Hyperbola

**anon34286** · 2021-12-13 08:27:35

anon34286
Guest

Topic: gpg errors verification of package signatures

different times gave different results | i tryed to chang keyservers in /etc/pacman.d/gnupg/gpg.conf
on usb live:
hkp://keyserver.ubuntu.com:
date ...
pacman-key --init
mount -o remount,size=100M,noatime /etc/pacman.d/gnupg
pacman-key populate hyperbola arch
...
pacman-key --refresh-keys
gpg: refreshing 77 keys from hkp://keyserver.ubuntu.com
gpg: key x1: x signature not checked due to a missing keys
gpg: key x1: "name surname <x@x.x>" x new signatures
gpg: key x2: x signature not checked due to a missing keys
gpg: key x2: "name surname <x@x.x>" x new signatures
gpg: key x3: x signature not checked due to a missing keys
gpg: key x3: "name surname <x@x.x>" x new signatures
...
gpg: Total number processed: 75
gpg: new user IDs: 19
gpg: new subkeys: 4
gpg: new signatures: 4117
gpg: key 16x1: no user ID for key signature packet of class 10
gpg: key 16x1: no user ID for key signature packet of class 10
gpg: key 16x1: no user ID for key signature packet of class 10
gpg: key 16x1: no user ID for key signature packet of class 10
gpg: key 16x2: no user ID for key signature packet of class 10
gpg: key 16x2: no user ID for key signature packet of class 10
gpg: key 16x2: no user ID for key signature packet of class 10
gpg: key 16x2: no user ID for key signature packet of class 10
gpg: key 16x2: no user ID for key signature packet of class 10
...
gpg: public key 16x is 3037 days newer than the signature
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 61 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 61 signed: 8 trust: 0-, 0q, 0n, 61m, 0f, 0u
gpg: next trustdb cheak due at 2022-02-13

hkp://keyring.debian.org:
pacman-key --refresh-keys
gpg: refreshing 77 keys from hkp://keyring.debian.org
gpg: no valid openPGP data found.
gpg: key 16x1: 101 signature not checked due to a missing keys
gpg: key 16x1: "Felix Yan <felixonmars@archlinux.org>" 2 new missing IDs
gpg: key 16x1: "Felix Yan <felixonmars@archlinux.org>" 103 new signatures
gpg: no valid openPGP data found.
gpg: no valid openPGP data found.
gpg: Total number processed: 1
gpg: new user IDs: 2
gpg: new signatures: 103
gpg: key 16x1: no user ID for key signature packet of class 10
gpg: key 16x1: no user ID for key signature packet of class 10
gpg: key 16x1: no user ID for key signature packet of class 10
gpg: key 16x1: no user ID for key signature packet of class 10
gpg: key 16x2: no user ID for key signature packet of class 10
gpg: key 16x2: no user ID for key signature packet of class 10
gpg: key 16x2: no user ID for key signature packet of class 10
gpg: key 16x2: no user ID for key signature packet of class 10
gpg: key 16x2: no user ID for key signature packet of class 10
...
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 62 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 62 signed: 5 trust: 0-, 0q, 0n, 62m, 0f, 0u
gpg: next trustdb cheak due at 2022-12-30
==> ERROR: A specified local key could not be updated from a keyserver.

**sagaracharya** · 2021-12-13 08:58:17

sagaracharya
Guest

Re: gpg errors verification of package signatures

It just means that all keys aren't available on both keyservers. A couple are available here and there.

What are you installing? v0.3.1 or v0.4?

@throgh Do you think we should atleast shift all hyperbola signing keys to hyperbola's own servers so we don't trust keyservers anymore? Such problems would vanish for hyperbola's dev public keys.

**rachad** · 2021-12-13 12:53:33

rachad
Guest

Re: gpg errors verification of package signatures

the only way to solve it is by making a small change in /etc/pacman.conf
SigLevel = Never

**throgh** · 2021-12-13 13:29:49

throgh
Package Development and Community Coordinator
Offline

From: Planet Earth
Registered: 2017-12-28
Posts: 2,662

Re: gpg errors verification of package signatures

sagaracharya wrote:

@throgh Do you think we should atleast shift all hyperbola signing keys to hyperbola's own servers so we don't trust keyservers anymore? Such problems would vanish for hyperbola's dev public keys.

To host an own keyserver is a little bit more complicated. First we need to find a fitting application especially for that. When looking at the development available I get mostly implementations with Rust or Go, which would be not possible or even more complicated (in regards for Go as language).

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

**sagaracharya** · 2021-12-13 13:42:34

sagaracharya
Guest

Re: gpg errors verification of package signatures

throgh wrote:

To host an own keyserver is a little bit more complicated. First we need to find a fitting application especially for that. When looking at the development available I get mostly implementations with Rust or Go, which would be not possible or even more complicated (in regards for Go as language).

I'm not suggesting hosting a keyserver. Just having each member's public key as a static page on website like my public key at
https://designman.org/sagar/static/saga … ic_key.txt

Then one can do something like

curl https://designman.org/sagar/static/sagaracharya_public_key.txt | gpg --import

And perhaps edit a bit of pacman code for importing that way too. It would also improve decentralization of public keys.

**anon34286** · 2021-12-13 13:57:27

anon34286
Guest

Re: gpg errors verification of package signatures

sagaracharya wrote:

What are you installing? v0.3.1 or v0.4?

v0.3.1

**throgh** · 2021-12-13 14:22:58

throgh
Package Development and Community Coordinator
Offline

From: Planet Earth
Registered: 2017-12-28
Posts: 2,662

Re: gpg errors verification of package signatures

sagaracharya wrote:

throgh wrote:
To host an own keyserver is a little bit more complicated. First we need to find a fitting application especially for that. When looking at the development available I get mostly implementations with Rust or Go, which would be not possible or even more complicated (in regards for Go as language).
I'm not suggesting hosting a keyserver. Just having each member's public key as a static page on website like my public key at
https://designman.org/sagar/static/saga … ic_key.txt
Then one can do something like
curl https://designman.org/sagar/static/sagaracharya_public_key.txt | gpg --import 
And perhaps edit a bit of pacman code for importing that way too. It would also improve decentralization of public keys.

Well, there are some parts to be thought of and I'm not sure if this could be done right from the start. Also when editing that part of pacman, we would have even more to modify as the software is no longer compatible with upstream-logic for PGP-verification.

In general: As rachad has written to circumvent that part the configuration-option "SigLevel = Never" can be used for version 0.3.1.

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

**anon34286** · 2021-12-13 17:30:36

anon34286
Guest

Re: gpg errors verification of package signatures

sagaracharya wrote:

v0.4

is this a test version?above v0.3.1 is not on the download page

**anon34286** · 2021-12-13 17:32:08

anon34286
Guest

Re: gpg errors verification of package signatures

sagaracharya wrote:

It just means that all keys aren't available on both keyservers. A couple are available here and there.

so everyone has a problem with that now?

**sagaracharya** · 2021-12-13 17:51:33

sagaracharya
Guest

Re: gpg errors verification of package signatures

anon34286 wrote:

is this a test version?above v0.3.1 is not on the download page

You can install v0.4 using v0.3.1 iso. You have to enable testing repo as mentioned at
https://forums.hyperbola.info/viewtopic … 3860#p3860

Well, the packages of v0.3.1 are really old, and few in number. v0.4 is way more functional due to many more packages, but typically if you use a desktop environment(DE), using lumina which is compulsory DE for v0.4 is a step down compared to user experience of plasma, or equivalent DEs. However, you experience the beauty of minimalism.

If you're willing to shift to window managers, v0.4 is definitely amazing and has a lot of options!

Installation instructions are the same as that of v0.3.1

Hyperbola

Milky Way v0.4.4 install medium release

gpg errors verification of package signatures

Posts: 10

1 Topic by anon34286 2021-12-13 08:27:35

Topic: gpg errors verification of package signatures

2 Reply by sagaracharya 2021-12-13 08:58:17

Re: gpg errors verification of package signatures

3 Reply by rachad 2021-12-13 12:53:33

Re: gpg errors verification of package signatures

4 Reply by throgh 2021-12-13 13:29:49

Re: gpg errors verification of package signatures

5 Reply by sagaracharya 2021-12-13 13:42:34 (edited by sagaracharya 2021-12-13 13:44:27)

Re: gpg errors verification of package signatures

6 Reply by anon34286 2021-12-13 13:57:27

Re: gpg errors verification of package signatures

7 Reply by throgh 2021-12-13 14:22:58

Re: gpg errors verification of package signatures

8 Reply by anon34286 2021-12-13 17:30:36

Re: gpg errors verification of package signatures

9 Reply by anon34286 2021-12-13 17:32:08

Re: gpg errors verification of package signatures

10 Reply by sagaracharya 2021-12-13 17:51:33 (edited by sagaracharya 2021-12-13 17:59:51)

Re: gpg errors verification of package signatures

Posts: 10