34

I recently switched to an Arch-based distro called Manjaro.

I have problems installing some packages from the AUR Arch repository:

    curl-7.54.0.tar.gz ... Passed
    curl-7.54.0.tar.gz.asc ... Skipped
==> Verifying source file signatures with gpg...
    curl-7.54.0.tar.gz ... FAILED (unknown public key 5CC908FDB71E12C2)
==> ERROR: One or more PGP signatures could not be verified!

What do I need to do to fix this?

nelaaro

1 Answer

46

Once you have a local gpg key pair, you can import the unknown key to your local user's set of keys. In my case, the key 5CC908FDB71E12C2 needs to be imported as follows.

$ gpg --recv-keys 5CC908FDB71E12C2
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: key 5CC908FDB71E12C2: 8 signatures not checked due to missing keys
gpg: /home/aaron/.gnupg/trustdb.gpg: trustdb created
gpg: key 5CC908FDB71E12C2: public key "Daniel Stenberg <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

--recv-keys key IDs: Import the keys with the given key IDs from a keyserver.

If the above fails you might need to generate a local gpg keystore/database.

The steps below may no longer be necessary, as the above step now creates a local key database for you. This depends on your distro, gpg version and config.

If you do not already have a gpg key database for your local user:

gpg --generate-key

or

gpg --full-gen-key

What the docs say:

   --generate-key
   --gen-key
          Generate  a  new key pair using the current default parameters.  This is the standard command to create a new key.  In addition to the key a revocation certificate is created and stored in the
          ‘openpgp-revocs.d’ directory below the GnuPG home directory.

   --full-generate-key
   --full-gen-key
          Generate a new key pair with dialogs for all options.  This is an extended version of --generate-key.

          There is also a feature which allows you to create keys in batch mode. See the manual section ``Unattended key generation'' on how to use this.
nelaaro
  • Is this safe? Like, doesn't adding random keys whenever you have to, defeat the purpose...? – jcora Feb 14 '18 at 11:44
  • 5
    @jcora. These keys allow you to install the software you want. You need to decide if it is safe. These are third-party keys that verify that the software they have created in AUR is actually from them. Is there a possibility of a package in AUR or somewhere having malicious code? Yes. This requires you to trust the person creating the package. Beyond that, the keys verify that no one else has modified the package you received. You have to make the decision and evaluate the risk. – nelaaro Feb 14 '18 at 13:16
  • well I was confused because usually the keys for AUR packages are already automatically included on my system. Am I misunderstanding something? – jcora Feb 15 '18 at 15:07
  • I am using the Manjaro distro, which was probably out of date, and causing issues for me. – nelaaro Feb 15 '18 at 19:09
  • @nelaaro, could give some detail about _Once you have local gpg key pair_? Is it necessary to have such local key pair for the `--recv-keys` command to work? – Enlico Aug 08 '18 at 07:07
  • 1
    @EnricoMariaDeAngelis the local gpg keys are not initialised, you do not have a key ring which is just a file that stores a list of keys that you have imported / accepted. `--full-gen-key` ensures that all files are created for you to be able to import keys to your local key ring. – nelaaro Aug 13 '18 at 10:01
  • `gpg --full-gen-key` is not really needed. Correct me if I'm wrong. @jcora `pacman` and `makepkg` use different [keyrings](http://allanmcrae.com/2015/01/two-pgp-keyrings-for-package-management-in-arch-linux/). So usually AUR keys are not automatically included. – x-yuri Feb 12 '19 at 10:17
  • @x-yuri you're correct, `--full-gen-key` was not needed. Yes, pacman and makepkg use different keyrings. What we are doing is adding another keyring for the local user to ensure that things work when makepkg, pacman etc. ask "is this key trusted?". The local user keystore is checked as well as their own key stores. – nelaaro Feb 12 '19 at 11:24
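A small script, added here as an example (not code from the answer, nor from the Arch or Manjaro tooling), that pulls the key IDs out of makepkg's `unknown public key` lines and, in the spirit of jcora's "is this safe?" question, only keeps a fetched key when its full fingerprint matches the one the upstream project publishes. The sample log is the question's own output; the expected fingerprint and the function names are placeholders of my own.

```shell
# Constructed sample of makepkg output (the lines from the question above).
MAKEPKG_LOG='    curl-7.54.0.tar.gz ... Passed
    curl-7.54.0.tar.gz.asc ... Skipped
==> Verifying source file signatures with gpg...
    curl-7.54.0.tar.gz ... FAILED (unknown public key 5CC908FDB71E12C2)
==> ERROR: One or more PGP signatures could not be verified!'

# Print every key ID makepkg reported as unknown, one per line, deduplicated.
unknown_key_ids() {
    printf '%s\n' "$1" \
        | sed -n 's/.*FAILED (unknown public key \([0-9A-Fa-f]\{8,40\}\)).*/\1/p' \
        | sort -u
}

# Read the full fingerprint of a key already in the user's keyring (empty if absent).
key_fingerprint() {
    gpg --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fetch a key by ID, then keep it only if its full fingerprint is the one the
# upstream project publishes. A 64-bit key ID on its own is not proof of
# identity, so the keyserver's answer is checked against a value obtained
# out of band (project website, release notes, a known-good machine).
import_if_fingerprint_matches() {
    keyid=$1
    expected=$2
    gpg --recv-keys "$keyid" || return 1
    actual=$(key_fingerprint "$keyid")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $keyid: got '$actual', expected '$expected'" >&2
        # Drop the key again so makepkg does not treat it as accepted.
        [ -n "$actual" ] && gpg --batch --yes --delete-keys "$actual"
        return 1
    fi
    echo "imported $keyid with fingerprint $actual"
}

# Usage (placeholder fingerprint; replace with the one the project publishes):
#   for id in $(unknown_key_ids "$MAKEPKG_LOG"); do
#       import_if_fingerprint_matches "$id" "EXPECTED_FINGERPRINT_FROM_PROJECT_SITE"
#   done
```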