Morganamilo / paru

Feature packed AUR helper
GNU General Public License v3.0

Paru does not attempt to import PGP keys, when more than one package is being installed #619

Closed dinckelman closed 1 year ago

dinckelman commented 2 years ago

Affected Version

paru -V
paru v1.9.2 - libalpm v13.0.1

Description

Have you checked previous issues? Yes, this does not appear to be reported yet. Paru does not attempt to import PGP keys when multiple AUR packages are being installed. Key check fails automatically, and the package installation is skipped.

Output

Include the FULL output of any relevant commands/configs paru. Full system upgrade, multiple packages available

==> Making package: spotify 1:1.1.72.439-3 (Sat 11 Dec 2021 02:27:08 PM CET)
==> Retrieving sources...
  -> Found spotify.protocol
  -> Found LICENSE
  -> Found spotify-1.1.72.439-x86_64.deb
  -> Downloading spotify-1.1.72.439-3-Release...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2447  100  2447    0     0  10930      0 --:--:-- --:--:-- --:--:-- 10924
  -> Downloading spotify-1.1.72.439-3-Release.sig...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   833  100   833    0     0   6716      0 --:--:-- --:--:-- --:--:--  6772
  -> Downloading spotify-1.1.72.439-3-x86_64-Packages...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1210  100  1210    0     0  12981      0 --:--:-- --:--:-- --:--:-- 13010
==> Validating source files with sha512sums...
    spotify.protocol ... Passed
    LICENSE ... Passed
    spotify-1.1.72.439-x86_64.deb ... Passed
    spotify-1.1.72.439-3-Release ... Skipped
    spotify-1.1.72.439-3-Release.sig ... Skipped
    spotify-1.1.72.439-3-x86_64-Packages ... Skipped
==> Verifying source file signatures with gpg...
    spotify-1.1.72.439-3-Release ... FAILED (unknown public key 5E3C45D7B312C643)
==> ERROR: One or more PGP signatures could not be verified!
error: failed to download sources for 'spotify-1:1.1.72.439-3': 

Same request, when only one package is available

:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
 multilib is up to date
:: Starting full system upgrade...
 there is nothing to do
:: Looking for AUR upgrades
:: Looking for devel upgrades
:: Resolving dependencies...
:: Calculating conflicts...
:: Calculating inner conflicts...

Aur (1) spotify-1:1.1.72.439-3

:: Proceed to review? [Y/n]: y

:: Downloading PKGBUILDs...
 PKGBUILDs up to date
 nothing new to review
:: keys need to be imported:)
     F9A211976ED662F00E59361E5E3C45D7B312C643 wanted by: spotify-1:1.1.72.439-3
:: import? [Y/n]: y
gpg: key 5E3C45D7B312C643: public key "Spotify Public Repository Signing Key <tux@spotify.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
fetching devel info...
==> Making package: spotify 1:1.1.72.439-3 (Sat 11 Dec 2021 02:27:57 PM CET)

Full uncropped output (other packages included) here: https://termbin.com/fdya

Paru config left unedited, in default location.

pacman.conf

#
# /etc/pacman.conf
#
# See the pacman.conf(5) manpage for option and repository directives

#
# GENERAL OPTIONS
#
[options]
# The following paths are commented out with their default values listed.
# If you wish to use different paths, uncomment and update the paths.
#RootDir     = /
#DBPath      = /var/lib/pacman/
#CacheDir    = /var/cache/pacman/pkg/
#LogFile     = /var/log/pacman.log
#GPGDir      = /etc/pacman.d/gnupg/
#HookDir     = /etc/pacman.d/hooks/
HoldPkg     = pacman glibc
#CleanMethod = KeepInstalled
Architecture = auto

# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
#IgnorePkg   =
#IgnoreGroup =

#NoUpgrade   =
#NoExtract   =

# Misc options
#UseSyslog
Color
#NoProgressBar
CheckSpace
VerbosePkgLists
ParallelDownloads = 10

# By default, pacman accepts packages signed by keys that its local keyring
# trusts (see pacman-key and its man page), as well as unsigned packages.
SigLevel    = Required DatabaseOptional
LocalFileSigLevel = Optional
#RemoteFileSigLevel = Required

# NOTE: You must run `pacman-key --init` before first using pacman; the local
# keyring can then be populated with the keys of all official Arch Linux
# packagers with `pacman-key --populate archlinux`.

#
# REPOSITORIES
#   - can be defined here or included from another file
#   - pacman will search repositories in the order defined here
#   - local/custom mirrors can be added here or in separate files
#   - repositories listed first will take precedence when packages
#     have identical names, regardless of version number
#   - URLs will have $repo replaced by the name of the current repo
#   - URLs will have $arch replaced by the name of the architecture
#
# Repository entries are of the format:
#       [repo-name]
#       Server = ServerName
#       Include = IncludePath
#
# The header [repo-name] is crucial - it must be present and
# uncommented to enable the repo.
#

# The testing repositories are disabled by default. To enable, uncomment the
# repo name header and Include lines. You can add preferred servers immediately
# after the header, and they will be used before the default mirrors.

[core]
Include = /etc/pacman.d/mirrorlist

[extra]
Include = /etc/pacman.d/mirrorlist

[community]
Include = /etc/pacman.d/mirrorlist

[multilib]
Include = /etc/pacman.d/mirrorlist

# An example of a custom package repository.  See the pacman manpage for
# tips on creating your own repositories.
#[custom]
#SigLevel = Optional TrustAll
#Server = file:///home/custompkgs

Morganamilo commented 2 years ago

That update of spotify changed the pgp key. Maybe paru was reading what key to use before pulling.
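The single-package run above shows the check that is missing in the multi-package run: paru reads the PKGBUILD's validpgpkeys array, compares it with the local keyring, and offers to import what is absent before makepkg ever calls gpg. The example below is added here and is not paru's code; it reproduces that pre-check in Python against a constructed PKGBUILD fragment carrying the Spotify fingerprint from the issue, and shows why gpg's "unknown public key 5E3C45D7B312C643" maps to that 40-hex fingerprint (the 16-hex long key ID is its suffix).

```python
import re
import subprocess

# Constructed PKGBUILD fragment (not the real spotify PKGBUILD); the
# fingerprint is the one paru reported as "wanted by: spotify" above.
SAMPLE_PKGBUILD = """
pkgname=spotify
pkgver=1.1.72.439
validpgpkeys=(
    'F9A211976ED662F00E59361E5E3C45D7B312C643'  # Spotify Public Repository Signing Key
)
source=("spotify-${pkgver}-x86_64.deb")
"""


def parse_validpgpkeys(pkgbuild_text):
    """Extract fingerprints from validpgpkeys=( ... ).
    Handles single- or multi-line arrays, quoting and trailing comments."""
    match = re.search(r"validpgpkeys=\((.*?)\)", pkgbuild_text, re.S)
    if not match:
        return []
    body = re.sub(r"#[^\n]*", "", match.group(1))  # drop bash comments
    return [tok.strip("'\"").upper() for tok in body.split()]


def missing_keys(wanted, keyring):
    """Return the wanted fingerprints with no matching keyring entry.
    Keyring entries may be full 40-hex fingerprints or the 16-hex long
    key IDs gpg prints in 'unknown public key ...'; the long ID is the
    fingerprint's last 16 hex digits, so presence is matched on that
    suffix. This is only a presence check: signature verification itself
    is still done by makepkg/gpg."""
    have = {k.upper()[-16:] for k in keyring}
    return [fp for fp in wanted if fp[-16:] not in have]


def local_keyring_fingerprints():
    """Fingerprints in the user's real gpg keyring (empty if gpg is absent).
    Parses gpg's machine-readable colon output; field 10 of 'fpr' rows."""
    try:
        out = subprocess.run(["gpg", "--with-colons", "--fingerprint"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    return [line.split(":")[9] for line in out.splitlines() if line.startswith("fpr:")]


if __name__ == "__main__":
    wanted = parse_validpgpkeys(SAMPLE_PKGBUILD)
    for fp in missing_keys(wanted, local_keyring_fingerprints()):
        print(f"key {fp} not in keyring; makepkg will fail signature verification")
```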