[Dev] keyring problem

bill-auger bill-auger at peers.community
Fri Dec 29 07:12:42 GMT 2017


when running from the LiveISOs, certain packages fail to install due to
unknown trust / invalid signature - i suspect this is the root cause or
at least an indicator of the broken ISOs from last year and perhaps some
other similar troubles with packages on which the key should be valid
but require resetting the keyring manually - the problem is not
specific to the ISOs though but they exhibit this behavior in the fresh
default state - i have narrowed it down to some small test cases that
should expose the problem on any parabola system - if anyone can,
please verify these on your installed system (enable pcr-testing)

on a sane system this command succeeds:

$ sudo pacman -S wbar --noconfirm

as well these commands:

$ sudo pacman-key --init
$ sudo pacman-key --populate parabola
$ sudo pacman -S wbar --noconfirm

but this sequence of commands fails to install the package:

$ sudo rm -rf /etc/pacman.d/gnupg/
$ sudo pacman-key --init
$ sudo pacman-key --populate parabola
$ sudo pacman -S wbar --noconfirm

and this sequence of commands fails also:

$ sudo rm -rf /etc/pacman.d/gnupg/
$ sudo pacman-key --init
$ sudo pacman-key --populate parabola
$ sudo pacman-key --refresh-keys
$ sudo pacman -S wbar --noconfirm

and this sequence of commands will succeed installing the package:

$ sudo rm -rf /etc/pacman.d/gnupg/
$ sudo pacman-key --init
$ sudo pacman -S wbar --noconfirm
$ sudo pacman-key --populate parabola
$ sudo pacman -S wbar --noconfirm

the first pacman command here actually plays a role in that it imports
the obviously missing key but then fails to verify the package

....
:: Import PGP key 2048R/3954A7AB837D0EA9CFA9798925DB7D9B5A8D4B40,
"bill-auger <EMAIL_1>", created: 2016-11-30? [Y/n]
(1/1) checking package integrity
error: wbar: signature from "bill-auger <EMAIL_2>" is unknown trust
....

then the `pacman-key --populate` command signs the key then the second
pacman command succeeds - this indicates that the signing key is not in
the parabola-keyring package - but it is, though you may notice two
different email addresses so i suspect that one of the IDs is not known
to the keyring - but they are both IDs on the same key and the key is
signed by the `pacman-key --populate` command even without importing it
explicitly as above - demonstrated with these commands:

$ sudo rm -rf /etc/pacman.d/gnupg/
$ sudo pacman-key --init
$ sudo pacman-key --populate parabola
....
  -> Locally signing key 3954A7AB837D0EA9CFA9798925DB7D9B5A8D4B40...
....

i can only assume i have found a bug because i would think pacman should
handle this situation but i dont know well enough what the intended
behavior is to investigate further - for example, what should happen
when pacman downloads a package signed by an unknown key as above -
should that package have been validated without being signed by the
local keyring master as is done in the `pacman-key --populate` command?
- should it have been automatically signed by the local keyring master
and then validated? - or is it expected behavior to reject the package?
in which case why would it bother asking to import the key?

note that the signing key is mine so i can fiddle with it if necessary -
i suspect that rebuilding the parabola-keyring package would resolve
this problem but i do not want to attempt that until i discover why this
is happening so that i know the best procedure to use on the ISOs to
make them viable for longer periods of time - perhaps the keyring should
be rebuilt more regularly on a cron task or maybe pacman needs a patch
to handle this without flaking out - i dunno yet - but i could use some
help nailing this down from someone more experienced with pacman's innards

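Added here as an editor's check, not part of bill-auger's mail or of pacman-key: a small script that parses the colon-format keyring listing and reports, per user ID, whether the package signing key carries a local (lsign) certification from the keyring master, plus the validity gpg computed for the key. The listing below is constructed in the format of `gpg --homedir /etc/pacman.d/gnupg --list-sigs --with-colons`; the master key id 0123456789ABCDEF and the ":X:" uid hashes are placeholders, and only the fingerprint quoted in the mail is real.

```shell
#!/bin/sh
# Constructed sample (not captured from a real system) in the format of
#   gpg --homedir /etc/pacman.d/gnupg --list-sigs --with-colons
# Field 11 of a "sig" line is the signature class; a trailing "l" marks a
# local (lsign) signature, "x" an exportable one.
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1480464000::::::scESC::::::::
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1480464000::X::Parabola Keyring Master Key (placeholder):::::::::::
pub:f:2048:1:25DB7D9B5A8D4B40:1480464000::::::scESC::::::::
fpr:::::::::3954A7AB837D0EA9CFA9798925DB7D9B5A8D4B40:
uid:f::::1480464000::X::bill-auger <EMAIL_1>:::::::::::
sig:::1:25DB7D9B5A8D4B40:1480464000::::bill-auger <EMAIL_1>:13x:::::2:
sig:::1:0123456789ABCDEF:1514530000::::Parabola Keyring Master Key:13l:::::2:
uid:-::::1480464000::X::bill-auger <EMAIL_2>:::::::::::
sig:::1:25DB7D9B5A8D4B40:1480464000::::bill-auger <EMAIL_2>:13x:::::2:'

# Validity gpg computed for the key with fingerprint $1 in listing $2
# (field 2 of its "pub" line: u=ultimate, f=full, m=marginal, -=unknown).
# "-" or "q" here is what pacman reports as "unknown trust".
key_validity() {
  printf '%s\n' "$2" | awk -F: -v fpr="$1" '
    $1 == "pub" { v = $2 }
    $1 == "fpr" && $10 == fpr { print v; exit }'
}

# For each user ID on the key with fingerprint $1, print "<uid> => signed"
# if that uid carries a local certification (class 0x10-0x13 + "l") from
# master key id $2 in listing $3, otherwise "<uid> => UNSIGNED".
uid_master_lsig_status() {
  printf '%s\n' "$3" | awk -F: -v fpr="$1" -v master="$2" '
    function flush() { if (uid != "") print uid " => " (ok ? "signed" : "UNSIGNED") }
    $1 == "pub" { flush(); inkey = 0; uid = "" }
    $1 == "fpr" && $10 == fpr { inkey = 1 }
    inkey && $1 == "uid" { flush(); uid = $10; ok = 0 }
    inkey && $1 == "sig" && $5 == master && $11 ~ /^1[0-3]l$/ { ok = 1 }
    END { flush() }'
}

# Stand-alone demo on the constructed listing: validity "f", one uid
# signed by the master, the other UNSIGNED.
key_validity 3954A7AB837D0EA9CFA9798925DB7D9B5A8D4B40 "$SAMPLE_LISTING"
uid_master_lsig_status 3954A7AB837D0EA9CFA9798925DB7D9B5A8D4B40 0123456789ABCDEF "$SAMPLE_LISTING"
```

On a real system, replace SAMPLE_LISTING with the output of the gpg command named in the comment and pass the fingerprint of the keyring master key's id as shown by `pacman-key --list-keys`.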