...is marginal trust... issue

df8oe · May 15, 2021, 4:24pm

I followed everything in the FAQ but after instaling new keyring, populating and refreshing the isue persists:

Fehler: python-wxpython: signature from "Morten Linderud <morten@linderud.pw>" is marginal trust
:: Datei /var/cache/pacman/pkg/python-wxpython-4.1.1-1-x86_64.pkg.tar.zst ist beschädigt (Ungültiges oder beschädigtes Paket (PGP-Signatur)).
Soll die Datei entfernt werden? [J/n] n
Fehler: Konnte den Vorgang nicht durchführen (Ungültiges oder beschädigtes Paket (PGP-Signatur))
Fehler sind aufgetreten, keine Pakete wurden aktualisiert.

How can I trust signature from “Morten Linderud morten@linderud.pw” ? Or is it better to not trust?

Kresimir · May 15, 2021, 4:46pm

Well, Mr. Linderud is an Arch TU (trusted user). So, if you’re using Arch Linux, it is assumed you trust him, since he is responsible for packaging software you’re using.

joekamprad · May 15, 2021, 9:07pm

just see you try all that already

jonathon · May 15, 2021, 9:14pm

Which version of gnupg do you have installed? There was a version removed from the testing repo due to a change in how GNUPG processes trust.

joekamprad · May 15, 2021, 10:06pm

last resort is to remove all keys and set them back:
https://wiki.archlinux.org/title/Pacman/Package_signing#Resetting_all_the_keys

df8oe · May 16, 2021, 5:53am

I have gnupg 2.3.1-1 installed. What I have already done:

reinstalling archlinux-keyring
stepped through pacman-key --init; pacman-key --populate archlinux endeavouros; pacman-key --refresh-keys; pacman -Syyu
… issue persists.

There are no errors importing keys during the refresh-keys run.

After that I tried deleting folder /etc/pacman.d/gnupg followed stepping through 2) of above - but the issue still persists. Pacman does not trust the key which is used for signing python-wxpython. Any further ideas?

EDIT: This is the output for the key of the Arch User which is affected:
gpg --homedir /etc/pacman.d/gnupg/ --list-keys morten.linderud gpg: WARNUNG: Unsichere Zugriffsrechte des Home-Verzeichnis /etc/pacman.d/gnupg’
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
pub rsa4096 2014-09-05 [SC]
C100346676634E80C940FB9E9C02FF419FECBE16
uid [vollständig] Morten Linderud morten@linderud.pw
uid [vollständig] Morten Linderud mcfoxax@gmail.com
uid [ marginal ] Morten Linderud foxboron@archlinux.org
uid [ marginal ] Morten Linderud morten.linderud@fribyte.uib.no
uid [ marginal ] Morten Linderud morten.linderud@student.uib.no
sub rsa4096 2014-09-05 [E]
sub rsa4096 2018-11-13 [S]
sub rsa4096 2018-11-26 [A]`

EDITEDIT:
and this is the output of gpg when I look at the details of the key:
`gpg> list

pub rsa4096/9C02FF419FECBE16
erzeugt: 2014-09-05 verfällt: niemals Nutzung: SC
Vertrauen: unbekannt Gültigkeit: vollständig
sub rsa4096/DF2502D0C726D1C0
erzeugt: 2014-09-05 verfällt: niemals Nutzung: E
Der folgende Schlüssel wurde am 2017-12-03 von RSA Schlüssel 9C02FF419FECBE16 Morten Linderud morten@linderud.pw widerrufen
sub rsa4096/41A82494FF2B717B
erzeugt: 2015-06-03 widerrufen: 2017-12-03 Nutzung: E
sub rsa4096/E742683BA08CB2FF
erzeugt: 2018-11-13 verfällt: niemals Nutzung: S
sub rsa4096/06F6BDC766FCDC53
erzeugt: 2018-11-26 verfällt: niemals Nutzung: A
[vollständig] (1). Morten Linderud morten@linderud.pw
[vollständig] (2) Morten Linderud mcfoxax@gmail.com
[ marginal ] (3) Morten Linderud foxboron@archlinux.org
[ marginal ] (4) Morten Linderud morten.linderud@fribyte.uib.no
[ marginal ] (5) Morten Linderud morten.linderud@student.uib.no`

As you see trust is “unknown” and I think that is the reason why pacman stops upgrading the affected packages.

pebcak · May 16, 2021, 6:54am

I just tried and installed the package without a hitch.
Could you try refreshing your mirrors and see if that helps?

df8oe · May 16, 2021, 7:08am

I am using “testing” repositories. May that be the cause?

pebcak · May 16, 2021, 7:10am

Not sure, but I don’t think it should be.

df8oe · May 16, 2021, 7:14am

What version of gnupg do you use? BTW: Refreshing mirrors does noch change anything.

pebcak · May 16, 2021, 7:17am

Mine is at 2.2.27-1 on a fully updated system with stable repos.

df8oe · May 16, 2021, 7:23am

I think we are approaching. Mine is 2.3.1-1 and I cannot find it yet in any repository - but I do have installed it using normal upgrade processes! How can I obtain information from which reposioiry a locally installed package origins? I try to downgrade and repeat…

df8oe · May 16, 2021, 7:24am

That was the issue! Downgrading gnupg solves the issue. But where do I get the buggy version from?? It is not in recent testing repos.

pebcak · May 16, 2021, 7:26am

That is indeed very odd as gnupg 2.3.1-1 doesn’t seem to be in the Testing.

pebcak · May 16, 2021, 7:30am

Here is another one with the same issue:

https://bbs.archlinux.org/viewtopic.php?pid=1972115

Looks like gnupg 2.3.1-1 has been pulled back from Testing.

df8oe · May 16, 2021, 7:32am

jonathon some posts earlier already mentioned it but I have not given it the neccessary rating… You and jonathan pushed me on the right path. Thank you for all your help!

joekamprad · May 16, 2021, 8:00pm

system · May 18, 2021, 8:01pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.