Old 11-05-2011, 11:11 PM
Thomas Bächler
 
Problem automatically importing key for signed package.

On 06.11.2011 00:40, Peter Lewis wrote:
> error: choqok: key "22AD5874F39D989F" is unknown
> error: failed to commit transaction (invalid or corrupted package (PGP signature))
> Errors occurred, no packages were upgraded.

I don't know, maybe it uses a broken keyserver.

Note that this is not the final solution. In the near future, Arch users
will automatically have all the keys of developers and TUs set up with
trust levels configured, without having to import them from keyservers.
I hope this is done soon.
 
Old 11-06-2011, 09:36 AM
Peter Lewis
 

Ah, thanks guys.


On Sat, 05 Nov 2011, Myra Nelson wrote:
> You need to import your key into the pacman-key database with sudo
> pacman-key --keyserver pgp.mit.edu -r 22AD5874F39D989F, then everything
> should work fine.

I knew that this was an option, but wasn't sure why everyone else's key seemed
to be automatically pulled in by pacman during installs.


> You can also put keyserver hkp://pgp.mit.edu in
> /etc/pacman.d/gnupg/gnupg.conf and pacman-key will use pgp.mit.edu automatically.

But yes, this led me to it. I had previously thought that all the keyservers
synced with each other at some point, but apparently this isn't the case with
keys.gnupg.net (at least). Sticking my key on that keyserver means that it
behaves as expected.

Thanks.


On Sun, 06 Nov 2011, Thomas Bächler wrote:
> I don't know, maybe it uses a broken keyserver.

Yeah, I wonder what the expected behaviour is regarding syncing of keyservers.
I'm sure I read somewhere that uploading to one was supposed to be sufficient.


> Note that this is not the final solution. In the near future, Arch users
> will automatically have all the keys of developers and TUs set up with
> trust levels configured, without having to import them from keyservers.
> I hope this is done soon.

Yeah, I'm looking forward to this too. It's been good watching this get
implemented.

Cheers,

Pete.
 
Old 11-06-2011, 11:24 AM
"Mantas M."
 

On Sun, Nov 06, 2011 at 10:36:17AM +0000, Peter Lewis wrote:
> But yes, this led me to it. I had previously thought that all the keyservers
> synced with each other at some point, but apparently this isn't the case with
> keys.gnupg.net (at least). Sticking my key on that keyserver means that it
> behaves as expected.
>
> [...]
>
> Yeah, I wonder what the expected behaviour is regarding syncing of keyservers.
> I'm sure I read somewhere that uploading to one was supposed to be sufficient.

It should be sufficient in theory - once a key is uploaded to one server, it would propagate to others in several minutes.

Unless some servers are broken. For example: [1]

> Also, there is a bug in older versions of the SKS key server code that impairs synchronization from other, non-SKS servers but not synchronization to others. Among the servers affected are cryptonomicon.mit.edu (pgp.mit.edu, pgpkeys.mit.edu, www.us.pgp.net), pks.gpg.cz (sks.ms.mff.cuni.cz), and the.earth.li (wwwkeys.uk.pgp.net), all of which have been removed from the above list of servers. It has not yet been determined if the problem relates to which version of the SKS server software is used or is a result of whether the server is or is not a member of the SKS pool.

(One of the keyservers pointed to by 'keys.gnupg.net' happens to be 'pks.gpg.cz'.)

Even with the latest software, the SKS pool status page [2] shows some keyservers missing 10, 30, even ~200 keys.

There are at least two standard ways of publishing PGP keys as DNS records [3], but I'm not sure if any software besides GnuPG supports them.

[1]: http://www.rossde.com/PGP/pgp_keyserv.html
[2]: http://sks-keyservers.net/status/
[3]: http://www.gushi.org/make-dns-cert/HOWTO.html

--
Mantas M.
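
A check for the situation discussed in this thread, as an added example that is not part of any poster's message: it pulls the unknown key ID out of pacman's error output and reports which keyservers do not list that key in their HKP machine-readable index. The server names, the index responses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the pacman errors quoted at the top of the thread.
PACMAN_LOG='error: choqok: key "22AD5874F39D989F" is unknown
error: failed to commit transaction (invalid or corrupted package (PGP signature))'

# Constructed HKP machine-readable index responses. A live response comes from
#   http://<server>:11371/pks/lookup?op=index&options=mr&search=0x<keyid>
# The algorithm, length and date fields below are made up.
RESP_A='info:1:1
pub:22AD5874F39D989F:17:1024:1200000000::
uid:Example User <user@example.org>:1200000000::'
RESP_B='info:1:0'

# Print each 16-hex-digit key ID that pacman reported as unknown.
unknown_keys() {
    printf '%s\n' "$1" |
        sed -n 's/^error: .*: key "\([0-9A-Fa-f]\{16\}\)" is unknown$/\1/p' |
        sort -u
}

# Succeed if the index response ($2) has a pub line for key ID ($1).
# pub line layout: pub:<keyid>:<algo>:<keylen>:<created>:<expires>:<flags>
hkp_has_key() {
    printf '%s\n' "$2" | awk -F: -v id="$1" '
        $1 == "pub" {
            k = toupper($2); w = toupper(id)
            # A server may return a long ID or a full fingerprint,
            # so compare the tail of the field against the wanted ID.
            if (length(k) >= length(w) &&
                substr(k, length(k) - length(w) + 1) == w) found = 1
        }
        END { exit !found }'
}

# $1 = key ID, then pairs of <server-name> <response-body>.
# Prints the servers whose response does not list the key.
servers_missing() {
    key=$1; shift
    while [ $# -ge 2 ]; do
        hkp_has_key "$key" "$2" || printf '%s\n' "$1"
        shift 2
    done
}

for id in $(unknown_keys "$PACMAN_LOG"); do
    servers_missing "$id" keyserver-a.example "$RESP_A" keyserver-b.example "$RESP_B"
done
```

A server that shows up in the output is one that the key has not propagated to, which is the case where pointing pacman-key at a different keyserver, or uploading the key to that server directly, resolves the "key is unknown" error.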
 

All times are GMT.