Hey, folks!
Since the latest upgrade of package gnupg I can't upgrade/install any packages anymore.
It seems that one of the three master signing keys was created with SHA-1, which is not supported by gnupg anymore.
This only occurs if the pacman gnupg keyring was recreated or a new system was installed with the new gnupg.
Maybe some of you could also have a look at this.
Many thanks!
ragrew
# docker run --rm -ti agners/archlinuxarm
# pacman -Syu
# rm -r /etc/pacman.d/gnupg/
# pacman-key --init
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/etc/pacman.d/gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded
==> Generating pacman master key. This may take some time.
gpg: Generating pacman keyring master key...
gpg: directory '/etc/pacman.d/gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/etc/pacman.d/gnupg/openpgp-revocs.d/17CA8C2A3EE9F2805AC03E5D80444110B29BDB6B.rev'
gpg: Done
==> Updating trust database...
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
# pacman-key --populate
==> Appending keys from archlinuxarm.gpg...
==> Locally signing trusted keys in keyring...
-> Locally signed 3 keys.
==> Importing owner trust values...
gpg: setting ownertrust to 4
gpg: inserting ownertrust of 4
gpg: setting ownertrust to 4
==> Updating trust database...
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: (use option "--allow-weak-key-signatures" to override)
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 3 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 3 signed: 1 trust: 0-, 0q, 0n, 3m, 0f, 0u
# pacman -S vim
resolving dependencies...
looking for conflicting packages...
Packages (4) gpm-1.20.7.r38.ge82d1a6-5 procps-ng-4.0.4-2 vim-runtime-9.0.2167-1 vim-9.0.2167-1
Total Download Size: 9.17 MiB
Total Installed Size: 43.19 MiB
:: Proceed with installation? [Y/n]
warning: no /var/cache/pacman/pkg/ cache exists, creating...
:: Retrieving packages...
vim-runtime-9.0.2167-1-aarch64 6.4 MiB 5.04 MiB/s 00:01 [########################################################################################] 100%
vim-9.0.2167-1-aarch64 1799.1 KiB 7.57 MiB/s 00:00 [########################################################################################] 100%
procps-ng-4.0.4-2-aarch64 876.7 KiB 1024 KiB/s 00:01 [########################################################################################] 100%
gpm-1.20.7.r38.ge82d1a6-5-aarch64 131.2 KiB 631 KiB/s 00:00 [########################################################################################] 100%
Total (4/4) 9.2 MiB 3.11 MiB/s 00:03 [########################################################################################] 100%
(4/4) checking keys in keyring [########################################################################################] 100%
(4/4) checking package integrity [########################################################################################] 100%
error: vim-runtime: signature from "Arch Linux ARM Build System <builder@archlinuxarm.org>" is marginal trust
:: File /var/cache/pacman/pkg/vim-runtime-9.0.2167-1-aarch64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
# pacman-key --list-keys 69DD6C8FD314223E14362848BF7EEF7A9C6B5765
pub rsa4096 2014-01-18 [SC]
69DD6C8FD314223E14362848BF7EEF7A9C6B5765
uid [ full ] Michael Brown (ArchLinux ARM Master Key) <mbrown@master-key.archlinuxarm.org>
sub rsa4096 2014-01-18 [E]
# pacman-key -e 69DD6C8FD314223E14362848BF7EEF7A9C6B5765 | gpg --list-packets
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
version 4, algo 1, created 1390087373, expires 0
pkey[0]: [4096 bits]
pkey[1]: [17 bits]
keyid: BF7EEF7A9C6B5765
# off=528 ctb=b4 tag=13 hlen=2 plen=77
:user ID packet: "Michael Brown (ArchLinux ARM Master Key) <mbrown@master-key.archlinuxarm.org>"
# off=607 ctb=89 tag=2 hlen=3 plen=568
:signature packet: algo 1, keyid BF7EEF7A9C6B5765
version 4, created 1390087373, md5len 0, sigclass 0x13
digest algo 2, begin of digest 05 8d
hashed subpkt 2 len 4 (sig created 2014-01-18)
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (keyserver preferences: 80)
subpkt 16 len 8 (issuer key ID BF7EEF7A9C6B5765)
data: [4095 bits]
# off=1178 ctb=b9 tag=14 hlen=3 plen=525
:public sub key packet:
version 4, algo 1, created 1390087373, expires 0
pkey[0]: [4096 bits]
pkey[1]: [17 bits]
keyid: BBA6D0BB6FFCD98C
# off=1706 ctb=89 tag=2 hlen=3 plen=543
:signature packet: algo 1, keyid BF7EEF7A9C6B5765
version 4, created 1390087373, md5len 0, sigclass 0x18
digest algo 2, begin of digest c8 ed
hashed subpkt 2 len 4 (sig created 2014-01-18)
hashed subpkt 27 len 1 (key flags: 0C)
subpkt 16 len 8 (issuer key ID BF7EEF7A9C6B5765)
data: [4096 bits]
digest algo 2 should be SHA-1, according to the next link.
https://datatracker.ietf.org/doc/html/rfc4880#section-9.4
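Added example, not part of the original post: a Python script that reads `gpg --list-packets` output like the dump above and lists every signature packet made with digest algo 2 (SHA-1), marking each as a self-signature or a third-party signature, the kind the gpg note in the log refers to. The function name, the key ID 0123456789ABCDEF and the last two sample packets are constructed for illustration; the parsing assumes the text layout shown in the post.

```python
import re
import sys

SHA1 = 2  # OpenPGP hash algorithm ID for SHA-1 (RFC 4880 section 9.4)

# Sample input: the first three packets are abridged from the dump in the post;
# the last two signature packets (keyid 0123456789ABCDEF) are constructed.
SAMPLE = """\
:public key packet:
    version 4, algo 1, created 1390087373, expires 0
    keyid: BF7EEF7A9C6B5765
:user ID packet: "Michael Brown (ArchLinux ARM Master Key) <mbrown@master-key.archlinuxarm.org>"
:signature packet: algo 1, keyid BF7EEF7A9C6B5765
    version 4, created 1390087373, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 05 8d
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1390087400, md5len 0, sigclass 0x10
    digest algo 2, begin of digest aa bb
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1700000000, md5len 0, sigclass 0x10
    digest algo 8, begin of digest cc dd
"""

def sha1_signatures(dump):
    """Return (issuer, sigclass, kind) for each signature packet hashed with SHA-1."""
    primary, in_pubkey, in_sig, sigs = None, False, False, []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith(":"):  # a line starting with ':' opens a new packet
            in_pubkey = line.startswith(":public key packet:")
            m = re.match(r":signature packet: algo \d+, keyid ([0-9A-Fa-f]+)", line)
            in_sig = m is not None
            if in_sig:  # remember which primary key this signature follows
                sigs.append({"issuer": m.group(1).upper(), "primary": primary})
        elif in_pubkey and (m := re.match(r"keyid: ([0-9A-Fa-f]+)", line)):
            primary = m.group(1).upper()
        elif in_sig and (m := re.search(r"sigclass (0x[0-9A-Fa-f]+)", line)):
            sigs[-1]["sigclass"] = m.group(1)
        elif in_sig and (m := re.match(r"digest algo (\d+)", line)):
            sigs[-1]["digest"] = int(m.group(1))
    # Assumption: issuer key ID equal to the preceding primary key ID means self-signature.
    return [(s["issuer"], s.get("sigclass"),
             "self" if s["issuer"] == s["primary"] else "third-party")
            for s in sigs if s.get("digest") == SHA1]

if __name__ == "__main__":
    # Usage: pacman-key -e <KEYID> | gpg --list-packets | python3 this_script.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for issuer, sigclass, kind in sha1_signatures(text):
        print(f"{kind:12} sigclass {sigclass} issuer {issuer} digest SHA-1")
```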