FS#47627 - pacman's 'import key' prompt does not stop installation from failing and generates confusing message
Attached to Project:
Pacman
Opened by Mingye Wang (arthur2e5) - Tuesday, 05 January 2016, 04:43 GMT
Last edited by Allan McRae (Allan) - Tuesday, 29 December 2020, 13:39 GMT
Details
Summary and Info:
When installing a package with a never-imported key, pacman (uh, well, libalpm _alpm_key_import) will ask the user if the key should be imported. However, it still does not trust the imported key, which (according to quininer (via tox tunnel) at #archlinux-cn@freenode.net) is responsible for the following "'<FILENAME>': invalid or corrupt package (PGP sig)" error.

If this is really caused by the key being untrusted, then pacman should use another message like `Signature from untrusted key blah blah .. continue?' instead of telling the user the package is broken.

I am not quite an Archlinux user, and some extra verification should be used on this report to make sure both quininer and I aren't wrong. @LastAvengers (via telegram tunnel) reported this error to quininer in #archlinux-cn@freenode.net, so you might be able to get extra info from them.

Steps to Reproduce:
1. Install a random package from third-party sources like archlinux-cn's. In this case the package filename appears to be 'ydcv-rs-git-0.3.1.55-1-x86_64.pkg.tar.xz'.
   - In this case, the imported key wasn't able to get enough trust from the Web of Trust. A prompt should be added anyway.
2. Pacman should now ask you if you want to import the key. Y.
3. BOOM.
(quininer) > https://www.dropbox.com/s/rwgbp3e361g9iaq/ydcv-rs-git-0.3.1.55-1-x86_64.pkg.tar.xz?dl=0
(quininer) > https://www.dropbox.com/s/o2dg7g3wzfop39b/ydcv-rs-git-0.3.1.55-1-x86_64.pkg.tar.xz.sig?dl=0