FS#73150 - [pcsclite] v1.9.5-1 archive corrupted

Attached to Project: Community Packages
Opened by zeroconf (zeroconf) - Saturday, 25 December 2021, 14:23 GMT
Last edited by Morten Linderud (Foxboron) - Saturday, 25 December 2021, 14:47 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To No-one
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
Cannot install pcsclite.

Additional info:
* package version(s): 1.9.5-1
* config and/or log files etc.: package repositories unchanged

Package information https://archlinux.org/packages/community/x86_64/pcsclite/

Steps to reproduce:
1. yay -Syu
2. got an error message:
error: pcsclite: signature from "Frederik Schwan <frederik.schwan@linux.com>" is unknown trust
:: File /var/cache/pacman/pkg/pcsclite-1.9.5-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.
error installing repo packages
This task depends upon

Closed by  Morten Linderud (Foxboron)
Saturday, 25 December 2021, 14:47 GMT
Reason for closing:  Not a bug
Comment by Doug Newgard (Scimmia) - Saturday, 25 December 2021, 14:37 GMT
Unknown trust means you have a keyring problem. This is a support issue, use the support channels available for your distro.
Comment by zeroconf (zeroconf) - Saturday, 25 December 2021, 14:43 GMT
Actually at https://github.com/archlinux/svntogit-community/blob/packages/pcsclite/trunk/PKGBUILD is Ludovic Rousseau key available (imported also it) and no Frederik Schwan key.

Querying:
gpg --keyserver keyserver.ubuntu.com --search-keys frederik.schwan@linux.com

Fourth key seems appropriate as it contain mentioned email and is most recently created:
(4) Frederik Schwan <frederik.schwan@linux.com>
Frederik Schwan <f.schwan@opentalk.eu>
Frederik Schwan <frederik.schwan@mailbox.org>
Frederik Schwan <f.schwan@heinlein-support.de>
Frederik Schwan <frederik@schw4n.de>
Frederik Schwan <freswa@archlinux.org>
Frederik Schwan <frederik.schwan@mide-online.de>
Frederik Schwan <frederik.schwan@stud.tu-darmstadt.de>
Frederik Schwan <frederik@tty42.de>
Frederik Schwan <frederik@schwan.it>
263 bit EDDSA key 9D4C5AA15426DA0A, created: 2018-10-31

Then imported Frederik Schwan key:
gpg --keyserver keyserver.ubuntu.com --recv-keys 9D4C5AA15426DA0A
gpg: key 9D4C5AA15426DA0A: 18 duplicate signatures removed
gpg: key 9D4C5AA15426DA0A: 5 bad signatures
gpg: key 9D4C5AA15426DA0A: 18 signatures reordered
gpg: key 9D4C5AA15426DA0A: no user ID for key signature packet of class 13
gpg: key 9D4C5AA15426DA0A: no user ID for signature
gpg: Processed: 1

Also trusted all imported keys:
for i in $(gpg --list-keys --with-colons --fingerprint | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') ; do printf "trust\n5\ny\nquit" | gpg -q --no-tty --command-fd 0 --status-fd 2 --expert --edit-key $i 2>/dev/null 1>/dev/null ; done

Then looking available keys
gpg --list-keys
... and still no Frederik Schwan key imported as it is badly formatted :(
Still cannot install...

Then imported 3rd key Frederik Schwan key and trusted it:
(3) 263 bit EDDSA key 5EE659C16E8869B8, created: 2016-10-31
... but this was expired :( Although was imported correctly.
Comment by zeroconf (zeroconf) - Saturday, 25 December 2021, 14:45 GMT
As you see, it is not a matter of trust, but badly formatted key, which is part of packaging system, actually the trust of packaging system relies on it.
Comment by Morten Linderud (Foxboron) - Saturday, 25 December 2021, 14:46 GMT
Please update archlinux-keyring

Loading...