My key expired again - need archlinuxcn-keyring updated #300

Closed
colinkeenan opened this issue Nov 17, 2016 · 30 comments

@colinkeenan
Contributor

colinkeenan commented Nov 17, 2016

I've extended the key for another 3 years, and now the archlinuxcn-keyring needs to have my new signatures added.

I've also uploaded new signatures for those packages I just updated with the wrong signatures: acroread-fonts-systemwide numix-icon-theme-git updated numix-circle-icon-theme-git youtube-dl-git supertux-git.

I don't know how long it takes for my updated signatures to be propagated to all the keyservers. In order for me to get refreshing my key to work on my own system just after making the new signatures, I had to specify the keyserver to check:

sudo pacman-key --keyserver pgp.mit.edu -r 0940E3F9
sudo pacman-key --lsign-key 0940E3F9

@bianjp

bianjp commented Nov 18, 2016

No wonder I failed to upgrade numix-icon-theme-git, numix-circle-icon-theme-git.

Hope it's resolved soon.

@colinkeenan
Contributor Author

colinkeenan commented Nov 18, 2016

@bianjp, you can just run these 2 commands

sudo pacman-key --keyserver pgp.mit.edu -r 0940E3F9
sudo pacman-key --lsign-key 0940E3F9

to get my new signatures and sign them, and then you will be able to get those upgrades (although I think there's still something wrong with the numix-icon-theme-git signature - I will upload that again, and also maybe deal with the issue where the version went backwards).

@farseerfc
Member

Should be fixed by f22bc0f, let's wait for it to enter our repo server and test.

@farseerfc
Member

Strange that simply updating the key didn't fix that.
I will try to manually retrieve the key from the keyserver and update the keyring again.

@colinkeenan
Contributor Author

colinkeenan commented Nov 18, 2016

It only worked for me when I specified --keyserver pgp.mit.edu (and signed it with --lsign-key).

@chengyi

chengyi commented Nov 18, 2016

@farseerfc same as you: I updated the key and it still reports an error.

@colinkeenan
Contributor Author

What does the fingerprint report?

sudo pacman-key -f 0940E3F9

It should report:

pub   rsa4096 2014-11-18 [SC] [expires: 2019-11-17]
      4CFF 4259 9833 CF3A E98A  2F09 8850 CBC2 0940 E3F9
uid           [  full  ] Colin Keenan <colinnkeenan@gmail.com>
uid           [  full  ] [jpeg image of size 6283]
sub   rsa4096 2014-11-18 [E] [expires: 2019-11-17]

Since you get the error, I think instead of "expires: 2019-11-17", it will report that the key and subkey are expired, so it wasn't really updated.

I don't know why it wouldn't update though if you specified the keyserver. Maybe you have to delete all the keys and repopulate. I actually tried that before specifying the keyserver.

@farseerfc
Member

@colinkeenan I tried to change the key server to pgp.mit.edu and updated the key again. But the keys have not changed since this update: archlinuxcn/archlinuxcn-keyring@024a988.
Please verify the following fingerprint matches your renewed key:

pub   rsa4096 2014-11-18 [SC] [expires: 2019-11-17]
      4CFF 4259 9833 CF3A E98A  2F09 8850 CBC2 0940 E3F9
uid           [ unknown] Colin Keenan <colinnkeenan@gmail.com>
uid           [ unknown] [jpeg image of size 6283]
sub   rsa4096 2014-11-18 [E] [expires: 2019-11-17]

@colinkeenan
Contributor Author

Our messages crossed. Yes, I have the same fingerprint. Are you saying you have my key and it still gives the same error for installing my most recently updated packages (acroread-fonts-systemwide numix-icon-theme-git updated numix-circle-icon-theme-git youtube-dl-git supertux-git inkscape-bzr)?

@farseerfc
Member

Yes, I have installed archlinuxcn-keyring 20161118-1 locally and it should have the key. And still I am getting errors when trying to install numix-icon-theme-git updated numix-circle-icon-theme-git youtube-dl-git inkscape-bzr (didn't try other packages).

@colinkeenan
Contributor Author

If you did the same as last year: #170 (comment), I wonder why it doesn't work this time.

@Arondight

I've installed archlinuxcn-keyring 20161118-1 but your GPG key is still untrusted. I also ran the command you mentioned, but it did not work.

pub   rsa4096 2014-11-18 [SC] [expires: 2019-11-17]
      4CFF 4259 9833 CF3A E98A  2F09 8850 CBC2 0940 E3F9
uid           [ unknown] Colin Keenan <colinnkeenan@gmail.com>
uid           [ unknown] [jpeg image of size 6283]
sub   rsa4096 2014-11-18 [E] [expires: 2019-11-17]

For me the two problem packages are numix-icon-theme-git-1:0.r1890.45878a1-1-any and numix-circle-icon-theme-git-0.r14.7c167d8-1-any.

@chiaki64

I have the same problem as @Arondight, but it works for me only when I run the command
sudo pacman-key --refresh-keys

@colinkeenan
Contributor Author

It is a strange problem. I have just tested the archlinuxcn-keyring, and it is up to date and working fine as far as I can tell. I tested it by deleting my key with sudo pacman-key -d 0940E3F9, verifying it was deleted with pacman-key -f 0940E3F9, and then doing a system upgrade with sudo pacman -Syu. Both archlinuxcn-keys and my package inkscape-bzr were included with that upgrade. When the keys were upgraded, it asked if it should add my key, and I did. It then installed everything without issue, and the fingerprint shows the key is good until 2019. I don't understand why this is not working for everyone.

@Arondight

@forblackking Yes pacman-key --refresh-keys works for me.

@farseerfc
Member

pacman-key --refresh-keys indeed fixed the problem locally.
I am still trying to find an automatic solution without manually refreshing the keys.

@farseerfc
Member

My suspicion is that we need to wait for all keyservers under pool.sks-keyservers.net to be synced, then install/upgrade the package archlinuxcn-keyring 20161118-1 which calls pacman-key --populate archlinuxcn in its post-upgrade hook function. pacman seems to be using hkp://pool.sks-keyservers.net as keyserver according to /etc/pacman.d/gnupg/gpg.conf which we can/should not modify.

Here is my console output trying to search the key within 10 mins: https://cfp.vim-cn.com/cbcJ9/txt (sorry for Chinese locale). It seems that the keyserver is synced during the 10 mins timespan.

@lilydjwg
Member

lilydjwg commented Nov 21, 2016

Does pacman-key use the network during the install / upgrade? I don't feel so because it's fast.
And this happens for everyone who has tried, doesn't it?

@farseerfc
Member

@lilydjwg pacman-key --refresh-keys certainly uses the network. I am not sure about pacman-key --populate and pacman-key --updatedb.
I have an old machine that didn't have this problem. Its second-to-last update was on 2016-09-12, and its last update upgrades archlinuxcn-keyring 20160903-1 -> 20161118-1.

Some more findings on a machine that has this problem:
bash -x /usr/bin/pacman-key --updatedb tells me it runs
gpg --homedir /etc/pacman.d/gnupg --no-permission-warning --batch --check-trustdb, which will make colin's key unknown trust.
But gpg --homedir /etc/pacman.d/gnupg --no-permission-warning --check-trustdb without --batch will make colin's key full trust.
The evidence: https://cfp.vim-cn.com/cbcJD/txt

I am looking into why a --batch will make this difference.

@farseerfc
Member

farseerfc commented Nov 21, 2016

Applying --yes to --batch forced the --check-updatedb to update trustdb, which apparently fixed the problem. I have copied the code from pacman-key into archlinuxcn-keyring 20161118-2's post_upgrade to properly do this.

Please reopen this issue if upgrading to archlinuxcn-keyring 20161118-2 doesn't solve this issue on your machine.

@colinkeenan
Contributor Author

Wow! I'm glad you found and fixed the problem so that it won't be an issue in the future. It will be 3 years before my key will need me to sign again. I must be the only one that allows my key to expire?

@farseerfc
Member

Did a grep on our keyring:

Packager Expires
cuihaoleo 2020-02-01
SilverRainZ 2017-08-24
wicast 2017-03-11
KaseiWang 2021-04-06
fbq 2020-04-01

We will have to solve this eventually.

@lilydjwg
Member

It works for me 👍

@SilverRainZ
Member

@farseerfc @wicast

Has wicast uploaded a new key? It expires in a few days.

601-      CF3271E49632068A5DCA9316719D54FFDDD310E2
602:uid           [ 完全 ] Wicast Chen <wicastchen@hotmail.com>
603-sub   rsa4096 2016-03-11 [E] [有效至:2017-03-11]

@farseerfc
Member

@SilverRainZ Haven't seen @wicast in a long time...

@farseerfc
Member

@colinkeenan three years have passed quickly! Please renew your key once again!

@colinkeenan
Contributor Author

I renewed my key again soon after you posted, but I still can't install packages that I sign. When I check my fingerprint using gpg, it says it won't expire until 2024 (I set it to 5 years). But, when I check with pacman-keys, it says it expired a few days ago. I've refreshed keys and told it to get the key from various places, but it never updates the expiration date.

@farseerfc
Member

Got your renewed key from gpg --recv-key, let me push a new archlinuxcn-keyring release and test.

@farseerfc
Member

archlinuxcn-keyring 20191121 released, seems your key is fixed.

> But, when I check with pacman-keys, it says it expired a few days ago. I've refreshed keys and told it to get the key from various places, but it never updates the expiration date.

Maybe you need to do a gpg --homedir "/etc/pacman.d/gnupg" --batch --check-trustdb --yes after refreshing the key. We are doing this in the post_upgrade() of archlinuxcn-keyring.

Anyway, thank you! I am closing this issue for now, please re-open if your key is not working.

@farseerfc
Member

@colinkeenan By the way, you might need to re-sign and re-upload the packages that you updated in the last 4 days. Your key with key-id 4CFF42599833CF3AE98A2F098850CBC20940E3F9 is valid until 2024-11-19, but some of your packages like hplip-plugin are signed with key-id C43456D7EC807C8A76E1EFCB33815FD3662DD76D which is nowhere to be found.
