FS#71704 - Signging key for Brett Cornwall <brett@i--b.com>" is not in the trust keyring

Attached to Project: Community Packages
Opened by Sree Harsha Totakura (tsh) - Monday, 02 August 2021, 08:55 GMT
Last edited by Antonio Rojas (arojas) - Monday, 02 August 2021, 18:03 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 11
Private No

Details

Description:
Unable to update swaybg to the latest version because of invalid signature. I believe Brett's signing key is not added to the archlinux-keyring yet.

I get the following error:
error: swaybg: signature from "Brett Cornwall <brett@i--b.com>" is unknown trust
:: File /var/cache/pacman/pkg/swaybg-1.1-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: failed to commit transaction (invalid or corrupted package (PGP signature))


Additional info:
* package version(s): 1.1.-1-x86_64
* config and/or log files etc.

# sha256sum /var/cache/pacman/pkg/swaybg-1.1-1-x86_64.pkg.tar.zst
3f09d8bf2468dea38f288aab70595e9558f7128bc86706449ffe255146398b3a /var/cache/pacman/pkg/swaybg-1.1-1-x86_64.pkg.tar.zst

Steps to reproduce:
1. Try updating swaybg to 1.1-1: pacman -S swaybg
This task depends upon

Closed by  Antonio Rojas (arojas)
Monday, 02 August 2021, 18:03 GMT
Reason for closing:  Fixed
Additional comments about closing:  archlinux-keyring-20210802
Comment by Sree Harsha Totakura (tsh) - Monday, 02 August 2021, 09:03 GMT
Some other related packages are also affected:
[code]
error: libseat: signature from "Brett Cornwall <brett@i--b.com>" is unknown trust
:: File /var/cache/pacman/pkg/libseat-0.5.0-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: sway: signature from "Brett Cornwall <brett@i--b.com>" is unknown trust
:: File /var/cache/pacman/pkg/sway-1:1.6.1-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
[/code]
Comment by Sree Harsha Totakura (tsh) - Monday, 02 August 2021, 09:17 GMT
I have the archlinux-keyring-20210616-1 installed
Comment by A. Bosch (progandy) - Monday, 02 August 2021, 09:20 GMT
The key used for signing these packages has expired today.

% CUTF gpg --verify /var/cache/pacman/pkg/swaybg-1.1-1-x86_64.pkg.tar.zst.sig
gpg: assuming signed data in '/var/cache/pacman/pkg/swaybg-1.1-1-x86_64.pkg.tar.zst'
gpg: Signature made 2021-07-19 W29-1 20:39:18 +0200 CEST
gpg: using EDDSA key 2BAD357CDD749D5081F24F3D98CB27E02A6808D8
gpg: Good signature from "Brett Cornwall <brett@i--b.com>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: BE2D BCF2 B1E3 E588 AC32 5AEA A06B 4947 0F8E 620A
Subkey fingerprint: 2BAD 357C DD74 9D50 81F2 4F3D 98CB 27E0 2A68 08D8

% CUTF pacman-key --list-keys brett@i--b.com
gpg: Note: trustdb not writable
pub ed25519 2018-10-03 [SC] [expired: 2021-08-02]
BE2DBCF2B1E3E588AC325AEAA06B49470F8E620A
uid [ expired] Brett Cornwall <brett@i--b.com>

% CUTF gpg --locate-external-keys "brett@i--b.com"
gpg: key A06B49470F8E620A: "Brett Cornwall <brett@i--b.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
pub ed25519 2018-10-03 [SC] [expired: 2021-08-02]
BE2DBCF2B1E3E588AC325AEAA06B49470F8E620A
uid [ expired] Brett Cornwall <brett@i--b.com>
Comment by Sree Harsha Totakura (tsh) - Monday, 02 August 2021, 09:51 GMT
This is the root cause. Thank you progandy.

Loading...