alerque / aur

Package sources for all the AUR packages I either maintain, co-maintain, or fork.
https://wiki.archlinux.org/index.php/Unofficial_user_repositories#alerque

bad signature on python-type-python-dateutil #82

Closed skwerlman closed 4 months ago

skwerlman commented 4 months ago
a5% yay -S python-types-python-dateutil
Sync Explicit (1): python-types-python-dateutil-2.8.19.13-1
warning: python-types-python-dateutil-2.8.19.13-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Package (1)                           Old Version  New Version  Net Change  Download Size

alerque/python-types-python-dateutil  2.8.19.13-1  2.8.19.13-1    0.00 MiB       0.01 MiB

Total Download Size:   0.01 MiB
Total Installed Size:  0.02 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 python-types-python-dateutil-2.8.19.13-1-any
 python-types-python-dateutil-2.8.19.13-1-any                                                                                                    8.8 KiB  17.6 KiB/s 00:01 [##########################################################################################################] 100%
(1/1) checking keys in keyring                                                                                                                                             [##########################################################################################################] 100%
(1/1) checking package integrity                                                                                                                                           [##########################################################################################################] 100%
error: python-types-python-dateutil: signature from "Caleb Maclennan <alerque@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/python-types-python-dateutil-2.8.19.13-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.
 -> error installing repo packages

The signature file:

 a5% gpg --list-packets </var/cache/pacman/pkg/python-types-python-dateutil-2.8.19.13-1-any.pkg.tar.zst.sig
# off=0 ctb=89 tag=2 hlen=3 plen=586
:signature packet: algo 1, keyid A85E811EB4CA2E08
    version 4, created 1688042009, md5len 0, sigclass 0x00
    digest algo 8, begin of digest a5 49
    hashed subpkt 33 len 21 (issuer fpr v4 B0D65295476606B71F0C6F82A85E811EB4CA2E08)
    hashed subpkt 2 len 4 (sig created 2023-06-29)
    hashed subpkt 28 len 21 (signer's user ID)
    subpkt 16 len 8 (issuer key ID A85E811EB4CA2E08)
    data: [4095 bits]

this key (A85E811EB4CA2E08) is different from the one in the README (63CC496475267693)

a5% gpg --list-keys A85E811EB4CA2E08
pub   ed25519 2021-07-12 [SC] [expires: 2024-08-11]
      CCB34EBBB9541EF3F7B366C1D4A753468A5A5B67
uid           [ unknown] Caleb Maclennan <alerque@archlinux.org>
sub   rsa4096 2021-07-12 [S] [expires: 2024-08-11]
sub   cv25519 2021-07-12 [E] [expires: 2024-08-11]

a5% gpg --list-keys 63CC496475267693
pub   rsa4096 2014-07-31 [SC] [expires: 2025-02-18]
      9F377DDB6D3153A48EB3EB1E63CC496475267693
uid           [ unknown] Caleb Maclennan <caleb@alerque.com>
sub   rsa4096 2021-07-12 [E] [expires: 2025-02-18]
sub   rsa4096 2021-07-12 [S] [expires: 2025-02-18]
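A small check for the question raised in this comment (which key made the signature, as opposed to whether the signature verifies). This is an added example, not code from the repo or from either participant; it parses the `gpg --list-packets` dump quoted above and assumes the two key IDs named in this thread are the expected signers.

```python
import re

# Constructed sample: the `gpg --list-packets` dump quoted earlier in this issue.
SAMPLE_PACKETS = """\
# off=0 ctb=89 tag=2 hlen=3 plen=586
:signature packet: algo 1, keyid A85E811EB4CA2E08
    version 4, created 1688042009, md5len 0, sigclass 0x00
    digest algo 8, begin of digest a5 49
    hashed subpkt 33 len 21 (issuer fpr v4 B0D65295476606B71F0C6F82A85E811EB4CA2E08)
    hashed subpkt 2 len 4 (sig created 2023-06-29)
    hashed subpkt 28 len 21 (signer's user ID)
    subpkt 16 len 8 (issuer key ID A85E811EB4CA2E08)
    data: [4095 bits]
"""

# Assumed expected signers, taken from this thread: the personal key listed in the
# README and the signing subkey of the Arch packager key.
EXPECTED_SIGNERS = {"63CC496475267693", "A85E811EB4CA2E08"}


def parse_signature_packet(dump):
    """Extract the fields of the first signature packet in a --list-packets dump."""
    m = re.search(r":signature packet: algo (\d+), keyid ([0-9A-F]{16})", dump)
    if not m:
        raise ValueError("no signature packet found")
    info = {"algo": int(m.group(1)), "keyid": m.group(2),
            "issuer_fpr": None, "created": None, "sigclass": None}
    m = re.search(r"created (\d+), .*sigclass (0x[0-9a-f]+)", dump)
    if m:
        info["created"] = int(m.group(1))
        info["sigclass"] = m.group(2)
    m = re.search(r"issuer fpr v4 ([0-9A-F]{40})", dump)
    if m:
        info["issuer_fpr"] = m.group(1)
    return info


def check_signer(info, expected=EXPECTED_SIGNERS):
    """Return a list of findings; an empty list means the signer is one we expect.

    This only identifies *which* key made the signature. It does not verify the
    signature; pacman's "signature ... is invalid" comes from that separate step.
    """
    findings = []
    if info["sigclass"] != "0x00":
        findings.append(f"unexpected sigclass {info['sigclass']} for a file signature")
    fpr = info["issuer_fpr"]
    if fpr and not fpr.endswith(info["keyid"]):
        findings.append("issuer fingerprint does not match keyid: packet is inconsistent")
    if info["keyid"] not in expected:
        findings.append(f"signed by unexpected key {info['keyid']}")
    return findings
```

Run against the dump above, the signer is the Arch subkey, so a README that lists only the personal key would flag it as unexpected even though the signature itself may be perfectly good.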

alerque commented 4 months ago

This is not a bad signature, it is a good (better, even) signature.

The one listed in the README is my personal key that I initially started using when I started hosting my own repo. That was before I became an Arch TU / Package Maintainer. I now have an official Arch Linux package signing key that is attested in the system keyring (archlinux-keyring package). There are still packages in this repo signed with my personal key, but I've been signing all new builds and the repository database with my Arch key, so that for many/most packages you don't even have to manually import and set trust for my personal key.

You will also notice both keys are cross-signed, meaning they attest each other with ultimate trust, meaning they are both in my direct control.

Eventually, when nothing is left with just my personal key on it, I'll just remove that info and people won't have to worry about adding it.

If your archlinux-keyring is up to date you shouldn't be getting that error message. If you're still getting it after updating your system keyring then please do let me know about it here.

skwerlman commented 4 months ago

I am getting the error with archlinux-keyring 20240429-1, which is the most recent keyring as far as I am aware.

Regarding cross-signing: I do see a signature on 63CC496475267693 from D4A753468A5A5B67 (the primary key which has A85E811EB4CA2E08 as a subkey), but I don't see a corresponding signature from 63CC496475267693 on D4A753468A5A5B67.

alerque commented 4 months ago

I think you need to at least re-fetch both keys from some key server. Both are available multiple places. You can see on Ubuntu's keyserver that the cross-sig you don't see locally is in fact there. Also I have over 600 packages in [extra] that are signed by the [D4A753468A5A5B67] key so I don't understand why you are having a problem with it here. Maybe your download of the signature file itself actually is corrupted. Or somehow you've unlinked the system keyring from how your yay is verifying packages, so it isn't accessing the system keyring at all?

skwerlman commented 4 months ago

I had pacman-key fetch the key, which it did correctly, and it now shows the cross-signature, so that was indeed a bit out of date.

a5% sudo pacman-key -r D4A753468A5A5B67
gpg: key D4A753468A5A5B67: 1 duplicate signature removed
gpg: key D4A753468A5A5B67: "Caleb Maclennan <alerque@archlinux.org>" 1 new signature
gpg: key D4A753468A5A5B67: "Caleb Maclennan <alerque@archlinux.org>" 1 signature cleaned
gpg: public key DB323392796CA067 is 3037 days newer than the signature
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   8  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   8  signed:  99  trust: 2-, 0q, 0n, 5m, 1f, 0u
gpg: depth: 2  valid:  75  signed:  31  trust: 75-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2024-06-29
gpg: Total number processed: 1
gpg:         new signatures: 1
gpg:     signatures cleaned: 1

a5% gpg --list-sigs D4A753468A5A5B67                                  
pub   ed25519 2021-07-12 [SC] [expires: 2024-08-11]
      CCB34EBBB9541EF3F7B366C1D4A753468A5A5B67
uid           [ unknown] Caleb Maclennan <alerque@archlinux.org>
sig 3        D4A753468A5A5B67 2023-02-18  [self-signature]
sig          3348882F6AC6A4C2 2021-08-01  Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig          4DC95B6D7BE9892E 2021-07-24  David Runge (Arch Linux Master Key) <dvzrv@master-key.archlinux.org>
sig 3        63CC496475267693 2021-07-27  Caleb Maclennan <caleb@alerque.com>
sig          6BA0F5A2037F4F41 2023-02-23  Johannes Löthberg (Arch Linux Master Key) <demize@master-key.archlinux.org>
sig          A88E23E377514E00 2021-07-31  Florian Pritz (Arch Linux Master Key) <florian@master-key.archlinux.org>
sig          B1B73B02CC52A02A 2022-08-01  Jonas Witschel (Arch Linux Master Key) <diabonas@master-key.archlinux.org>
sub   rsa4096 2021-07-12 [S] [expires: 2024-08-11]
sig          D4A753468A5A5B67 2021-07-12  [self-signature]
sig          D4A753468A5A5B67 2023-02-18  [self-signature]
sub   cv25519 2021-07-12 [E] [expires: 2024-08-11]
sig          D4A753468A5A5B67 2021-07-12  [self-signature]
sig          D4A753468A5A5B67 2023-02-18  [self-signature]

However, the package still fails to validate, even using pacman directly and manually ensuring the sig file was deleted:

a5% sudo rm /var/cache/pacman/pkg/python-types-python-dateutil-2.*
a5% sudo pacman -S python-types-python-dateutil                   
warning: downgrading package python-types-python-dateutil (2.9.0.20240316-1 => 2.8.19.13-1)
resolving dependencies...
looking for conflicting packages...

Package (1)                           Old Version       New Version  Net Change  Download Size

alerque/python-types-python-dateutil  2.9.0.20240316-1  2.8.19.13-1    0.00 MiB       0.01 MiB

Total Download Size:   0.01 MiB
Total Installed Size:  0.02 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 python-types-python-dateutil-2.8.19.13-1-any                                                                                                    8.8 KiB  27.1 KiB/s 00:00 [##########################################################################################################] 100%
(1/1) checking keys in keyring                                                                                                                                             [##########################################################################################################] 100%
(1/1) checking package integrity                                                                                                                                           [##########################################################################################################] 100%
error: python-types-python-dateutil: signature from "Caleb Maclennan <alerque@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/python-types-python-dateutil-2.8.19.13-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

(it shows up as a downgrade here because the version on the AUR is a bit newer, and I've been building it manually in the meantime)

skwerlman commented 4 months ago

For comparison with your end, here are the sha224sums of the package and signature:

fd535b94cc25ecfb60e72782371056c6179503ebd33792d4b9917d60  /var/cache/pacman/pkg/python-types-python-dateutil-2.8.19.13-1-any.pkg.tar.zst
11767787a475593b8db3c998f5cb19d1afc1c61b5d5b3d8a6ecaf80a  /var/cache/pacman/pkg/python-types-python-dateutil-2.8.19.13-1-any.pkg.tar.zst.sig

alerque commented 4 months ago

I'm a bit confused, but it does seem like something got corrupted there. However, I just jinxed myself, because when you pointed out there was a new version I set that to rebuilding and it posted (replacing the package and signature) with a new one.

The new one looks good, can you confirm?

gpg --verify python-types-python-dateutil-2.9.0.20240316-1-any.pkg.tar.zst.sig
gpg: assuming signed data in 'python-types-python-dateutil-2.9.0.20240316-1-any.pkg.tar.zst'
gpg: Signature made Thu May  2 07:25:58 2024 CEST
gpg:                using RSA key B0D65295476606B71F0C6F82A85E811EB4CA2E08
gpg:                issuer "alerque@archlinux.org"
gpg: Good signature from "Caleb Maclennan <alerque@archlinux.org>" [ultimate]

skwerlman commented 4 months ago

Yup, it verifies and installs correctly. Thanks!

I don't know if you plan on trying to track down what went wrong or not, but if you need copies of the broken package/sig I do still have them lying around.

alerque commented 4 months ago

Thanks, but no, I don't feel like doing a post-mortem on what got corrupted there as long as we know the tooling is working properly now.