vn971 / rua

Build tool for Arch Linux providing control, review and jailed build options
GNU General Public License v3.0

GPG verification fails in sudo #228

Open vehlwn opened 2 months ago

vehlwn commented 2 months ago

rua 0.19.10

I want to create a separate user for rua because I don't want it to clutter my home gpg keyring, but now I cannot install AUR packages requiring gpg source verification (e.g. hplip-plugin). It says

Verifying source file signatures with gpg... hplip-3.24.4-plugin.run ... FAILED (unknown public key 73D770CDA59047B9)

even if I import the key manually: gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 4ABA2F66DBD5A95894910E0673D770CDA59047B9

Example:

$ sudo useradd -mG wheel aurbuilder
$ sudo passwd aurbuilder
$ sudo -u aurbuilder gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 4ABA2F66DBD5A95894910E0673D770CDA59047B9
gpg: directory '/home/aurbuilder/.gnupg' created
gpg: /home/aurbuilder/.gnupg/trustdb.gpg: trustdb created
gpg: key 73D770CDA59047B9: public key "HPLIP (HP Linux Imaging and Printing) <hplip@hp.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

$ sudo -u aurbuilder gpg -k 73D770CDA59047B9
pub   dsa1024 2009-12-15 [SC]
      4ABA2F66DBD5A95894910E0673D770CDA59047B9
uid           [ unknown] HPLIP (HP Linux Imaging and Printing) <hplip@hp.com>
sub   elg2048 2009-12-15 [E]

$ sudo -u aurbuilder rua install hplip-plugin
...
==> Verifying source file signatures with gpg...
    hplip-3.24.4-plugin.run ... FAILED (unknown public key 73D770CDA59047B9)
==> ERROR: One or more PGP signatures could not be verified!

But yay inside sudo works well. It successfully verifies the package:

Verifying source file signatures with gpg...
hplip-3.24.4-plugin.run ... Passed

I can also run gpg manually:

$ sudo -u aurbuilder -i
[aurbuilder] $ gpg --verify hplip-3.24.4-plugin.run.asc
gpg: assuming signed data in 'hplip-3.24.4-plugin.run'
gpg: Signature made Ср 22 мая 2024 04:57:54 UTC
gpg:                using DSA key 4ABA2F66DBD5A95894910E0673D770CDA59047B9
gpg: Good signature from "HPLIP (HP Linux Imaging and Printing) <hplip@hp.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4ABA 2F66 DBD5 A958 9491  0E06 73D7 70CD A590 47B9

I found a similar issue in aura: https://github.com/fosskers/aura/issues/606. Is it related?

PS: Without sudo rua works fine. But I don't want deprecated keys with DSA and SHA1 in my keyring.

vehlwn commented 1 month ago

I managed to work around it with the GNUPGHOME variable:

$ mkdir ~/.rua-gnupg
$ chmod 700 ~/.rua-gnupg
$ GNUPGHOME=~/.rua-gnupg gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 4ABA2F66DBD5A95894910E0673D770CDA59047B9
gpg: key 73D770CDA59047B9: public key "HPLIP (HP Linux Imaging and Printing) <hplip@hp.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

$ GNUPGHOME=~/.rua-gnupg gpg -k
/home/vehlwn/.rua-gnupg/pubring.kbx
--------------------------------
pub   dsa1024 2009-12-15 [SC]
      4ABA2F66DBD5A95894910E0673D770CDA59047B9
uid           [ unknown] HPLIP (HP Linux Imaging and Printing) <hplip@hp.com>
sub   elg2048 2009-12-15 [E]

$ GNUPGHOME=~/.rua-gnupg rua install hplip-plugin
...
==> Verifying source file signatures with gpg...
    hplip-3.24.4-plugin.run ... Passed
...
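The workaround above, packaged as a small wrapper script. This is an added example, not code from rua or from the issue author: it keeps a dedicated GnuPG home for rua builds, imports the signing key by its full fingerprint (the "unknown public key" id makepkg prints is the last 16 hex digits of that fingerprint), confirms the fetched key really has that fingerprint, and only then runs rua with GNUPGHOME pointed at it. It assumes gpg and rua are on PATH and uses the keyserver from the thread.

```shell
#!/bin/sh
# Added example (not part of rua): dedicated GnuPG home for rua builds, so the
# keys makepkg needs never land in the personal keyring, and the key is checked
# by full fingerprint before building. Assumes gpg and rua are on PATH.
set -eu

RUA_GNUPGHOME="${RUA_GNUPGHOME:-${HOME:-.}/.rua-gnupg}"
KEYSERVER="hkps://keyserver.ubuntu.com"   # keyserver used in the thread

# makepkg reports "unknown public key <16 hex>": that long key id is the last
# 16 hex digits of the 40-digit fingerprint. Accepts the spaced form gpg prints.
keyid_from_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    printf '%s' "$fpr" | grep -Eq '^[0-9A-F]{40}$' || return 1
    printf '%s\n' "$fpr" | cut -c25-40
}

# True if the dedicated keyring holds a key with exactly this fingerprint
# (full-fingerprint match, not a short id that could collide).
key_in_keyring() {
    gpg --homedir "$RUA_GNUPGHOME" --with-colons --list-keys 2>/dev/null \
        | awk -F: -v want="$1" '$1 == "fpr" && $10 == want { found = 1 } END { exit !found }'
}

# Create the keyring dir with private permissions, fetch the key if missing,
# and confirm the fetched key really carries the requested fingerprint.
ensure_key() {
    fpr=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    mkdir -p "$RUA_GNUPGHOME"
    chmod 700 "$RUA_GNUPGHOME"
    if ! key_in_keyring "$fpr"; then
        gpg --homedir "$RUA_GNUPGHOME" --keyserver "$KEYSERVER" --recv-keys "$fpr"
        key_in_keyring "$fpr" || { echo "key $fpr not imported" >&2; return 1; }
    fi
}

# Run rua with the dedicated keyring so gpg verification inside makepkg sees it.
rua_build() {
    GNUPGHOME="$RUA_GNUPGHOME" rua install "$@"
}

# Usage: ./rua-build.sh <fingerprint> <package>...   e.g. the HPLIP key and hplip-plugin
if [ $# -ge 2 ]; then
    ensure_key "$1"
    shift
    rua_build "$@"
fi
```

The keyring directory must be owned by the user that actually runs rua (aurbuilder when invoked via sudo -u), otherwise gpg inside the build will not read it.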