when running from the LiveISOs, certain packages fail to install due to unknown trust / invalid signature - i suspect this is the root cause or at least an indicator of the broken ISOs from last year and perhaps some other similar troubles with packages on which the key should be valid but require resetting the keyring manually - the problem is not specific to the ISOs though but they exhibit this behavior in the fresh default state - i have narrowed it down to some small test cases that should expose the problem on any parabola system - if anyone can, please verify these on your installed system (enable pcr-testing)
on a sane system this command succeeds:

    $ sudo pacman -S wbar --noconfirm

as well as these commands:

    $ sudo pacman-key --init
    $ sudo pacman-key --populate parabola
    $ sudo pacman -S wbar --noconfirm

but this sequence of commands fails to install the package:

    $ sudo rm -rf /etc/pacman.d/gnupg/
    $ sudo pacman-key --init
    $ sudo pacman-key --populate parabola
    $ sudo pacman -S wbar --noconfirm

and this sequence of commands fails also:

    $ sudo rm -rf /etc/pacman.d/gnupg/
    $ sudo pacman-key --init
    $ sudo pacman-key --populate parabola
    $ sudo pacman-key --refresh-keys
    $ sudo pacman -S wbar --noconfirm

and this sequence of commands will succeed installing the package:

    $ sudo rm -rf /etc/pacman.d/gnupg/
    $ sudo pacman-key --init
    $ sudo pacman -S wbar --noconfirm
    $ sudo pacman-key --populate parabola
    $ sudo pacman -S wbar --noconfirm

the first pacman command here actually plays a role in that it imports the obviously missing key but then fails to verify the package

    ....
    :: Import PGP key 2048R/3954A7AB837D0EA9CFA9798925DB7D9B5A8D4B40, "bill-auger <EMAIL_1>", created: 2016-11-30? [Y/n]
    (1/1) checking package integrity
    error: wbar: signature from "bill-auger <EMAIL_2>" is unknown trust
    ....

then the `pacman-key --populate` command signs the key then the second pacman command succeeds - this indicates that the signing key is not in the parabola-keyring package - but it is, though you may notice two different email addresses so i suspect that one of the IDs is not known to the keyring - but they are both IDs on the same key and the key is signed by the `pacman-key --populate` command even without importing it explicitly as above - demonstrated with these commands:

    $ sudo rm -rf /etc/pacman.d/gnupg/
    $ sudo pacman-key --init
    $ sudo pacman-key --populate parabola
    ....
    -> Locally signing key 3954A7AB837D0EA9CFA9798925DB7D9B5A8D4B40...
    ....
i can only assume i have found a bug because i would think pacman should handle this situation but i don't know well enough what the intended behavior is to investigate further - for example, what should happen when pacman downloads a package signed by an unknown key as above - should that package have been validated without being signed by the local keyring master as is done in the `pacman-key --populate` command? - should it have been automatically signed by the local keyring master and then validated? - or is it expected behavior to reject the package? in which case why would it bother asking to import the key? note that the signing key is mine so i can fiddle with it if necessary - i suspect that rebuilding the parabola-keyring package would resolve this problem but i do not want to attempt that until i discover why this is happening so that i know the best procedure to use on the ISOs to make them viable for longer periods of time - perhaps the keyring should be rebuilt more regularly on a cron task or maybe pacman needs a patch to handle this without flaking out - i dunno yet - but i could use some help nailing this down from someone more experienced with pacman's innards
_______________________________________________ Dev mailing list [email protected] https://lists.parabola.nu/mailman/listinfo/dev
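
Added example, not part of the original message or of pacman: one way to check the suspicion above that the two user IDs on the key are treated differently is to read the per-UID validity from GnuPG's machine-readable listing. The sample input, the two placeholder addresses, and the helper names `uid_validity` and `untrusted_uids` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the validity GnuPG has computed for each user ID of a
# key, reading `gpg --with-colons` output on stdin. On a live system:
#   sudo gpg --homedir /etc/pacman.d/gnupg --list-keys --with-colons <fingerprint>

# Constructed sample: the fingerprint is the one quoted in the message; the
# addresses and validity letters are invented to exercise the parser.
SAMPLE='pub:-:2048:1:25DB7D9B5A8D4B40:1480464000:::-:::scESC:
fpr:::::::::3954A7AB837D0EA9CFA9798925DB7D9B5A8D4B40:
uid:f::::1480464000::AAAA::bill-auger <uid-one@example.invalid>:
uid:-::::1480464000::BBBB::bill-auger <uid-two@example.invalid>:'

# Print "<fingerprint> <validity> <user id>" for every uid record.
uid_validity() {
    awk -F: '
        function label(v) {
            if (v == "u") return "ultimate"
            if (v == "f") return "full"
            if (v == "m") return "marginal"
            if (v == "n") return "never"
            if (v == "r") return "revoked"
            if (v == "e") return "expired"
            if (v == "i") return "invalid"
            if (v == "d") return "disabled"
            return "unknown"                      # "-", "q", "o" or empty
        }
        $1 == "pub" { fpr = "" }                  # a new key starts here
        $1 == "fpr" && fpr == "" { fpr = $10 }    # first fpr = primary key
        $1 == "uid" { print fpr, label($2), $10 } # field 2 = validity
    '
}

# Assumption: a user ID below marginal validity is the one to investigate.
untrusted_uids() {
    uid_validity | awk '$2 != "ultimate" && $2 != "full" && $2 != "marginal"'
}

printf '%s\n' "$SAMPLE" | uid_validity
```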
