libre/mkinitcpio: source code missing in abslibre + signature failing due to expired key
While upgrading my system I have:
error: mkinitcpio: signature from "bill-auger <firstname.lastname@example.org>" is unknown trust :: File /var/cache/pacman/pkg/mkinitcpio-30-2.parabola2-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
This is because the gpg key is expired:
# gpg --recv-keys FBCC5AD7421197B7ABA72853908710913E8C7778
gpg: key 25DB7D9B5A8D4B40: public key "bill-auger <email@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
# gpg --verify /var/cache/pacman/pkg/mkinitcpio-30-2.parabola2-any.pkg.tar.zst.sig
gpg: assuming signed data in '/var/cache/pacman/pkg/mkinitcpio-30-2.parabola2-any.pkg.tar.zst'
gpg: Signature made sam. 06 nov. 2021 03:41:54 CET
gpg:                using RSA key FBCC5AD7421197B7ABA72853908710913E8C7778
gpg: Good signature from "bill-auger <firstname.lastname@example.org>" [expired]
gpg:                 aka "bill-auger <email@example.com>" [expired]
gpg:                 aka "bill-auger <firstname.lastname@example.org>" [expired]
gpg:                 aka "[jpeg image of size 6017]" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 3954 A7AB 837D 0EA9 CFA9  7989 25DB 7D9B 5A8D 4B40
     Subkey fingerprint: FBCC 5AD7 4211 97B7 ABA7  2853 9087 1091 3E8C 7778
And here I don't see how to fix the underlying issue because it's very common to have the same gpg key for mails and software releases, potentially with conflicting best security practices.
For instance, having a key that expires from time to time enables people to cope with lost keys way more easily, but for longer-term software releases that can be an issue, as the key needs to always be updated in time and in some cases this is not an easy thing to do.
So the only fix here is for bill auger to send an updated key to the build servers.
A workaround here would be to make sure that any Parabola developer could build and sign a new version of that package to make sure that it can be fixed if we need to.
Unfortunately there is again here an issue in the underlying software architecture, but this looks easier to fix.
The librerelease script doesn't publish PKGBUILDs and the patches automatically ( #3130 ), and the release process makes it easy to forget to keep abslibre in sync with the packages we release.
So the workaround here is either to remake that package from the package source and/or the #3121 bug or to have bill-auger publish the corresponding git commit.
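As an added example (not part of the report, and not Parabola's or pacman's own tooling): a small parser for `gpg --with-colons` key listings that flags signing keys whose expiry has passed, so the cause of a "signature is unknown trust" failure like the one above can be spotted in the pacman keyring before or after an upgrade. The sample listing is constructed (timestamps invented, fingerprints taken from the report).

```python
"""Flag expired signing keys in a `gpg --with-colons --list-keys` listing."""
import time
from typing import Dict, List, Optional

# Constructed sample of `gpg --homedir /etc/pacman.d/gnupg --list-keys --with-colons`
# output; field layout follows GnuPG's doc/DETAILS. Timestamps are invented,
# the fingerprints are the ones quoted in the report above.
SAMPLE_LISTING = """\
tru::1:1636000000:0:3:1:5
pub:e:4096:1:25DB7D9B5A8D4B40:1541000000:1635000000::-:::scESC::::::23::0:
fpr:::::::::3954A7AB837D0EA9CFA9798925DB7D9B5A8D4B40:
uid:e::::1541000000::0123456789ABCDEF0123456789ABCDEF01234567::bill-auger <email@example.com>::::::::::0:
sub:e:4096:1:908710913E8C7778:1541000000:1635000000:::::s::::::23:
fpr:::::::::FBCC5AD7421197B7ABA72853908710913E8C7778:
"""


def parse_keys(listing: str) -> List[Dict[str, object]]:
    """Return one dict per pub/sub record, with its fingerprint attached."""
    keys: List[Dict[str, object]] = []
    for line in listing.splitlines():
        fields = line.split(":")
        rectype = fields[0]
        if rectype in ("pub", "sub"):
            keys.append({
                "type": rectype,
                "validity": fields[1],       # 'e' = expired, 'r' = revoked, 'f' = full ...
                "keyid": fields[4],
                "expires": int(fields[6]) if fields[6] else None,  # empty = never expires
                "capabilities": fields[11],  # lowercase 's' = this key can sign
                "fpr": None,
            })
        elif rectype == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = fields[9]      # fpr record for the preceding pub/sub
    return keys


def expired_signing_keys(listing: str, now: Optional[int] = None) -> List[Dict[str, object]]:
    """Primary keys and subkeys with signing capability whose expiry is in the past."""
    now = int(time.time()) if now is None else now
    return [k for k in parse_keys(listing)
            if "s" in str(k["capabilities"])
            and k["expires"] is not None and int(str(k["expires"])) <= now]


if __name__ == "__main__":
    for k in expired_signing_keys(SAMPLE_LISTING):
        print(f"{k['type']} {k['keyid']} ({k['fpr']}) expired at {k['expires']}")
```

Feeding it live output (`gpg --homedir /etc/pacman.d/gnupg --list-keys --with-colons`) lists exactly the keys pacman will refuse signatures from; re-running `pacman-key --refresh-keys` or importing the renewed key is the fix on the client side.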
Updated by GNUtoo over 1 year ago
I'm too tired, I made a mistake and used the wrong directory. The PKGBUILD is there:
=> We can fix it.
Updated by bill-auger over 1 year ago
- Status changed from unconfirmed to not-a-bug
the recent keyring issues have been resolved; so not-a-bug ?