Verifying GPG Signatures for makepkg

Arch Linux has two keyrings involved in package authentication. The first is pacman's own keyring, managed with pacman-key. It holds the keys of the official developers and trusted users, i.e. the people whose signatures on repository packages you trust, and nothing else should go into it.

The second is your own gpg keyring, which makepkg uses to verify signed sources of unofficial packages such as those from the AUR. Trust in those packagers' keys is something you establish yourself, explicitly.

For some reason my gpg setup was buggered, so when trying to build AUR packages I got the following error.

# makepkg
==> Making package: pkg_scripts 2014.12.31-1 (Sat Feb 14 12:08:35 EST 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found pkg_scripts-2014.12.31.tar.xz
  -> Found pkg_scripts-2014.12.31.tar.xz.sig
==> Validating source files with md5sums...
    pkg_scripts-2014.12.31.tar.xz ... Passed
    pkg_scripts-2014.12.31.tar.xz.sig ... Passed
==> Validating source files with sha512sums...
    pkg_scripts-2014.12.31.tar.xz ... Passed
    pkg_scripts-2014.12.31.tar.xz.sig ... Passed
==> Verifying source file signatures with gpg...
    pkg_scripts-2014.12.31.tar.xz ... FAILED (unknown public key 1D1F0DC78F173680)

There are a couple of useful ways around this, described by Xyne. I'll demonstrate both.

  1. manually check the .sig file with pacman-key and use makepkg's --skippgpcheck
pacman-key --verify pkg_scripts-2014.12.31.tar.xz.sig 
# ==> Checking pkg_scripts-2014.12.31.tar.xz.sig ...
# gpg: assuming signed data in 'pkg_scripts-2014.12.31.tar.xz'
# gpg: Signature made Wed 31 Dec 2014 10:17:38 AM EST using RSA key ID 8F173680
# gpg: Note: trustdb not writable
# gpg: Good signature from "Xyne. (key #3) <xyne@archlinux.ca>" [full]

makepkg --skippgpcheck

Note that --skippgpcheck turns off signature verification for every source in the build, so it is only reasonable once the manual pacman-key --verify above has reported a good signature from the key you expect.

  2. add the key to your own keyring

As I said, for some reason I had no .gnupg directory and gpg.conf.

gpg --recv-keys 1D1F0DC78F173680
# gpg: keyserver receive failed: No keyserver available

Further confirmation: the keyring was completely empty.

gpg --list-keys
# 

Running the utilities should actually initialize their settings.

rm -rd ~/.gnupg
gpg --recv-keys 1D1F0DC78F173680   
# gpg: directory '/home/joth/.gnupg' created
# gpg: new configuration file '/home/joth/.gnupg/gpg.conf' created
# gpg: WARNING: options in '/home/joth/.gnupg/gpg.conf' are not yet active during this run
# gpg: keybox '/home/joth/.gnupg/pubring.kbx' created
# gpg: keyserver receive failed: No keyserver available

dirmngr
# dirmngr[9601.0]: error opening '/home/jotham/.gnupg/dirmngr_ldapservers.conf': No such file or directory
# dirmngr[9601.0]: permanently loaded certificates: 0
# dirmngr[9601.0]:     runtime cached certificates: 0
# dirmngr[9601.0]: failed to open cache dir file '/home/jotham/.gnupg/dirmngr-cache.d/DIR.txt': No such file or directory
# dirmngr[9601.0]: creating directory '/home/jotham/.gnupg/dirmngr-cache.d'
# dirmngr[9601.0]: new cache dir file '/home/jotham/.gnupg/dirmngr-cache.d/DIR.txt' created
# # Home: ~/.gnupg
# # Config: [none]
# OK Dirmngr 2.1.2 at your service
^C

Some configs are set up now.

ls -l ~/.gnupg/
# crls.d
# dirmngr-cache.d
# gpg.conf
# pubring.kbx
# S.dirmngr

But I still couldn't obtain the key.

gpg --recv-keys 1D1F0DC78F173680
# gpg: keyserver receive failed: No keyserver available

Finally, I tried changing the keyserver to hkp://pgp.mit.edu instead of the default hkp://keys.gnupg.net.

cat ~/.gnupg/gpg.conf | grep keyserver
# # GnuPG can send and receive keys to and from a keyserver.  These
# # Example HKP keyservers:
# # Example LDAP keyservers:
# #      hkp://keyserver.example.net:22742
# # proxy, you can use keyserver option broken-http-proxy (see below),
# # regarding proxies (keyserver option honor-http-proxy)
# # Most users just set the name and type of their preferred keyserver.
# # ldap://keyserver.pgp.com) synchronize changes with each other.  Note
# # the "--keyserver-options debug".
# #keyserver hkp://keys.gnupg.net
# keyserver hkp://pgp.mit.edu
# #keyserver http://http-keys.gnupg.net
# #keyserver mailto:pgp-public-keys@keys.nl.pgp.net
# # Common options for keyserver functions:
# #                    on the keyserver (not all keyservers support this).
# #                      "revoked" on the keyserver.
# #                  keyserver.  Some platforms (Win32 for one) always
# # honor-http-proxy = if the keyserver uses HTTP, honor the http_proxy
# # auto-key-retrieve = automatically fetch keys as needed from the keyserver
# #                         when sending keys to the keyserver.
# #keyserver-options auto-key-retrieve
# keyserver-options debug

Now I can add the key to my gpg keyring.

gpg --recv-keys 1D1F0DC78F173680                        
# gpg: /home/jotham/.gnupg/trustdb.gpg: trustdb created
# gpg: key 8F173680: public key "Xyne. (key #3) <xyne@archlinux.ca>" imported
# gpg: no ultimately trusted keys found
# gpg: Total number processed: 1
# gpg:               imported: 1

And locally sign it, which tells gpg (and therefore makepkg) that I consider the key valid. Before doing this, compare the full fingerprint printed by gpg --fingerprint 1D1F0DC78F173680 with one the packager has published out of band: a 16-hex key ID is only a truncated fingerprint, and lsign is a statement that the key really belongs to the person named in it. (A PKGBUILD can instead pin the full fingerprint in its validpgpkeys array, in which case makepkg accepts a signature from that key without a local signature.)

gpg --lsign-key 1D1F0DC78F173680

And make the package from the AUR.

cd ~/builds/python3-aur/python3-aur
makepkg
# ...
# ==> Finished making: python3-aur 2014.12-1 (Sat Feb 14 13:52:14 EST 2015)
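As an added example (not code from the original post, nor from pacman or makepkg), here is a POSIX shell script that does what both lsign and validpgpkeys are shorthand for: it verifies a detached signature with gpg and accepts it only if the VALIDSIG status line carries a pinned full fingerprint, never a short key ID. The throwaway key, the fake "tarball" and the sample status lines are all constructed placeholders with no relation to any real key; the `%no-protection` key generation assumes GnuPG 2.1 or later, and nothing here touches ~/.gnupg.

```shell
#!/bin/sh
# Added example, not code from the original post, pacman or makepkg.
# Verifies a detached signature against a pinned full fingerprint, the
# check makepkg performs for keys listed in a PKGBUILD's validpgpkeys
# array. Assumes gpg 2.1+ (for %no-protection in batch key generation).
set -u

# Strip spaces and upper-case a fingerprint so pasted input compares cleanly.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read gpg --status-fd output on stdin; print the primary-key fingerprint
# from the first VALIDSIG line, or nothing if there was no valid signature.
# VALIDSIG fields: sig-fpr date ts exp ver rsv pk-algo hash-algo class primary-fpr
# Older gpg builds omit the trailing primary-fpr; fall back to $3 then.
fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# status_matches_fpr STATUS_TEXT EXPECTED_FPR
# Succeeds only if STATUS_TEXT carries a VALIDSIG whose fingerprint equals
# EXPECTED_FPR. 8- or 16-hex key IDs are never consulted: they are
# truncations of the fingerprint and can be made to collide.
status_matches_fpr() {
    got=$(printf '%s\n' "$1" | fpr_from_status)
    [ -n "$got" ] && [ "$got" = "$(norm_fpr "$2")" ]
}

# verify_pinned SIGFILE DATAFILE EXPECTED_FPR
# Runs gpg and applies status_matches_fpr. A good signature from the wrong
# key, an unknown key (NO_PUBKEY) or tampered data all fail here.
verify_pinned() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    status_matches_fpr "$status" "$3"
}

# Constructed sample of what gpg emits for a good signature; the
# fingerprint is a placeholder, not any real key.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Packager <packager@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2014-12-31 1420039058 0 4 0 1 10 00 $SAMPLE_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp"

# End-to-end run in a disposable keyring: generate a key, sign a constructed
# "tarball", then check the right fingerprint, a wrong one, and modified data.
# Returns 0 only if all three behave as expected.
demo_pinned_verify() {
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    GNUPGHOME=$tmp
    export GNUPGHOME
    cat > "$tmp/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Packager
Name-Email: packager@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --batch --gen-key "$tmp/params" 2>/dev/null || return 1
    fpr=$(gpg --batch --with-colons --fingerprint packager@example.invalid 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    printf 'constructed source tarball contents\n' > "$tmp/pkg.tar.xz"
    gpg --batch --detach-sign --output "$tmp/pkg.tar.xz.sig" "$tmp/pkg.tar.xz" 2>/dev/null || return 1

    rc=0
    verify_pinned "$tmp/pkg.tar.xz.sig" "$tmp/pkg.tar.xz" "$fpr" || rc=1          # must pass
    verify_pinned "$tmp/pkg.tar.xz.sig" "$tmp/pkg.tar.xz" "$SAMPLE_FPR" && rc=1   # wrong key: must fail
    printf 'x' >> "$tmp/pkg.tar.xz"
    verify_pinned "$tmp/pkg.tar.xz.sig" "$tmp/pkg.tar.xz" "$fpr" && rc=1          # tampered: must fail

    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$tmp"
    unset GNUPGHOME
    return $rc
}
```

In practice you would call verify_pinned on the downloaded .tar.xz.sig and .tar.xz with the fingerprint you confirmed out of band; the exit status alone from gpg --verify is not enough, because gpg reports success for any good signature regardless of whose key made it.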