Closed skwerlman closed 4 months ago
This is not a bad signature, it is a good (better, even) signature.
The one listed in the README is my personal key that I initially started using when I started hosting my own repo. That was before I became an Arch TU / Package Maintainer. I now have an official Arch Linux package signing key that is attested in the system keyring (archlinux-keyring package). There are still packages in this repo signed with my personal key, but I've been signing all new builds and the repository database with my Arch key, so that for many/most packages you don't even have to manually import and set trust for my personal key.
You will also notice both keys are cross-signed, meaning they attest each other with ultimate trust, meaning they are both in my direct control.
Eventually when nothing is left with just my personal key on it I'll just remove that info and people won't have to worry about adding it.
If your archlinux-keyring is up to date you shouldn't be getting that error message. If you're still getting it after updating your system keyring then please do let me know about it here.
I am getting the error with archlinux-keyring 20240429-1, which is the most recent keyring as far as I am aware.
Regarding cross-signing: I do see a signature on 63CC496475267693 from D4A753468A5A5B67 (the primary key which has A85E811EB4CA2E08 as a subkey), but I don't see a corresponding signature from 63CC496475267693 on D4A753468A5A5B67.
I think you need to at least re-fetch both keys from some key server. Both are available multiple places. You can see on Ubuntu's keyserver that the cross-sig you don't see locally is in fact there. Also I have over 600 packages in [extra] that are signed by the [D4A753468A5A5B67] key so I don't understand why you are having a problem with it here. Maybe your download of the signature file itself actually is corrupted. Or somehow you've unlinked the system keyring from how your yay is verifying packages, so it isn't accessing the system keyring at all?
I had pacman-key fetch the key, which it did correctly, and it now shows the cross-signature, so that was indeed a bit out of date.
```console
a5% sudo pacman-key -r D4A753468A5A5B67
gpg: key D4A753468A5A5B67: 1 duplicate signature removed
gpg: key D4A753468A5A5B67: "Caleb Maclennan <alerque@archlinux.org>" 1 new signature
gpg: key D4A753468A5A5B67: "Caleb Maclennan <alerque@archlinux.org>" 1 signature cleaned
gpg: public key DB323392796CA067 is 3037 days newer than the signature
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   8  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   8  signed:  99  trust: 2-, 0q, 0n, 5m, 1f, 0u
gpg: depth: 2  valid:  75  signed:  31  trust: 75-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2024-06-29
gpg: Total number processed: 1
gpg:         new signatures: 1
gpg:     signatures cleaned: 1
a5% gpg --list-sigs D4A753468A5A5B67
pub   ed25519 2021-07-12 [SC] [expires: 2024-08-11]
      CCB34EBBB9541EF3F7B366C1D4A753468A5A5B67
uid           [ unknown] Caleb Maclennan <alerque@archlinux.org>
sig 3        D4A753468A5A5B67 2023-02-18  [self-signature]
sig          3348882F6AC6A4C2 2021-08-01  Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig          4DC95B6D7BE9892E 2021-07-24  David Runge (Arch Linux Master Key) <dvzrv@master-key.archlinux.org>
sig 3        63CC496475267693 2021-07-27  Caleb Maclennan <caleb@alerque.com>
sig          6BA0F5A2037F4F41 2023-02-23  Johannes Löthberg (Arch Linux Master Key) <demize@master-key.archlinux.org>
sig          A88E23E377514E00 2021-07-31  Florian Pritz (Arch Linux Master Key) <florian@master-key.archlinux.org>
sig          B1B73B02CC52A02A 2022-08-01  Jonas Witschel (Arch Linux Master Key) <diabonas@master-key.archlinux.org>
sub   rsa4096 2021-07-12 [S] [expires: 2024-08-11]
sig          D4A753468A5A5B67 2021-07-12  [self-signature]
sig          D4A753468A5A5B67 2023-02-18  [self-signature]
sub   cv25519 2021-07-12 [E] [expires: 2024-08-11]
sig          D4A753468A5A5B67 2021-07-12  [self-signature]
sig          D4A753468A5A5B67 2023-02-18  [self-signature]
```
However, the package still fails to validate, even using pacman directly and manually ensuring the sig file was deleted:
```console
a5% sudo rm /var/cache/pacman/pkg/python-types-python-dateutil-2.*
a5% sudo pacman -S python-types-python-dateutil
warning: downgrading package python-types-python-dateutil (2.9.0.20240316-1 => 2.8.19.13-1)
resolving dependencies...
looking for conflicting packages...

Package (1)                              Old Version       New Version  Net Change  Download Size

alerque/python-types-python-dateutil     2.9.0.20240316-1  2.8.19.13-1    0.00 MiB       0.01 MiB

Total Download Size:   0.01 MiB
Total Installed Size:  0.02 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n]
:: Retrieving packages...
 python-types-python-dateutil-2.8.19.13-1-any     8.8 KiB  27.1 KiB/s 00:00 [##########################################################################################################] 100%
(1/1) checking keys in keyring                                               [##########################################################################################################] 100%
(1/1) checking package integrity                                             [##########################################################################################################] 100%
error: python-types-python-dateutil: signature from "Caleb Maclennan <alerque@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/python-types-python-dateutil-2.8.19.13-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.
```
(it shows up as a downgrade here because the version on the AUR is a bit newer, and I've been building it manually in the meantime)
For comparison with your end, here are the sha224sums of the package and signature:

```console
fd535b94cc25ecfb60e72782371056c6179503ebd33792d4b9917d60  /var/cache/pacman/pkg/python-types-python-dateutil-2.8.19.13-1-any.pkg.tar.zst
11767787a475593b8db3c998f5cb19d1afc1c61b5d5b3d8a6ecaf80a  /var/cache/pacman/pkg/python-types-python-dateutil-2.8.19.13-1-any.pkg.tar.zst.sig
```
I'm a bit confused, but it does seem like something got corrupted there. However, I just jinxed myself, because when you pointed out there was a new version I set that to rebuilding, and it posted (replacing the package and signature) with a new one.
The new one looks good, can you confirm?
```console
gpg --verify python-types-python-dateutil-2.9.0.20240316-1-any.pkg.tar.zst.sig
gpg: assuming signed data in 'python-types-python-dateutil-2.9.0.20240316-1-any.pkg.tar.zst'
gpg: Signature made Thu May  2 07:25:58 2024 CEST
gpg:                using RSA key B0D65295476606B71F0C6F82A85E811EB4CA2E08
gpg:                issuer "alerque@archlinux.org"
gpg: Good signature from "Caleb Maclennan <alerque@archlinux.org>" [ultimate]
```
Yup, it verifies and installs correctly. Thanks!
I don't know if you plan on trying to track down what went wrong or not, but if you need copies of the broken package/sig I do still have them lying around.
Thanks, but no I don't feel like doing a post-mortem on what got corrupted there as long as we know the tooling is working properly now.
the signature file: this key (A85E811EB4CA2E08) is different from the one in the README (63CC496475267693)
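The question running through this thread is which key actually made a given `.sig` file and whether that key is present in the keyring pacman consults, which is a separate step from whether the signature cryptographically verifies. The following is an added example, not code from alerque's repository or from pacman: a standard-library-only Python parser for the RFC 4880 v4 signature packet layout that extracts the issuer fingerprint, 64-bit key ID, algorithms and creation time, plus a check against a set of trusted fingerprints that mimics pacman's "checking keys in keyring" step. The sample packet is constructed inline with a dummy hash prefix and MPI; it reuses the RSA subkey fingerprint and timestamp shown in the `gpg --verify` output above so it parses like a real pacman signature, but it would never verify.

```python
"""Identify the issuer of a binary OpenPGP v4 signature (e.g. a pacman *.sig).

Hypothetical helper, not part of pacman or of any package repository. It parses
the RFC 4880 packet layout by hand and does NOT verify the signature; it only
answers "which key claims to have made this, and is that key in my keyring?".
"""
import struct
import time

PK_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}


def _packet_header(buf: bytes):
    """Return (tag, body_offset, body_length) for the first packet in buf."""
    if len(buf) < 2 or not buf[0] & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 of the first byte is clear)")
    if buf[0] & 0x40:                       # new-format header
        tag, b0 = buf[0] & 0x3F, buf[1]
        if b0 < 192:
            return tag, 2, b0
        if b0 < 224:
            return tag, 3, ((b0 - 192) << 8) + buf[2] + 192
        if b0 == 255:
            return tag, 6, struct.unpack(">I", buf[2:6])[0]
        raise ValueError("partial body lengths are not used for signatures")
    tag, ltype = (buf[0] >> 2) & 0x0F, buf[0] & 0x03   # old-format header
    if ltype == 0:
        return tag, 2, buf[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", buf[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", buf[1:5])[0]
    raise ValueError("indeterminate packet length is not valid for a signature")


def _subpackets(area: bytes):
    """Yield (type, data) for each subpacket in a v4 (un)hashed subpacket area."""
    i = 0
    while i < len(area):
        b0 = area[i]
        if b0 < 192:
            length, i = b0, i + 1
        elif b0 < 255:
            length, i = ((b0 - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("subpacket runs past the end of its area")
        yield area[i] & 0x7F, area[i + 1:i + length]   # strip the 'critical' bit
        i += length


def parse_signature(sig: bytes) -> dict:
    """Extract issuer and metadata from a v4 signature packet (no verification)."""
    tag, off, length = _packet_header(sig)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = sig[off:off + length]
    if len(body) != length or len(body) < 6:
        raise ValueError("signature packet is truncated")
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    info = {"sig_type": body[1], "pk_algo": PK_ALGOS.get(body[2], body[2]),
            "hash_algo": HASH_ALGOS.get(body[3], body[3]),
            "issuer_key_id": None, "issuer_fpr": None, "created": None}
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]
    # Walk the unhashed area first so that anything in the hashed (signed) area wins.
    for area in (unhashed, hashed):
        for stype, data in _subpackets(area):
            if stype == 2:                                  # signature creation time
                info["created"] = struct.unpack(">I", data[:4])[0]
            elif stype == 16:                               # issuer key ID (8 bytes)
                info["issuer_key_id"] = data.hex().upper()
            elif stype == 33 and data[0] == 4:              # issuer fingerprint, v4 key
                info["issuer_fpr"] = data[1:21].hex().upper()
                info["issuer_key_id"] = info["issuer_fpr"][-16:]
    return info


def check_issuer(sig: bytes, keyring_fprs) -> str:
    """'known' if the issuer is one of keyring_fprs (full fingerprints), else 'unknown'."""
    info = parse_signature(sig)
    fprs = {f.upper() for f in keyring_fprs}
    if info["issuer_fpr"]:
        return "known" if info["issuer_fpr"] in fprs else "unknown"
    kid = info["issuer_key_id"]             # older signatures carry only the key ID
    return "known" if kid and any(f.endswith(kid) for f in fprs) else "unknown"


def is_well_formed(sig: bytes) -> bool:
    try:
        parse_signature(sig)
        return True
    except (ValueError, IndexError, struct.error):
        return False


def created_utc(info: dict) -> str:
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(info["created"]))


def build_test_signature(fpr_hex: str, created: int) -> bytes:
    """Constructed v4 RSA/SHA256 binary-document signature with dummy hash bytes and MPI."""
    fpr = bytes.fromhex(fpr_hex)
    hashed = bytes([5, 2]) + struct.pack(">I", created) + bytes([22, 33, 4]) + fpr
    unhashed = bytes([9, 16]) + fpr[-8:]
    body = (bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd" + struct.pack(">H", 16) + b"\xde\xad")
    return bytes([0x88, len(body)]) + body   # old-format header, tag 2, 1-byte length


# Constructed sample: fingerprint and time taken from the gpg --verify output in the thread.
SAMPLE_SIG = build_test_signature("B0D65295476606B71F0C6F82A85E811EB4CA2E08", 1714627558)

if __name__ == "__main__":
    info = parse_signature(SAMPLE_SIG)
    print(info["pk_algo"], info["issuer_fpr"], created_utc(info), "UTC")
    print(check_issuer(SAMPLE_SIG, {"B0D65295476606B71F0C6F82A85E811EB4CA2E08"}))
```

On a real Arch box the same fields are printed by `gpg --homedir /etc/pacman.d/gnupg --list-packets foo.pkg.tar.zst.sig`, and `gpg --homedir /etc/pacman.d/gnupg --verify foo.pkg.tar.zst.sig foo.pkg.tar.zst` does the actual check against pacman's keyring rather than your personal one. The caveat this thread illustrates: a `.sig` can be structurally fine and name a key that is present and trusted (so "checking keys in keyring" passes) and still be invalid, because the signed bytes do not match the package on disk. No parser can tell you that; only verification can, which is why comparing checksums of both the package and the `.sig` between the mirror and the client, as done above with `sha224sum`, is the right first step for isolating which file was corrupted.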