Problems With Arch Package Signing

Update: This was all addressed on 2012-06-17 with the introduction of the archlinux-keyring package and the pacman-key --populate archlinux command.

Arch Linux finally has package signing. However, if you follow the directions blindly, you may miss important details. This will usually lead to error messages about keys being of marginal trust or no trust at all.

The code posted on Arch’s wiki page for pacman-key is what you need to fetch, locally sign and assign trust to the five master keys that sign everything else.

for key in FFF979E7 CDFD6BB0 4C7EA887 6AC6A4C2 824B18E8; do
     pacman-key --recv-keys $key
     pacman-key --lsign-key $key
     printf 'trust\n3\nquit\n' | gpg --homedir /etc/pacman.d/gnupg/ \
         --no-permission-warning --command-fd 0 --edit-key $key
done

But if you’re not paying attention, you’ll miss the fact that some keys failed to import because the keyserver timed out, and the loop carries on regardless.

The main thing to look for in the output is how many times this trust prompt occurs:

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

That should appear five times, once for every key. If not, you’re missing at least one key.

Of course, I could blab all day about this and it might still escape you just what to look out for. In that regard, here’s the output of a single run of the script. The lines to look out for are the “gpg: keyserver timed out” ones: in this run keys FFF979E7 and 824B18E8 never arrived, so the trust prompt appears only three times instead of five.

gpg: requesting key FFF979E7 from hkp server keys.gnupg.net
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error

==> Updating trust database...
gpg: no need for a trustdb check
==> Updating trust database...
gpg: no need for a trustdb check
gpg: requesting key CDFD6BB0 from hkp server keys.gnupg.net
gpg: key CDFD6BB0: public key "Dan McGee (Arch Linux Master Key) " imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
==> Updating trust database...
gpg: no need for a trustdb check
==> Updating trust database...
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u

pub 3072R/CDFD6BB0 created: 2011-11-29 expires: never usage: SC
trust: unknown validity: full
sub 3072R/87E611F8 created: 2011-11-29 expires: never usage: E
[ full ] (1). Dan McGee (Arch Linux Master Key)

pub 3072R/CDFD6BB0 created: 2011-11-29 expires: never usage: SC
trust: unknown validity: full
sub 3072R/87E611F8 created: 2011-11-29 expires: never usage: E
[ full ] (1). Dan McGee (Arch Linux Master Key)

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

pub 3072R/CDFD6BB0 created: 2011-11-29 expires: never usage: SC
trust: marginal validity: full
sub 3072R/87E611F8 created: 2011-11-29 expires: never usage: E
[ full ] (1). Dan McGee (Arch Linux Master Key)
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg: requesting key 4C7EA887 from hkp server keys.gnupg.net
gpg: key 4C7EA887: public key "Ionut Biru (Arch Linux Master Key) " imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 0-, 0q, 0n, 1m, 0f, 0u
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
==> Updating trust database...
gpg: no need for a trustdb check
==> Updating trust database...
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 2 signed: 0 trust: 1-, 0q, 0n, 1m, 0f, 0u

pub 3072R/4C7EA887 created: 2011-11-25 expires: never usage: SC
trust: unknown validity: full
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key)
sub 1024R/93F91AC3 created: 2011-11-25 revoked: 2011-11-25 usage: E
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key)
sub 3072R/B20030F3 created: 2011-11-25 revoked: 2011-11-25 usage: A
[ full ] (1). Ionut Biru (Arch Linux Master Key)

pub 3072R/4C7EA887 created: 2011-11-25 expires: never usage: SC
trust: unknown validity: full
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key)
sub 1024R/93F91AC3 created: 2011-11-25 revoked: 2011-11-25 usage: E
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key)
sub 3072R/B20030F3 created: 2011-11-25 revoked: 2011-11-25 usage: A
[ full ] (1). Ionut Biru (Arch Linux Master Key)

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

pub 3072R/4C7EA887 created: 2011-11-25 expires: never usage: SC
trust: marginal validity: full
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key)
sub 1024R/93F91AC3 created: 2011-11-25 revoked: 2011-11-25 usage: E
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key)
sub 3072R/B20030F3 created: 2011-11-25 revoked: 2011-11-25 usage: A
[ full ] (1). Ionut Biru (Arch Linux Master Key)
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg: requesting key 6AC6A4C2 from hkp server keys.gnupg.net
gpg: key 6AC6A4C2: public key "Pierre Schmitz (Arch Linux Master Key) " imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 2m, 0f, 0u
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
==> Updating trust database...
gpg: no need for a trustdb check
==> Updating trust database...
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 3 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 3 signed: 0 trust: 1-, 0q, 0n, 2m, 0f, 0u

pub 3072R/6AC6A4C2 created: 2011-11-18 expires: never usage: SC
trust: unknown validity: full
sub 1024R/86872C2F created: 2011-11-18 expires: never usage: E
sub 3072R/1B516B59 created: 2011-11-18 expires: never usage: A
[ full ] (1). Pierre Schmitz (Arch Linux Master Key)

pub 3072R/6AC6A4C2 created: 2011-11-18 expires: never usage: SC
trust: unknown validity: full
sub 1024R/86872C2F created: 2011-11-18 expires: never usage: E
sub 3072R/1B516B59 created: 2011-11-18 expires: never usage: A
[ full ] (1). Pierre Schmitz (Arch Linux Master Key)

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

pub 3072R/6AC6A4C2 created: 2011-11-18 expires: never usage: SC
trust: marginal validity: full
sub 1024R/86872C2F created: 2011-11-18 expires: never usage: E
sub 3072R/1B516B59 created: 2011-11-18 expires: never usage: A
[ full ] (1). Pierre Schmitz (Arch Linux Master Key)
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg: requesting key 824B18E8 from hkp server keys.gnupg.net
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error

==> Updating trust database...
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 3 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 3 signed: 0 trust: 0-, 0q, 0n, 3m, 0f, 0u
==> Updating trust database...
gpg: no need for a trustdb check
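Rather than eyeballing a transcript like the one above for the trust prompt, you can have the shell count for you. The script below is an added example, not code from the original post or from the Arch wiki. It assumes you captured the loop's output by appending 2>&1 | tee keyring.log to the wiki's for loop (an assumption about how you ran it), and it checks the transcript for the five master key IDs named in the post: it counts the trust prompts, lists the keys whose keyserver fetch failed, and exits non-zero if any master key was never imported. The embedded sample transcript is constructed, abridged from the run shown above.

```shell
#!/bin/sh
# Added example; not code from the original post or the Arch wiki.
# Audits a transcript of the wiki's pacman-key loop, captured (assumed) with
#   for key in ...; do ...; done 2>&1 | tee keyring.log
# and reports which of the five master keys never arrived.

# The five master key IDs named in the post.
EXPECTED_KEYS="FFF979E7 CDFD6BB0 4C7EA887 6AC6A4C2 824B18E8"

# Number of trust prompts in the transcript: gpg shows one per key that was
# actually imported, so a healthy run of the loop shows exactly five.
count_trust_prompts() {
    grep -c '^5 = I trust ultimately' "$1" || true
}

# Key IDs whose keyserver fetch failed: a "requesting key X" line followed by
# "keyserver receive failed" before any "public key ... imported" line.
failed_keys() {
    awk '
        /^gpg: requesting key /                       { key = $4 }
        /^gpg: key [0-9A-Fa-f]+: public key /         { key = "" }
        /^gpg: keyserver receive failed/ && key != "" { print key; key = "" }
    ' "$1"
}

# Expected keys for which no "public key ... imported" line exists at all.
missing_keys() {
    for key in $EXPECTED_KEYS; do
        grep -q "^gpg: key $key: public key" "$1" || echo "$key"
    done
}

# Summarise the transcript; returns 1 if any master key is missing so the
# caller can refuse to proceed (or re-run the loop for the listed keys).
audit_transcript() {
    log=$1
    set -- $EXPECTED_KEYS
    printf 'trust prompts seen: %s (expected %s)\n' \
        "$(count_trust_prompts "$log")" "$#"
    missing=$(missing_keys "$log")
    if [ -n "$missing" ]; then
        echo "keys never imported (re-run --recv-keys for these):"
        echo "$missing" | sed 's/^/  /'
        return 1
    fi
    echo "all master keys imported"
}

# Constructed sample transcript, abridged from the run in the post: two of
# the five fetches time out, so only three trust prompts appear.
make_sample_log() {
    cat > "$1" <<'EOF'
gpg: requesting key FFF979E7 from hkp server keys.gnupg.net
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error
==> Updating trust database...
gpg: requesting key CDFD6BB0 from hkp server keys.gnupg.net
gpg: key CDFD6BB0: public key "Dan McGee (Arch Linux Master Key) " imported
5 = I trust ultimately
gpg: requesting key 4C7EA887 from hkp server keys.gnupg.net
gpg: key 4C7EA887: public key "Ionut Biru (Arch Linux Master Key) " imported
5 = I trust ultimately
gpg: requesting key 6AC6A4C2 from hkp server keys.gnupg.net
gpg: key 6AC6A4C2: public key "Pierre Schmitz (Arch Linux Master Key) " imported
5 = I trust ultimately
gpg: requesting key 824B18E8 from hkp server keys.gnupg.net
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error
==> Updating trust database...
EOF
}

# Usage: sh audit-keyring.sh [keyring.log]; with no argument the sample is used.
if [ "$#" -gt 0 ]; then
    audit_transcript "$1"
else
    sample=$(mktemp)
    make_sample_log "$sample"
    audit_transcript "$sample" || true
    rm -f "$sample"
fi
```

On the sample transcript the audit reports three prompts out of five and names FFF979E7 and 824B18E8 as never imported. Those are exactly the keys to feed back into the wiki loop; once every key has its trust prompt in the transcript, the marginal-trust and no-trust errors the post opens with go away.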
