Giovanni 'ItachiSan' Santini via arch-general <arch-general@xxxxxxxxxxxxx> on Sun, 2016/07/03 10:09:
> Good morning,
> some days ago I found a nice service called "Open Build Service", which
> allows all kinds of packagers, including also Arch ones, to have
> different repos of their packages, having them built online.
> This is awesome for me, as some of them require heavy building time.
>
> I fought a bit against the service, in order to make the GPG public key
> to be uploaded to a key server, in order to allow users to add it
> properly to pacman-key.
>
> Now, I am facing a really strange issue: I've added the key to the pacman
> keyring, using:
>
> sudo pacman-key -r 05E0A765C649DE23
> sudo pacman-key --lsign-key 05E0A765C649DE23
>
> Database syncing works properly and the signature is verified...
> But for packages it is not.
> Every time it gives an error like this:
>
> $pkgname-$pkgver $pkgsize $dw_speed 00:00 [--------------------] 100%
> (1/1) checking keys in keyring [--------------------] 100%
> error: $pkgname: unsupported signature format(0/1) checking package
> integrity
> (1/1) checking package integrity [--------------------] 100%
> error: GPGME error: No data
>
> I tried to download the public key and add it to my personal GPG
> keyring. Verifying the package signatures works perfectly. To try this,
> I fetched the .sig file online and used the GPG --verify command.
> Any hints?
>
> Now, the needed data.
> My personal repo configuration for pacman:
>
> [home_ItachiSan_archlinux_Arch_Extra]
> Server =
> http://download.opensuse.org/repositories/home:/ItachiSan:/archlinux/Arch_Extra/$arch
>
> The public key mentioned above:
> http://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search=0x05E0A765C649DE23
> or
> http://keyserver.ubuntu.com/pks/lookup?op=vindex&search=home%3AItachiSan&fingerprint=on
>
> Sorry to be so verbose. :<
> Thanks in advance!
Looks like the build service produces invalid db files, home_ItachiSan_archlinux_Arch_Extra.db in your case.

The db file is just a simple tar archive, compressed with gzip. Unzip it and you will find a directory for every package. Every directory contains the file 'desc' at least. Within the file you should find a line '%PGPSIG%', followed by a single line containing the signature. Looks like the build service breaks this line, which confuses pacman.

To verify, you can extract the db file, make your changes and create a new one. Do not forget to remove the db signature (or re-sign).

BTW, it's pretty simple why the db signature is valid: it is used as-is. The package signatures in your repository are useless, though. The signatures are stored within the db file, as seen above.

-- 
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
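The check Chris describes above, done by script rather than by hand, as an added example that is not part of the original thread and not a tool from pacman or the Open Build Service. It opens a sync db (gzip-compressed tar), reads every package's 'desc', and reports any entry whose %PGPSIG% section does not consist of exactly one line of base64 that decodes to an OpenPGP signature packet (tag 2, RFC 4880 section 4.2). The sample db it builds is constructed in memory: package names, versions and the signature bytes are placeholders, and the 'broken' entry simply has its signature line wrapped in the middle, which is what the reply suspects the build service does.

```python
import base64
import binascii
import io
import tarfile


def parse_desc(text):
    """Parse a pacman sync-db 'desc' file into {SECTION: [lines]}.

    A section starts with a line such as %PGPSIG% and runs until the next
    blank line; every non-blank line in between is a value line.
    """
    sections = {}
    current = None
    for line in text.splitlines():
        if len(line) > 2 and line.startswith('%') and line.endswith('%'):
            current = line[1:-1]
            sections[current] = []
        elif line.strip() == '':
            current = None
        elif current is not None:
            sections[current].append(line)
    return sections


def pgp_packet_tag(first_byte):
    """Return the OpenPGP packet tag encoded in a packet's first byte
    (RFC 4880, section 4.2), or None if the high bit is not set."""
    if not first_byte & 0x80:
        return None
    if first_byte & 0x40:            # new-format header: tag in low 6 bits
        return first_byte & 0x3f
    return (first_byte >> 2) & 0x0f  # old-format header: tag in bits 2..5


def check_pgpsig(sections):
    """Return None when %PGPSIG% looks usable by pacman, else a reason string."""
    sig_lines = sections.get('PGPSIG')
    if sig_lines is None:
        return 'missing %PGPSIG% section'
    if len(sig_lines) != 1:
        return '%PGPSIG% spans {} lines, pacman expects exactly one'.format(len(sig_lines))
    try:
        raw = base64.b64decode(sig_lines[0], validate=True)
    except binascii.Error as exc:
        return '%PGPSIG% is not valid base64: {}'.format(exc)
    if not raw or pgp_packet_tag(raw[0]) != 2:   # tag 2 = Signature Packet
        return '%PGPSIG% does not decode to an OpenPGP signature packet'
    return None


def audit_db(db_bytes):
    """Walk a sync db (gzip-compressed tar) and map each package directory
    that has a bad %PGPSIG% to the reason it was rejected."""
    problems = {}
    with tarfile.open(fileobj=io.BytesIO(db_bytes), mode='r:gz') as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith('/desc'):
                continue
            pkgdir = member.name.rsplit('/', 1)[0]
            text = tar.extractfile(member).read().decode('utf-8')
            reason = check_pgpsig(parse_desc(text))
            if reason is not None:
                problems[pkgdir] = reason
    return problems


# --- constructed sample data, not a real repository ------------------------

def make_desc(name, version, sig_text):
    """Minimal 'desc' with only the sections this check needs."""
    return ('%FILENAME%\n{0}-{1}-x86_64.pkg.tar.xz\n\n%NAME%\n{0}\n\n'
            '%VERSION%\n{1}\n\n%PGPSIG%\n{2}\n\n').format(name, version, sig_text)


def build_sample_db():
    """Build a two-package db in memory: 'good' keeps the signature on one
    line, 'broken' has the same line wrapped in the middle. The signature
    is a stand-in: an old-format signature-packet header byte (0x89)
    followed by dummy bytes, not a real OpenPGP signature."""
    fake_sig = base64.b64encode(b'\x89' + bytes(range(60))).decode('ascii')
    entries = {
        'good-1.0-1': make_desc('good', '1.0-1', fake_sig),
        'broken-1.0-1': make_desc('broken', '1.0-1', fake_sig[:40] + '\n' + fake_sig[40:]),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w:gz') as tar:
        for pkgdir, desc in entries.items():
            d = tarfile.TarInfo(pkgdir)
            d.type = tarfile.DIRTYPE
            tar.addfile(d)
            data = desc.encode('utf-8')
            f = tarfile.TarInfo(pkgdir + '/desc')
            f.size = len(data)
            tar.addfile(f, io.BytesIO(data))
    return buf.getvalue()


if __name__ == '__main__':
    import sys
    # Pass a real *.db path as the first argument; with no argument the
    # constructed sample db is audited instead.
    db = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample_db()
    for pkgdir, reason in sorted(audit_db(db).items()):
        print('{}: {}'.format(pkgdir, reason))
```

Run it against the downloaded home_ItachiSan_archlinux_Arch_Extra.db to list the entries pacman will choke on. The script only reads 'desc'; other files in a package directory (such as 'depends' or 'files') are ignored, and decoding the packet header only confirms that the base64 carries an OpenPGP signature packet, not that the signature verifies.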