==> WARNING: Skipping verification of source file PGP signatures

dagelf · April 24, 2024, 6:59am

This comes up on too many installs… without a good way to remedy it and verify downloads. Bypassing it should not be a default…

I looked at other posts about this but they’re all just related to specific installs. Why can’t we just get the right keys automatically?

IDKnix · April 24, 2024, 11:56am

honestly, I don’t mind it because really, the chance of the files to be different are low. But that just my opinion. Are you using yay? It comes up for me on there. If so, try using aura or octopi if possible.

dagelf · April 25, 2024, 1:48pm

There is a sha verification… but you know how it works. Security in layers. Maybe it was just too much of a headache to implement? Or maybe its viewed as pointless if it just fetches the key just before the package… but IF someone wanted to take over your system, it would be trivial for them to just serve you a wrong sha and package, (unless they’re pulled from different places, haven’t checked) - but it would be much harder to serve you a wrong key too, and sign the package too.

I0F · April 25, 2024, 2:36pm

What is a package that does that?

dalto · April 25, 2024, 2:43pm

Can you provide a specific example?

flyingcakes · April 25, 2024, 2:57pm

See this issue:

github.com/Jguer/yay

yay imports new PGP key after failed signature check

opened 05:24PM - 17 May 23 UTC

closed 07:54AM - 10 Jul 23 UTC

drws

Type: Bug Status: Confirmed

### Affected Version yay v12.0.4 - libalpm v13.0.2 ### Describe the bug … When installing an AUR package that needs importing of a new PGP key, yay/pacman fails the signature checking at first (because of a missing key), but then continues on with the installation (regardless of an integrity error) and only then imports the relevant PGP key, successfully builds the package and installs it. ### Reproduction Steps 1. Run `yay -Syu ffmpeg-headless` (for example) 2. yay downloads the PKGBUILD, processes it and starts making package 3. It fails in the source verification step - see _Output_ below ### Expected behavior PGP key importing is done before any integrity checks. ### Output ```sh $ yay -Syu ffmpeg-headless ... ==> Verifying source file signatures with gpg... ffmpeg git repo ... FAILED (unknown public key B18E8928B3948D64) ==> ERROR: One or more PGP signatures could not be verified! -> error downloading sources: .../yay/build/ffmpeg-headless context: error downloading sources: .../yay/build/ffmpeg-headless context: exit status 1 :: Remove make dependencies after install? [y/N] :: (1/1) Parsing SRCINFO: ffmpeg-headless gpg: error reading key: No public key :: PGP keys need importing: -> DD1EC9E8DE085C629B3E1846B18E8928B3948D64, required by: ffmpeg-headless :: Import? [Y/n] :: Importing keys with gpg... gpg: key B18E8928B3948D64: public key "Michael Niedermayer (key used for git commits) <michael@niedermayer.cc>" imported gpg: Total number processed: 1 gpg: imported: 1 :: Synchronizing package databases... core is up to date extra is up to date community is up to date resolving dependencies... looking for conflicting packages... (installation succeeds afterwards) ```

If yay does checks before importing key, it’ll always fail and won’t build the package. So it skips integrity check after download if the keys need importing.

Nonetheless, it will check files before building. So there shouldn’t be integrity related issues.

PS. I see this warning on many packages and instead just use Paru.