> Checking pacman-mirrorlist-20201002-1.parabola1-any.pkg.tar.xz.sig... (detached)
gpg: Signature made Fri 02 Oct 2020 10:19:04 AM UTC
gpg:                using RSA key FBCC5AD7421197B7ABA72853908710913E8C7778
gpg: Good signature from "bill-auger <bill-auger@peers.community>" [full]
gpg:                 aka "bill-auger <mr.j.spam.me@gmail.com>" [full]
gpg:                 aka "bill-auger <bill-auger@programmer.net>" [full]
gpg:                 aka "[jpeg image of size 6017]" [full]
gpg: Note: This key has expired!
Primary key fingerprint: 3954 A7AB 837D 0EA9 CFA9  7989 25DB 7D9B 5A8D 4B40
     Subkey fingerprint: FBCC 5AD7 4211 97B7 ABA7  2853 9087 1091 3E8C 7778
==> ERROR: The signature identified by pacman-mirrorlist-20201002-1.parabola1-any.pkg.tar.xz.sig could not be verified.

The package was signed using the subkey 3E8C7778, which expired four days ago (2020-11-10). http://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0xFBCC5AD7421197B7ABA72853908710913E8C7778

So, assuming the verification failed due to this expired key, I disabled network access (but one could just stop timedatectl, too--my communication was via serial port) then reset my date to November 1, 2020 with date --set="2020-11-01 00:00". This allowed verification to continue.

Resolution

So, in order to resolve this verification failure, I took the following steps to update my packages:

  1. Try to upgrade and fail
  2. Reset the date to 2020-11-01
  3. Continue upgrade with packages from cache
  4. Set date back to "now"

Additional Notes

bill-auger states that this ticket is just a symptom of a different issue with the keyring. This is explained further in the IRC chatlog, which is attached. Resetting the date works around verification, but him re-signing that key is not a final solution.

it's an old known problem with the keyring package

#11

Updated by bill-auger 14 days ago

ignoring the signatures is not the best work-around though; and it can not be recommended

davisr found a clever work-around, which verifies all signatures properly, though - that is to set the system clock to a date before the expiry (2020-11-06) before installing the troublesome packages

one could o/c download each package and verify the signatures manually, without making any changes to the host system

it's an old known problem with the keyring package

yes, it could have had a dedicated bug report many months ago - there have been multiple BRs like this one; because of the same root cause - i just opened a new ticket for it #2931
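
Added example (not part of the thread, and not Parabola's or pacman's code): a triage helper for the manual verification mentioned above. It reads gpg's machine-readable status lines, as produced by `gpg --status-fd 1 --verify <sig> <pkg>`, and separates "good signature from a key that has since expired" from a bad signature or an unexpected signer. The sample status text is constructed from the fingerprints and dates quoted in comment #10; the verdict names are this example's own.

```python
import re
from datetime import datetime, timezone

# Fingerprints and dates as quoted in davisr's comment (#10).
SUBKEY_FPR = "FBCC5AD7421197B7ABA72853908710913E8C7778"
PRIMARY_FPR = "3954A7AB837D0EA9CFA9798925DB7D9B5A8D4B40"
SIG_MADE = datetime(2020, 10, 2, 10, 19, 4, tzinfo=timezone.utc)
SUBKEY_EXPIRY = datetime(2020, 11, 10, tzinfo=timezone.utc)

def _ts(value):
    """gpg status timestamps: epoch seconds, or ISO 8601 basic format."""
    if "T" in value:
        parsed = datetime.strptime(value, "%Y%m%dT%H%M%S")
        return parsed.replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(value), tz=timezone.utc)

def classify(status_text, expected_primary_fpr, key_expiry):
    """Return (verdict, reason) for one detached-signature check."""
    seen = {}
    for line in status_text.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+)\s*(.*)", line)
        if m:
            seen.setdefault(m.group(1), m.group(2).split())
    if "BADSIG" in seen:
        return "reject", "signature does not match the file"
    valid = seen.get("VALIDSIG")
    if not valid or len(valid) < 3:
        return "reject", "no usable VALIDSIG line (missing key or error)"
    # Field 10 is the primary key fingerprint; older gpg omits it.
    primary = valid[9] if len(valid) > 9 else valid[0]
    if primary != expected_primary_fpr:
        return "reject", "signed by an unexpected key"
    if "GOODSIG" in seen:
        return "accept", "good signature, key currently valid"
    if "EXPKEYSIG" in seen and _ts(valid[2]) < key_expiry:
        return "expired-key", "good signature made before the key expired"
    return "reject", "expired, revoked or post-expiry signature"

def sample_status(kind="EXPKEYSIG", signed_at=SIG_MADE):
    """Constructed status output modelled on gpg's documented line format."""
    return "\n".join([
        "[GNUPG:] NEWSIG",
        f"[GNUPG:] {kind} {SUBKEY_FPR[-16:]} bill-auger",
        f"[GNUPG:] VALIDSIG {SUBKEY_FPR} {signed_at:%Y-%m-%d} "
        f"{int(signed_at.timestamp())} 0 4 0 1 8 00 {PRIMARY_FPR}",
    ])

if __name__ == "__main__":
    print(classify(sample_status(), PRIMARY_FPR, SUBKEY_EXPIRY))
```

The signature timestamp is written by the signer, so an "expired-key" verdict is evidence for triage rather than proof of when the package was signed. To check against pacman's own keyring, gpg can be pointed at it with `--homedir /etc/pacman.d/gnupg`.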

#12

Updated by bill-auger 14 days ago

  • Related to Bug #2931: [parabola-hackers]: keys are "unknown trust" after expiry/renewal added

#13

Updated by bill-auger 9 days ago

  • Related to deleted (Bug #2931: [parabola-hackers]: keys are "unknown trust" after expiry/renewal)

#14

Updated by bill-auger 9 days ago

  • Parent task set to #2931

#15

Updated by bill-auger 9 days ago

  • Parent task deleted (#2931)

#16

Updated by bill-auger 9 days ago

  • Related to Bug #2931: [parabola-hackers]: keys are "unknown trust" after expiry/renewal added

#17

Updated by bill-auger 3 days ago

  • Status changed from in progress to fixed
