Bug #3584
armv7h packages fail to install - signing key is "unknown trust"
Description
In https://repo.parabola.nu/sources/parabola/ there is no archlinuxarm-keyring-20140119.tar.gz, though there are other packages in libre like hyperbola-keyring.
Unfortunately that source file is not upstream anymore either and Arch Linux ARM doesn't seem to have upgraded its keyring.
So I don't know what to do here.
History
Updated by bill-auger 2 months ago
what are you trying to do? - you want to rebuild the keyring?
if you are having trouble installing packages, every archarm user has that
problem now - rebuilding the keyring probably won't help
<Danct12> greets all, looks like the key used for signing packages are rejected by default in newer version of gnupg
<Xogium> we're aware of this for a few weeks now unfortunately, but it hasn't been fixed
<Xogium> the keyring package is literally 10 years old
<bill-auger> is there a bug report about that? - does anyone know the cause of the problem or the fix ?
<Xogium> bill-auger: I think that one of the maintainer went away, so now the trust asks for 3 signatures, but all packages get only two
<bill-auger> i suppose by "went away" you mean the key expired - in order for a key to literally go away, the keyring package would need to change
<Xogium> yes it probably expired
<Xogium> now all the packages have only two people signing them
<Xogium> and the keyring/trust still asks for 3
there is a discussion on the forum - it may be possible to rollback gnupg, or
set the current version to 'allow-weak-key-signatures' - both fixes are
explained on the forum
https://archlinuxarm.org/forum/viewtopic.php?f=15&t=16701
Updated by bill-auger 2 months ago
- Status changed from unconfirmed to confirmed
- Subject changed from Source code of at least libre/archlinuxarm-keyring is missing in the mirrors to armv7h packages fail to install - signing key is "unknown trust"
Updated by lukeshu about 2 months ago
IMO, what we should do is patch `libre/pacman` on ARM so that `/usr/bin/pacman-key` creates `/etc/pacman.d/gnupg/gpg.conf` with `allow-weak-key-signatures`.
Updated by lukeshu about 2 months ago
Chiming in to confirm that running

```
mkdir -p -- /etc/pacman.d/gnupg
echo allow-weak-key-signatures >>/etc/pacman.d/gnupg/gpg.conf
```

before `pacman-key --init` works around the issue.
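
An idempotent form of this workaround, for install scripts that may run more than once (an added example, not part of the original comment or of pacman; the function names and the `GPGDIR` and `APPLY` variables are assumptions made for illustration). It appends the option only when no active line already sets it, so repeated runs do not stack duplicate lines the way a bare `>>` does.

```shell
#!/bin/sh
# Added example: idempotent version of the gpg.conf workaround.
# GPGDIR (assumed name) defaults to pacman's GnuPG home; point it at a
# scratch directory to try the script without touching the system.
GPGDIR="${GPGDIR:-/etc/pacman.d/gnupg}"
OPTION="allow-weak-key-signatures"

# Succeeds if gpg.conf under directory $1 has option $2 as an active line.
# A commented-out "# option" line does not count.
has_gpg_option() {
    [ -f "$1/gpg.conf" ] &&
        grep -Eq "^[[:space:]]*$2[[:space:]]*\$" "$1/gpg.conf"
}

# Creates directory $1 if needed and appends option $2 to its gpg.conf
# only when it is missing. Prints "added" or "unchanged".
ensure_gpg_option() {
    mkdir -p -- "$1" || return 1
    if has_gpg_option "$1" "$2"; then
        echo "unchanged"
    else
        printf '%s\n' "$2" >>"$1/gpg.conf" || return 1
        echo "added"
    fi
}

# Nothing is modified unless APPLY=1 (assumed name) is set by the caller,
# e.g.  APPLY=1 sh this-script.sh  followed by  pacman-key --init
if [ "${APPLY:-0}" = 1 ]; then
    ensure_gpg_option "$GPGDIR" "$OPTION"
fi
```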
Updated by bill-auger about 2 months ago
> before `pacman-key --init` works around the issue.

that means every user would need to run `pacman-key --init && pacman-key --populate`; so they may as well modify gpg.conf themselves at the same time - there must be a better way (a way which does not require user-intervention)
would the gpg.conf setting work if the keyring package is simply re-installed?
because a simpler solution (one which would not require user-intervention) would be to rollback 'gnupg' until archarm fixes their own bug
Updated by lukeshu about 2 months ago
> every user would need to run `pacman-key --init && pacman-key --populate`

Isn't that already the case?
AFAIK, this only affects new installs; old keyrings are still valid. New installs have a keyring created by one of 3 ways:
- `pacstrap` copies it from the host (default, unless `-G` or `-K`)
- `pacstrap -K` runs `pacman-key --init` and then alpm hooks run `pacman-key --populate` when pacstrap installs the keyring packages
- `pacstrap -G` leaves the keyring uninitialized, and then the user (or, in the case of archiso, a boot-script) runs `pacman-key --init && pacman-key --populate`