-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ERROR: One or more PGP signatures could not be verified! #50
Comments
Thank you for reporting. Did not know that #51 should fix it. With this change, you package now fails to build with the following error:
But that is expected since 3B94A80E50A477C7 is not defined in the PKGBUILD. |
Released |
Hi and thanks for the quick reaction! Unfortunately, v1.21 doesn't seem to work... As you mentioned, it fails with "unknown public key 3B94A80E50A477C7", which IS the short fingerprint of key A2FF3A36AAA56654109064AB19802F8B0D70FC30 that was used by Jan Alexander Steffens to sign this arch patch to the linux kernel.
Maybe the problem is with the |
Having said that... Now that I look closer at the output of the action, I have:
So where does this leave the problem...? |
Yea, as of right now I am also a bit confused what is the problem here. It seems that the patch is signed with a subkey (3B94A80E50A477C7) and PKGBUILD defines the parent key (A2FF3A36AAA56654109064AB19802F8B0D70FC30) in Also found the following in the Archlinux wiki: https://wiki.archlinux.org/title/PKGBUILD#validpgpkeys
But I guess that is fine as well. |
There seems to be something funky going on regarding this key and ubuntu key server: https://bbs.archlinux.org/viewtopic.php?id=268750 However when I tried using
Looks like this key server can strip user IDs from keys if desired by the key holder, and that is not supported by gpg. |
I think the problem is with this key:
It actually has two signing keys: the primary public key
but in
This is also noted here by gpg:
which lists the subkey fingerprint (something it doesn't do with a signature generated with the primary public key). |
But that doesn't (quite) answer the question: why does makepkg get it right locally on my machine, but not in the docker machine from your workflow? 🤔 |
Ah... yes it could well be the import that is the problem. Maybe the docker machine is not importing the subkey because of the keyserver it is using? My local machine is pulling keys from:
But I definitely have the subkey as shown by |
Yea, I tried building your package with the change from here: a1acfad which uses the same key server, and it successfully imports the keys:
And fails with the same error message:
|
Yeah we're definitely hitting some gpg key(server?) import / verification weirdness here... 🤷♂️ |
So I did a bit more digging. I tracked down where makepkg does its verifying. It's here: I went and modified my local makepkg library so it wouldn't delete the tempfile
And then I ran this:
with the following result in the status file:
What is the trust level of that key then?
Maybe we could try modifying the source of the makepkg library in your docker image to get more output, but I'll admit I'm not very used to working with docker at all. Still a mystery here... PS: There is this (still open I think) discussion on pacman-dev mailing list: https://lists.archlinux.org/archives/list/[email protected]/thread/6ZHUM234BF6LCAXBEBQ6EY6WZMRF62NM/ which may also be related, if it is a subkey issue as you suspect? Edit: removed a section on (un)compressed file verification, where I had misread the makepkg code. |
Hi there!
I am trying to use this github action to build a custom linux kernel in the github CI, but I can't seem to figure out how to add the signing PGP key to the keychain...
I have this very simple workflow:
And github actions give me this output at the end of the
Run 2m/[email protected]
stage:I have searched the documentation and looked at the other examples of projects using this workflow but can't seem to find how to handle PGP keys. Any help would be much appreciated.
Regards,
Mark.
The text was updated successfully, but these errors were encountered: