FS#74990 - [libgpg-error] the validpgpkeys missing public key
            Attached to Project:
            Arch Linux
            
Opened by Dong Xu (eastdong) - Wednesday, 08 June 2022, 08:10 GMT
Last edited by Andreas Radke (AndyRTR) - Wednesday, 08 June 2022, 15:19 GMT
Details

Description: build libgpg-error will prompt:
```
==> Building in chroot for [extra] (x86_64)...
==> Synchronizing chroot copy [/var/lib/arAC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BDchbuild/extra-x86_64/root] -> [eastdong]...done
==> Making package: libgpg-error 1.45-1 (Wed 08 Jun 2022 04:02:59 PM CST)
==> Retrieving sources...
-> Found libgpg-error-1.45.tar.bz2
-> Found libgpg-error-1.45.tar.bz2.sig
==> Validating source files with sha1sums...
libgpg-error-1.45.tar.bz2 ... Passed
libgpg-error-1.45.tar.bz2.sig ... Skipped
==> Verifying source file signatures with gpg...
libgpg-error-1.45.tar.bz2 ... FAILED (invalid public key AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD)
==> ERROR: One or more PGP signatures could not be verified!
==> ERROR: Could not download sources.
```
is not public key AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD

check libgpg-error-1.45.tar.bz2.sig and libgpg-error-1.45.tar.bz2
```
[eastdong@East ~]$ gpg --verify Downloads/libgpg-error-1.45.tar.bz2.sig Downloads/libgpg-error-1.45.tar.bz2
gpg: Signature made Thu 07 Apr 2022 04:35:36 PM CST
gpg: using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: Can't check signature: No public key
gpg: Signature made Fri 08 Apr 2022 10:48:10 AM CST
gpg: using EDDSA key AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD
gpg: Good signature from "Niibe Yutaka (GnuPG Release Key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
```
the public key AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD is not in the validpgpkeys in PKGBUILD.
          
            Closed by  Andreas Radke (AndyRTR)
Wednesday, 08 June 2022, 15:19 GMT
Reason for closing: Fixed
Additional comments about closing: 1.45-2 - added both keys to the PKGBUILD.
          
 
                      
The key is clearly part of the validpgpkeys array and available from key servers. No idea what you mean.
```
libgpg-error-1.45.tar.bz2 ... Passed
libgpg-error-1.45.tar.bz2.sig ... Skipped
==> Verifying source file signatures with gpg...
libgpg-error-1.45.tar.bz2 ... Passed
```
Note that validpgpkeys contains 031EC2536E580D8EA286A9F22071B08A33BD3F06 ("NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>"), which seems to be the predecessor of the more recent AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD ("Niibe Yutaka (GnuPG Release Key)") key that the reporter suggests adding. Unfortunately the new AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD key is not signed by the old 031EC2536E580D8EA286A9F22071B08A33BD3F06 key, so replacing it is not quite straightforward from a trust perspective. On the other hand AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD is already in validpgpkeys for gnupg since commit https://github.com/archlinux/svntogit-packages/commit/5c3bf456a73af2512d477e3e0cb6f1b650898699 so adding it to libgpg-error would make sense as well.
But building libgpg-error will prompt:
```
-> Found libgpg-error-1.45.tar.bz2
-> Found libgpg-error-1.45.tar.bz2.sig
==> Validating source files with sha1sums...
libgpg-error-1.45.tar.bz2 ... Passed
libgpg-error-1.45.tar.bz2.sig ... Skipped
==> Verifying source file signatures with gpg...
libgpg-error-1.45.tar.bz2 ... FAILED (unknown public key E98E9B2D19C6C8BD)
==> ERROR: One or more PGP signatures could not be verified!
==> ERROR: Could not download sources.
```
This doesn't have a public key E98E9B2D19C6C8BD.
Then, import E98E9B2D19C6C8BD and try building again.
```
==> Retrieving sources...6_64-build
:: Synchronizing package databases...
core downloading...
extra downloading...
community downloading...
:: Starting full system upgrade...
there is nothing to do
==> Building in chroot for [extra] (x86_64)...
==> Synchronizing chroot copy [/var/lib/archbuild/extra-x86_64/root] -> [eastdong]...done
==> Making package: libgpg-error 1.45-1 (Wed 08 Jun 2022 08:14:26 PM CST)
==> Retrieving sources...
-> Found libgpg-error-1.45.tar.bz2
-> Found libgpg-error-1.45.tar.bz2.sig
==> Validating source files with sha1sums...
libgpg-error-1.45.tar.bz2 ... Passed
libgpg-error-1.45.tar.bz2.sig ... Skipped
==> Verifying source file signatures with gpg...
libgpg-error-1.45.tar.bz2 ... FAILED (invalid public key AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD)
==> ERROR: One or more PGP signatures could not be verified!
==> ERROR: Could not download sources.
```
If I import AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD now, the build will pass. So I think this might be something that needs to be fixed. I'm sorry if there's something wrong with my operation.
Not sure if this is worth a rebuild or if changing the key array + archrelease would be sufficient.
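
The thread turns on two different failures: a signing key that is absent from the keyring ("unknown public key") and one that verifies but is not listed in validpgpkeys ("invalid public key"). The sketch below is an example added here, not makepkg's code and not part of the original report. It classifies each signature in `gpg --status-fd` output against a list of allowed fingerprints; the function names, verdict labels, sample status lines and the strict "every signature must be listed" policy are assumptions of the example.

```sh
# Constructed `gpg --status-fd 1 --verify` output for a tarball with two
# signatures. Fingerprints are the ones quoted in this report; timestamps
# and algorithm numbers are illustrative.
sample_status() {
cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 528897B826403ADA 22 10 00 1649320536 9 6DAA6E64A76D2840571B4902528897B826403ADA
[GNUPG:] NO_PUBKEY 528897B826403ADA
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E98E9B2D19C6C8BD Niibe Yutaka (GnuPG Release Key)
[GNUPG:] VALIDSIG AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD 2022-04-08 1649386090 0 4 0 22 10 00 AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD
EOF
}

# classify_sigs FPR... : read status lines on stdin and print one verdict
# per signature, checked against the allowed fingerprints given as arguments.
classify_sigs() {
  while read -r tag kw a1 rest; do
    if [ "$tag" != "[GNUPG:]" ]; then continue; fi
    case "$kw" in
      NO_PUBKEY)  # key absent from the keyring; only the long key ID is known
        echo "$a1 unknown-public-key" ;;
      VALIDSIG)   # signature verified; last field is the primary key fingerprint
        fpr=${rest##* }
        verdict=invalid-public-key
        for k in "$@"; do
          if [ "$k" = "$fpr" ]; then verdict=listed; fi
        done
        echo "$fpr $verdict" ;;
    esac
  done
}

# Strict policy (assumption): succeed only if at least one signature was
# seen and every signature comes from a listed key.
all_listed() {
  out=$(classify_sigs "$@")
  if [ -z "$out" ]; then return 1; fi
  case "$out" in *unknown-public-key*|*invalid-public-key*) return 1 ;; esac
  return 0
}

OLD_KEY=031EC2536E580D8EA286A9F22071B08A33BD3F06
NEW_KEY=AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD
sample_status | classify_sigs "$OLD_KEY"
```

Against real files, the status lines would come from `gpg --status-fd 1 --verify file.sig file 2>/dev/null` in place of `sample_status`.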