[Assist] Problem with gpg key && iceweasel

Ben uaqben at disroot.org
Wed Dec 6 14:16:35 GMT 2017


On 12/06/2017 01:43 AM, bill-auger wrote:
> ben-
> 
> pbot says: reset-keyring is: sometimes necessary - see this wiki article
> https://wiki.parabola.nu/Parabola_Keyring
> 

Thanks Bill & Megver83


Here's what I've tried:


I. Resetting_the_Parabola_Keyring
(https://wiki.parabola.nu/Parabola_Keyring#Resetting_the_Parabola_Keyring)

+ `pacman -Scc`

  I was not comfortable removing all pkgs from my local cache, so I
didn't go through with it.

+ `pacman -Syy`

~~~
sudo pacman -Syy archlinux-keyring archlinux32-keyring
archlinuxarm-keyring parabola-keyring
:: Synchronizing package databases...
 libre                    336.5 KiB   794K/s 00:00
[######################] 100%
 core                     108.2 KiB   636K/s 00:00
[######################] 100%
 extra                   1490.2 KiB   661K/s 00:02
[######################] 100%
 community                  3.9 MiB   944K/s 00:04
[######################] 100%
 pcr                      595.0 KiB   955K/s 00:01
[######################] 100%
warning: archlinux-keyring-20171130-1 is up to date -- reinstalling
warning: archlinux32-keyring-20171113-2 is up to date -- reinstalling
warning: archlinuxarm-keyring-20140119-1 is up to date -- reinstalling
warning: parabola-keyring-20170912-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (4) archlinux-keyring-20171130-1  archlinux32-keyring-20171113-2
             archlinuxarm-keyring-20140119-1  parabola-keyring-20170912-1

Total Installed Size:  1.09 MiB
Net Upgrade Size:      0.86 MiB

:: Proceed with installation? [Y/n] y
(4/4) checking keys in keyring
[######################] 100%
downloading required keys...
:: Import PGP key 2048R/02FD1C7A934E614545849F19A6234074498E9CEE,
"Christian Hesse (Arch Linux Package Signing) <arch at eworm.de>", created:
2011-08-12? [Y/n] y
:: Import PGP key 4096R/38D33EF29A7691134357648733466E12EC7BA943, "Isaac
David <isacdaavid at isacdaavid.info>", created: 2015-06-25? [Y/n] y
(4/4) checking package integrity
[######################] 100%
error: archlinux-keyring: signature from "Christian Hesse (Arch Linux
Package Signing) <arch at eworm.de>" is invalid
:: File
/var/cache/pacman/pkg/archlinux-keyring-20171130-1-any.pkg.tar.xz is
corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: archlinux32-keyring: signature from "Isaac David
<isacdaavid at isacdaavid.info>" is unknown trust
:: File
/var/cache/pacman/pkg/archlinux32-keyring-20171113-2-any.pkg.tar.xz is
corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: archlinuxarm-keyring: signature from "Isaac David
<isacdaavid at isacdaavid.info>" is unknown trust
:: File
/var/cache/pacman/pkg/archlinuxarm-keyring-20140119-1-any.pkg.tar.xz is
corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: parabola-keyring: signature from "Isaac David
<isacdaavid at isacdaavid.info>" is unknown trust
:: File /var/cache/pacman/pkg/parabola-keyring-20170912-1-any.pkg.tar.xz
is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: failed to commit transaction (invalid or corrupted package (PGP
signature))
Errors occurred, no packages were upgraded.
[ben at gnupad ~]$  sudo pacman-key --refresh-keys
gpg: refreshing 3 keys from hkp://pool.sks-keyservers.net
gpg: key 33466E12EC7BA943: 4 signatures not checked due to missing keys
gpg: key 33466E12EC7BA943: "Isaac David <isacdaavid at isacdaavid.info>"
not changed
gpg: key A6234074498E9CEE: 71 signatures not checked due to missing keys
gpg: key A6234074498E9CEE: "Christian Hesse (Arch Linux Package Signing)
<arch at eworm.de>" not changed
gpg: key 7171986E4B745536: 2 signatures not checked due to missing keys
gpg: key 7171986E4B745536: "Andreas Grapentin
<andreas.grapentin at hpi.uni-potsdam.de>" not changed
gpg: Total number processed: 3
gpg:              unchanged: 3
~~~



II. pacman-key --populate does not work


I made a fresh USB LiveISO, and booted into it

Here I took some photos with cell phone, but basically:

1. `pacstrap /mnt archlinux-keyring archlinux32-keyring
archlinuxarm-keyring parabola-keyring`

	it complained about `archlinux-keyring-20171130-1-any.pkg.tar.xz` and
signing key `Christian Hesse - arch at eworm.de`

2. `rm
/mnt/var/cache/pacman/pkg/archlinux-keyring-20171130-1-any.pkg.tar.xz`

3. `pacstrap /mnt archlinux-keyring archlinux32-keyring
archlinuxarm-keyring parabola-keyring`

	it complains that the following already exist

 `/mnt/usr/share/pacman/keyrings/archlinux.gpg`
 `/mnt/usr/share/pacman/keyrings/archlinux-trusted`
 `/mnt/usr/share/pacman/keyrings/archlinux-revoked`


	it doesn't complain about other keyring dbs/files in that location,
just specifically the three above.

	it still went through attempts at locally signing keys (I guess for
other keyrings), but with "failed to sign locally" messages.
	when finalized, there was a message saying (more or less) `command
failed to execute properly`

3. I figure that I should remove all those "old/corrupt" keyring files

	I rm all of them, except `parabola-keyring` ones which I rename by
appending `.old` (mainly because this is my work machine; and I really
can't afford to make my situation worse than it currently is [unable to
use Iceweasel, and no longer able to update anything via `pacman -Syu`])

4. I re-run the pacstrap command to install the four keyring packages

	pacstrap fails to chroot.

	it says /mnt is busy

	I search; come across recommendation to run `lsof | grep mnt`

	lsof is not available on the LiveISO.. I give up trying to figure out
who/what was squatting /mnt

	I manage to `umount -l /mnt`

	I remount it

	I run pacstrap; it goes through ok, but does complain all the way
through its routine of locally signing keys.. saying it fails to sign them.

5. I check keyrings are present in `/mnt/usr/share/pacman/keyrings/`,
and yes they are all back (plus the `.old` ones for parabola-keyring)

6. I umount and reboot and write this email.

7. I also just tried the following two commands


~~~
$ sudo pacman-key --populate parabola archlinux
==> Appending keys from parabola.gpg...
==> Appending keys from archlinux.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signing key DE8B63715BAA521666340836A763C29157A016B6...
  -> Locally signing key DDB867B92AA789C165EEFA799B729B06A680C281...
==> ERROR: DDB867B92AA789C165EEFA799B729B06A680C281 could not be locally
signed.
  -> Locally signing key B15F27D6FB402E1839BA97C619C87254F41DB195...
==> ERROR: B15F27D6FB402E1839BA97C619C87254F41DB195 could not be locally
signed.
  -> Locally signing key 560B3DEC2F13E822ACED475B2EC52AC76AEEB6A0...
==> ERROR: 560B3DEC2F13E822ACED475B2EC52AC76AEEB6A0 could not be locally
signed.
  -> Locally signing key 1B8C5E87702444D3D825CC8086ED62396D5DBA58...
==> ERROR: 1B8C5E87702444D3D825CC8086ED62396D5DBA58 could not be locally
signed.
  -> Locally signing key 684148BB25B49E986A4944C55184252D824B18E8...
==> ERROR: 684148BB25B49E986A4944C55184252D824B18E8 could not be locally
signed.
  -> Locally signing key 49F707A1CB366C580E625B3C456032D717A4CD9C...
==> ERROR: 49F707A1CB366C580E625B3C456032D717A4CD9C could not be locally
signed.
  -> Locally signing key DC7E500D8D4407641EA82893476DC656262FB1AE...
==> ERROR: DC7E500D8D4407641EA82893476DC656262FB1AE could not be locally
signed.
  -> Locally signing key 91FFE0700E80619CEB73235CA88E23E377514E00...
==> ERROR: 91FFE0700E80619CEB73235CA88E23E377514E00 could not be locally
signed.
  -> Locally signing key 6DB9C4B4F0D8C0DC432CF6E4227CA7C556B2BA78...
==> ERROR: 6DB9C4B4F0D8C0DC432CF6E4227CA7C556B2BA78 could not be locally
signed.
  -> Locally signing key 8C3F8ABD30DF2AFAC6C039A45906AB5E9AAD00E5...
==> ERROR: 8C3F8ABD30DF2AFAC6C039A45906AB5E9AAD00E5 could not be locally
signed.
  -> Locally signing key 3954A7AB837D0EA9CFA9798925DB7D9B5A8D4B40...
==> ERROR: 3954A7AB837D0EA9CFA9798925DB7D9B5A8D4B40 could not be locally
signed.
  -> Locally signing key D3EAD7F9D076EB9AF650149DA170D6A0B669E21A...
==> ERROR: D3EAD7F9D076EB9AF650149DA170D6A0B669E21A could not be locally
signed.
  -> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
==> ERROR: AB19265E5D7D20687D303246BA1DFB64FFF979E7 could not be locally
signed.
  -> Locally signing key 2DFFE834A07FC9A06F4AAAF444BC7D7F49B9A5A4...
==> ERROR: 2DFFE834A07FC9A06F4AAAF444BC7D7F49B9A5A4 could not be locally
signed.
  -> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
==> ERROR: 0E8B644079F599DFC1DDC3973348882F6AC6A4C2 could not be locally
signed.
  -> Locally signing key DE00C1C500DDCC4AAF06EA99B238ADC68BE13357...
==> ERROR: DE00C1C500DDCC4AAF06EA99B238ADC68BE13357 could not be locally
signed.
  -> Locally signing key 1285E187FDE4EF93444F75F9A3CDCDE939A264EE...
==> ERROR: 1285E187FDE4EF93444F75F9A3CDCDE939A264EE could not be locally
signed.
  -> Locally signing key C90B027951EB38B7FA25E2E73052D5B24E10CAF9...
==> ERROR: C90B027951EB38B7FA25E2E73052D5B24E10CAF9 could not be locally
signed.
  -> Locally signing key ACFD80729A8CE443544A2C7ADF672798D2CF9D7D...
==> ERROR: ACFD80729A8CE443544A2C7ADF672798D2CF9D7D could not be locally
signed.
  -> Locally signing key CB6E213A349B8DF9E96B622AC3F4FFCF3EAE8697...
==> ERROR: CB6E213A349B8DF9E96B622AC3F4FFCF3EAE8697 could not be locally
signed.
  -> Locally signing key 38D33EF29A7691134357648733466E12EC7BA943...
==> ERROR: 38D33EF29A7691134357648733466E12EC7BA943 could not be locally
signed.
  -> Locally signing key BFA8008A8265677063B11BF47171986E4B745536...
==> ERROR: BFA8008A8265677063B11BF47171986E4B745536 could not be locally
signed.
  -> Locally signing key C9297FDFA44D416DEBF0948365BDCFF76F0F94D7...
==> ERROR: C9297FDFA44D416DEBF0948365BDCFF76F0F94D7 could not be locally
signed.
  -> Locally signing key B70107A3E6A744682A22208D7D19D1AFDD312BBE...
==> ERROR: B70107A3E6A744682A22208D7D19D1AFDD312BBE could not be locally
signed.
  -> Locally signing key 99195DD3BB6FE10A2F36ED8445698744D4FFBFC9...
==> ERROR: 99195DD3BB6FE10A2F36ED8445698744D4FFBFC9 could not be locally
signed.
  -> Locally signing key 8CD7227DA467D3ED404F6EEFDB590F739E5AC458...
==> ERROR: 8CD7227DA467D3ED404F6EEFDB590F739E5AC458 could not be locally
signed.
  -> Locally signing key 6A02EFFEEE2464AD376E05A81A677766EBE25A09...
==> ERROR: 6A02EFFEEE2464AD376E05A81A677766EBE25A09 could not be locally
signed.
  -> Locally signing key EBDF658E5A72B7B8BD5FB0F46DB12E6B3CE04A86...
==> ERROR: EBDF658E5A72B7B8BD5FB0F46DB12E6B3CE04A86 could not be locally
signed.
  -> Locally signing key 916FFBC76D2E641BA416BA53364F4E1483446AC5...
==> ERROR: 916FFBC76D2E641BA416BA53364F4E1483446AC5 could not be locally
signed.
  -> Locally signing key 0EF5D686FC13831A54874C275FC681B4822DABB0...
==> ERROR: 0EF5D686FC13831A54874C275FC681B4822DABB0 could not be locally
signed.
~~~


~~~
$ sudo pacman -S parabola-keyring archlinux-keyring
warning: parabola-keyring-20170912-1 is up to date -- reinstalling
warning: archlinux-keyring-20171130-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (2) archlinux-keyring-20171130-1  parabola-keyring-20170912-1

Total Installed Size:  1.01 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] y
(2/2) checking keys in keyring
            [################################################] 100%
(2/2) checking package integrity
            [################################################] 100%
error: parabola-keyring: signature from "Isaac David
<isacdaavid at isacdaavid.info>" is unknown trust
:: File /var/cache/pacman/pkg/parabola-keyring-20170912-1-any.pkg.tar.xz
is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: archlinux-keyring: signature from "Christian Hesse (Arch Linux
Package Signing) <arch at eworm.de>" is unknown trust
:: File
/var/cache/pacman/pkg/archlinux-keyring-20171130-1-any.pkg.tar.xz is
corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: failed to commit transaction (invalid or corrupted package (PGP
signature))
Errors occurred, no packages were upgraded.
~~~


III. Next steps

Any suggestions welcome! :)

I don't mind re-doing something I've done, be it in different order or
if you recommend that it's worth trying again.

Also, if there's a way to not remove all pkg.tar.xz from my cache, but
only the keyring ones, then yes I don't mind doing that (or educate me
on why I shouldn't be scared of zapping all my pkgs cache :)  )

Thanks again for your help!

Ben
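
The following is an added example, not part of the original message: a small Python triage that cross-references the three kinds of lines in the output above (key imports, pacman signature errors, and `pacman-key --populate` local-signing failures) to show which "unknown trust" errors line up with a key that could not be locally signed. The function name `triage` is hypothetical, and the sample lines are copied from the quoted output, one of them still wrapped as the mail client left it.

```python
import re

# Sample lines taken from the terminal output quoted in the post (constructed
# test input; the second import line keeps the mail client's line wrap).
SAMPLE = '''\
:: Import PGP key 2048R/02FD1C7A934E614545849F19A6234074498E9CEE, "Christian Hesse (Arch Linux Package Signing) <arch at eworm.de>", created: 2011-08-12? [Y/n] y
:: Import PGP key 4096R/38D33EF29A7691134357648733466E12EC7BA943, "Isaac
David <isacdaavid at isacdaavid.info>", created: 2015-06-25? [Y/n] y
error: archlinux-keyring: signature from "Christian Hesse (Arch Linux Package Signing) <arch at eworm.de>" is invalid
error: parabola-keyring: signature from "Isaac David <isacdaavid at isacdaavid.info>" is unknown trust
==> ERROR: 38D33EF29A7691134357648733466E12EC7BA943 could not be locally
signed.
'''

IMPORT_RE = re.compile(r'Import PGP key \w+/([0-9A-F]{40}), "([^"]+)"')
SIG_RE = re.compile(r'error: (\S+): signature from "([^"]+)" is (invalid|unknown trust)')
LSIGN_RE = re.compile(r'ERROR: ([0-9A-F]{40}) could not be locally signed')


def triage(log):
    """Return (package, signer, fingerprint, state, reading) per failed package."""
    # Collapse all whitespace so output wrapped at 72 columns still matches.
    text = " ".join(log.split())
    fpr_by_signer = {name: fpr for fpr, name in IMPORT_RE.findall(text)}
    not_locally_signed = set(LSIGN_RE.findall(text))
    findings = []
    for pkg, signer, state in SIG_RE.findall(text):
        fpr = fpr_by_signer.get(signer)  # None if no import line named this signer
        if state == "unknown trust" and fpr in not_locally_signed:
            reading = "key is present, but local signing failed, so it carries no trust"
        elif state == "unknown trust":
            reading = "key is present but untrusted; no local-signing failure logged for it"
        else:
            reading = "signature verification itself failed; not a trust-level result"
        findings.append((pkg, signer, fpr, state, reading))
    return findings


if __name__ == "__main__":
    for pkg, signer, fpr, state, reading in triage(SAMPLE):
        print(f"{pkg}: {state} ({fpr}) -> {reading}")
```
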
