Bug #3131

libre/mkinitcpio: source code missing in abslibre + signature failing due to expired key

GNUtoo - 6 days ago - . Updated 6 days ago.

% Done:




While upgrading my system I have:

error: mkinitcpio: signature from "bill-auger <>" is unknown trust
:: File /var/cache/pacman/pkg/mkinitcpio-30-2.parabola2-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).

This is because the gpg key is expired:

# gpg --recv-keys FBCC5AD7421197B7ABA72853908710913E8C7778
gpg: key 25DB7D9B5A8D4B40: public key "bill-auger <>" imported
gpg: Total number processed: 1
gpg:               imported: 1
# gpg --verify /var/cache/pacman/pkg/mkinitcpio-30-2.parabola2-any.pkg.tar.zst.sig 
gpg: assuming signed data in '/var/cache/pacman/pkg/mkinitcpio-30-2.parabola2-any.pkg.tar.zst'
gpg: Signature made sam. 06 nov. 2021 03:41:54 CET
gpg:                using RSA key FBCC5AD7421197B7ABA72853908710913E8C7778
gpg: Good signature from "bill-auger <>" [expired]
gpg:                 aka "bill-auger <>" [expired]
gpg:                 aka "bill-auger <>" [expired]
gpg:                 aka "[jpeg image of size 6017]" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 3954 A7AB 837D 0EA9 CFA9  7989 25DB 7D9B 5A8D 4B40
     Subkey fingerprint: FBCC 5AD7 4211 97B7 ABA7  2853 9087 1091 3E8C 7778

And here I don't see how to fix the underlying issue because it's very common to have the same gpg key for mails and software releases, potentially with conflicting best security practices.

For instance having a key that expires from time to time enable people cope with keys that are lost way more easily for instance, but for longer term software releases that can be an issue as the key need to always be updated in time and in some cases this is not an easy thing to do.

So the only fix here is for bill auger to send an updated key to the build servers.

A workaround here would be to make sure that any Parabola developer could build and sign a new version of that package to make sure that it can be fixed if we need to.

Unfortunately there is again here an issue in the underlying software architecture, but this looks easier to fix.

The librerelease script doesn't publish PKGBUILDs and the patches automatically ( #3130 ), and the release process makes it easy to forget to keep abslibre in sync with the packages we release.

So the workaround here is either to remake that package from the package source and/or the #3121 bug or to have bill-auger publish the corresponding git commit.



Updated by GNUtoo 6 days ago

Also available in: Atom PDF