Error importing keys with AUR kernels

ajgringo619 · March 17, 2023, 4:12pm

I’ve tried adding a couple of different 5.15 LTS kernels from the AUR, and both fail when trying to import keys (getting a “No data” error). The solution I was given was to manually add the keys like this:

gpg --recv-keys ABAF11C65A2970B130ABE3C479BE3E4300411886

However, this also fails:

Mar 17 08:52:11 dss-endeavouros systemd[1191]: Started GnuPG network certificate management daemon.
Mar 17 08:52:11 dss-endeavouros dirmngr[6109]: error loading certificate '/etc/ssl/certs/ca-certificates.crt': Certificate expired
Mar 17 08:52:11 dss-endeavouros dirmngr[6109]: permanently loaded certificates: 139
Mar 17 08:52:11 dss-endeavouros dirmngr[6109]:     runtime cached certificates: 0
Mar 17 08:52:11 dss-endeavouros dirmngr[6109]:            trusted certificates: 139 (139,0,0,0)
Mar 17 08:52:12 dss-endeavouros dirmngr[6109]: resolve_dns_addr for 'keyserver.ubuntu.com': '162.213.33.9'
Mar 17 08:52:12 dss-endeavouros dirmngr[6109]: resolve_dns_addr for 'keyserver.ubuntu.com': '162.213.33.8'
Mar 17 08:52:12 dss-endeavouros dirmngr[6109]: number of system provided CAs: 159
Mar 17 08:52:12 dss-endeavouros dirmngr[6109]: error accessing 'https://162.213.33.9:443/pks/lookup?op=get&options=mr&search=0xABAF11C65A2970B130ABE3C479BE3E4300411886': http status 404
Mar 17 08:52:12 dss-endeavouros dirmngr[6109]: command 'KS_GET' failed: No data

Any idea what I’m doing wrong? The kernels themselves build fine if I skip the importing of the keys.

pebcak · March 17, 2023, 6:14pm

You could perhaps try downloading the key file from:

https://keys.openpgp.org/search?q=ABAF11C65A2970B130ABE3C479BE3E4300411886

and the manually import it with gpg --import

HTH

ajgringo619 · March 17, 2023, 6:19pm

Well, it seemed to import the key, but I’m still getting prompted to import the key with yay:

$ gpg --import ABAF11C65A2970B130ABE3C479BE3E4300411886 
gpg: key 79BE3E4300411886: no user ID
gpg: Total number processed: 1

$ yay -S linux-lts-515-git linux-lts-515-git-headers
[sudo] password for ajgringo619: 
:: Checking for conflicts...
:: Checking for inner conflicts...
[Repo Make:3]  bc-1.07.1-4  xmlto-0.0.28-4  python-sphinx_rtd_theme-1.2.0-2
[Aur:2]  linux-lts-515-git-5.15.102-1 (linux-lts-515-git linux-lts-515-git-headers)

:: Remove make dependencies after install? [y/N] 
  1 linux-lts-515-git (linux-lts-515-git linux-lts-515-git-headers) (Installed) (Build Files Exist)
==> Packages to cleanBuild?
==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
==> 1
:: Deleting (1/1): /home/ajgringo619/.cache/yay/linux-lts-515-git
:: (1/1) Downloaded PKGBUILD: linux-lts-515-git
  1 linux-lts-515-git (linux-lts-515-git linux-lts-515-git-headers) (Installed) (Build Files Exist)
==> Diffs to show?
==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
==> 
:: (1/1) Parsing SRCINFO: linux-lts-515-git (linux-lts-515-git linux-lts-515-git-headers)

:: PGP keys need importing:
 -> ABAF11C65A2970B130ABE3C479BE3E4300411886, required by: linux-lts-515-git (linux-lts-515-git linux-lts-515-git-headers)
:: Import? [Y/n] 
:: Importing keys with gpg...
gpg: keyserver receive failed: No data
removing untracked AUR files from cache...
:: Cleaning (1/1): /home/ajgringo619/.cache/yay/linux-lts-515-git
 -> problem importing keys

pebcak · March 17, 2023, 6:24pm

I guess you need to download the .asc file first and then:

gpg --import ABAF11C65A2970B130ABE3C479BE3E4300411886.asc

ajgringo619 · March 17, 2023, 6:27pm

Made no difference. Could this be a server issue?

pebcak · March 17, 2023, 6:28pm

Might be… not quite sure…

pebcak · March 17, 2023, 6:30pm

Have you tried the other key from Greg Kroah-Hartman and see if it would work?

gpg --recv-keys 647F28654894E3BD457199BE38DBBDC86092693E

From the PKGBUILD:

validpgpkeys=(
  'ABAF11C65A2970B130ABE3C479BE3E4300411886'  # Linus Torvalds
  '647F28654894E3BD457199BE38DBBDC86092693E'  # Greg Kroah-Hartman
)

So perhaps one key would be enough?

ajgringo619 · March 17, 2023, 6:37pm

After switching to the keys.openpgp.org keyserver, it looks like both keys are being installed. But the package still fails. For some reason, the Linus key just doesn’t want to install properly:

$ gpg --list-keys
/home/ajgringo619/.gnupg/pubring.kbx
------------------------------------
pub   rsa4096 2012-03-13 [SC]
      6FC05581A37D71FCECE165DB5BE41E162CD6358E
uid           [ unknown] Charles Kerr <charles.kerr@canonical.com>
sub   rsa2048 2012-07-24 [S]

pub   rsa4096 2011-09-23 [SC]
      647F28654894E3BD457199BE38DBBDC86092693E
uid           [ unknown] Greg Kroah-Hartman <gregkh@linuxfoundation.org>
uid           [ unknown] Greg Kroah-Hartman <gregkh@kernel.org>
uid           [ unknown] Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>
sub   rsa4096 2011-09-23 [E]

pub   rsa4096 2014-12-15 [C] [expires: 2025-07-21]
      EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
uid           [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub   rsa4096 2021-09-17 [S] [expires: 2023-09-17]

Why having one or the other kernel key is not enough, I could not say. This also happens on the AUR package linux-lts515, so this problem is not package-specific.

pebcak · March 17, 2023, 6:42pm

What if you download the PKGBUILD, edit it and remove Linus’ key check so only the key for Greg gets checked? Then use makepkg -si in the same directory where the PKGBUILD resides.

Not sure if it would would work but perhaps you are up for trying?

ajgringo619 · March 17, 2023, 6:44pm

Well, since the package itself builds just fine when skipping the key import, I’m not sure what I’d accomplish with this. I posted a comment on the package maintainer’s site; hopefully they’ll have some insight.

Thanks for all the help.

ajgringo619 · March 17, 2023, 7:06pm

Found the solution from https://www.kernel.org/signature.html:

gpg2 --locate-keys torvalds@kernel.org

system · March 19, 2023, 7:06pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.