Bug #3584

armv7h packages fail to install - signing key is "unknown trust"

GNUtoo - 2 months ago. Updated about 2 months ago.

Status:
forwarded upstream
Priority:
bug
Assignee:
-
% Done:
0%


Description

In https://repo.parabola.nu/sources/parabola/ there is no archlinuxarm-keyring-20140119.tar.gz, though there are other packages in libre like hyperbola-keyring.

Unfortunately that source file is not upstream anymore either and Arch Linux ARM doesn't seem to have upgraded its keyring.

So I don't know what to do here.

History

#1

Updated by bill-auger 2 months ago

what are you trying to do? - you want to rebuild the keyring?

if you are having trouble installing packages, every archarm user has that
problem now - rebuilding the keyring probably won't help

<Danct12> greets all, looks like the key used for signing packages is rejected by default in newer versions of gnupg
<Xogium> we're aware of this for a few weeks now unfortunately, but it hasn't been fixed
<Xogium> the keyring package is literally 10 years old
<bill-auger> is there a bug report about that? - does anyone know the cause of the problem or the fix ?
<Xogium> bill-auger: I think that one of the maintainers went away, so now the trust asks for 3 signatures, but all packages get only two
<bill-auger> i suppose by "went away" you mean the key expired - in order for a key to literally go away, the keyring package would need to change
<Xogium> yes it probably expired
<Xogium> now all the packages have only two people signing them
<Xogium> and the keyring/trust still asks for 3

there is a discussion on the forum - it may be possible to rollback gnupg, or
set the current version to 'allow-weak-key-signatures' - both fixes are
explained on the forum
https://archlinuxarm.org/forum/viewtopic.php?f=15&t=16701

#2

Updated by bill-auger 2 months ago

  • Status changed from unconfirmed to confirmed
  • Subject changed from "Source code of at least libre/archlinuxarm-keyring is missing in the mirrors" to "armv7h packages fail to install - signing key is "unknown trust""

#3

Updated by bill-auger about 2 months ago

  • Status changed from confirmed to forwarded upstream

#4

Updated by lukeshu about 2 months ago

IMO, what we should do is patch libre/pacman on ARM so that /usr/bin/pacman-key creates /etc/pacman.d/gnupg/gpg.conf with allow-weak-key-signatures.

#5

Updated by lukeshu about 2 months ago

Chiming in to confirm that running

mkdir -p -- /etc/pacman.d/gnupg
echo allow-weak-key-signatures >>/etc/pacman.d/gnupg/gpg.conf

before pacman-key --init works around the issue.
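The same workaround as an idempotent script, added here as an example (it is not part of this thread or of libre/pacman). The keyring directory is a parameter so the functions can be tried on a scratch directory; the name `ensure_weak_key_sigs` and the helper functions are assumed for illustration.

```shell
#!/bin/sh
# Added example: apply the gpg.conf workaround from comment #5 before
# `pacman-key --init` runs, without duplicating the line on a second run.
# `allow-weak-key-signatures` makes gnupg accept key signatures made with
# weak digest algorithms, which newer gnupg rejects by default.
set -eu

OPTION='allow-weak-key-signatures'

# Return 0 if gpg.conf in the given keyring dir already enables the option.
has_weak_key_sigs() {
    conf="$1/gpg.conf"
    [ -f "$conf" ] && grep -qx "$OPTION" "$conf"
}

# Create the keyring dir and append the option unless it is already there.
ensure_weak_key_sigs() {
    dir="$1"
    mkdir -p -- "$dir"
    if ! has_weak_key_sigs "$dir"; then
        printf '%s\n' "$OPTION" >>"$dir/gpg.conf"
    fi
}

# Number of times the option appears in gpg.conf (0 if the file is absent);
# used to confirm that repeated runs do not append duplicate lines.
option_count() {
    if [ -f "$1/gpg.conf" ]; then
        grep -cx "$OPTION" "$1/gpg.conf" || true
    else
        echo 0
    fi
}

# On a real system (as root), before the keyring is initialised:
#   ensure_weak_key_sigs /etc/pacman.d/gnupg
#   pacman-key --init && pacman-key --populate
```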

#6

Updated by bill-auger about 2 months ago

> before pacman-key --init works around the issue.

that means every user would need to run `pacman-key --init && pacman-key --populate`; so they may as well modify gpg.conf themselves at the same time - there must be a better way (a way which does not require user-intervention)

would the gpg.conf setting work if the keyring package is simply re-installed?

because a simpler solution (one which would not require user-intervention) would be to rollback 'gnupg' until archarm fixes their own bug

#7

Updated by lukeshu about 2 months ago

> every user would need to run pacman-key --init && pacman-key --populate

Isn't that already the case?

AFAIK, this only affects new installs; old keyrings are still valid. New installs have a keyring created by one of 3 ways:

  1. pacstrap copies it from the host (default, unless -G or -K)
  2. pacstrap -K runs pacman-key --init and then alpm hooks run pacman-key --populate when pacstrap installs the keyring packages
  3. pacstrap -G leaves the keyring uninitialized, and then the user (or, in the case of archiso, a boot-script) runs `pacman-key --init && pacman-key --populate`
