Keyring issue


Post by jernst » Fri Feb 23, 2024 5:11 am

The repo contains packages signed by "Arch Linux ARM Build System <builder@archlinuxarm.org>", for example package nspr.

This fails to install because of:
[code]
error: nspr: signature from "Arch Linux ARM Build System <builder@archlinuxarm.org>" is marginal trust
[/code]

That's because:
[code]
pacman-key --finger builder @ archlinuxarm.org
gpg: Warning: using insecure memory!
pub rsa4096 2014-01-18 [SC]
68B3 537F 39A3 13B3 E574 D067 7719 3F15 2BDB E6A6
uid [marginal] Arch Linux ARM Build System <builder@archlinuxarm.org>
sub rsa4096 2014-01-18 [E]
[/code]

And that's because package archlinuxarm-keyring lists four keys in /usr/share/pacman/keyrings/archlinuxarm.gpg, but only three of those are trusted per /usr/share/pacman/keyrings/archlinuxarm-trusted -- you guessed which one is not listed there.

The archlinuxarm-keyring package appears to have been unchanged for a long time, but this kind of thing used to work. Is it possible that the build system now uses builder @ archlinuxarm.org to sign packages but that wasn't always so?

A workaround is to
[code]
pacman-key --lsign-key builder @ archlinuxarm.org
[/code]
if the default setup doesn't do it.

Anybody else have this problem?

P.S. Added extra blanks in the e-mail addresses so the broken forum software doesn't make it worse...
jernst
 
Posts: 75
Joined: Tue Aug 20, 2013 4:22 pm
Location: Silicon Valley

Re: Keyring issue

Post by ffaille » Fri Feb 23, 2024 7:40 am

Hello jernst,

There are already some topics about that...

https://archlinuxarm.org/forum/viewtopic.php?f=9&t=16762
https://archlinuxarm.org/forum/viewtopic.php?f=15&t=16701
ffaille
 
Posts: 6
Joined: Thu Jan 25, 2024 4:03 pm

Re: Keyring issue

Post by jernst » Fri Feb 23, 2024 6:35 pm

I got my analysis slightly wrong. The Build System key is signed by 2 (not 3??) of the other keys in archlinuxarm.gpg, which are identified as the trusted keys in archlinuxarm-trusted.

And apparently that trust is not sufficient to overcome the weakness of the Build System key. So I'm adding this to my setup as a workaround:

[code]
pacman-key --finger 68B3537F39A313B3E574D06777193F152BDBE6A6 2>/dev/null | grep marginal >/dev/null 2>&1 \
&& echo 'Fixing trust of Arch Linux ARM Build System <builder@archlinuxarm.org> key' \
&& pacman-key --lsign-key 68B3537F39A313B3E574D06777193F152BDBE6A6 >/dev/null 2>&1 \
|| true
[/code]

The real question of course is: regenerating a stronger Build System key should be straightforward, but somehow it hasn't happened yet. How do we get the attention of the root key holders needed for that? It's been two months at least it seems that this has been broken.
jernst
 
Posts: 75
Joined: Tue Aug 20, 2013 4:22 pm
Location: Silicon Valley
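
A way to audit the state discussed in this thread, as an added example that is not part of any post: it reads a `gpg --list-keys --with-colons` listing and a pacman `*-trusted` file, prints each primary key with its validity and whether the trusted file names it, and fails if an unlisted key is below full validity. The function names and sample data are assumptions; only the builder fingerprint comes from the thread, and the 1111/2222/3333/4444 values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Lists each primary key in a
# `gpg --with-colons` listing with its validity and whether the pacman
# *-trusted file (lines of FINGERPRINT:OWNERTRUST:) names it; returns 1 if
# a key outside that file is below full validity ("marginal trust").
# Real input: gpg --homedir /etc/pacman.d/gnupg --list-keys --with-colons
audit_keyring() {   # usage: audit_keyring LISTING TRUSTED_FILE
    awk -F: '
        mode == "trusted" { if ($1 != "") listed[$1] = 1; next }
        $1 == "pub" { validity = $2; want = 1; next }
        $1 == "sub" { want = 0; next }        # ignore subkey fingerprints
        $1 == "fpr" && want {
            want = 0
            role = ($10 in listed) ? "trusted-file" : "unlisted"
            print $10, validity, role
            if (role == "unlisted" && validity !~ /^[fu]$/) bad = 1
        }
        END { exit bad + 0 }
    ' mode=trusted "$2" mode=keys "$1"
}

# Constructed sample data. Only the builder fingerprint comes from the
# thread; the 1111/2222/3333/4444 values are placeholders.
write_sample() {    # usage: write_sample DIR
    cat > "$1/listing" <<'EOF'
pub:f:4096:1:1111111111111111:1390003200:::-:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
pub:f:4096:1:2222222222222222:1390003200:::-:::scESC:
fpr:::::::::2222222222222222222222222222222222222222:
pub:f:4096:1:3333333333333333:1390003200:::-:::scESC:
fpr:::::::::3333333333333333333333333333333333333333:
pub:m:4096:1:77193F152BDBE6A6:1390003200:::-:::scESC:
fpr:::::::::68B3537F39A313B3E574D06777193F152BDBE6A6:
sub:m:4096:1:4444444444444444:1390003200::::::e:
fpr:::::::::4444444444444444444444444444444444444444:
EOF
    cat > "$1/trusted" <<'EOF'
1111111111111111111111111111111111111111:4:
2222222222222222222222222222222222222222:4:
3333333333333333333333333333333333333333:4:
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
audit_keyring "$tmp/listing" "$tmp/trusted" || echo "keys below full validity found"
rm -rf "$tmp"
```

Run after a keyring update, a non-zero exit flags a signing key that pacman will reject before an install fails on it.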

