Aura installation fails when Pacman SigLevel = PackageRequired #38

Open
guns opened this Issue Oct 5, 2012 · 25 comments

4 participants

@guns

Installation of a package fails when trying to install when pacman's
signature trust level is set to "PackageRequired".

Specifically, makepkg successfully creates the *.tar.xz and the
*.tar.xz.sig file, but the following error occurs (irrelevant sections
elided)

==> Tidying install...
  -> Purging unwanted files...
  -> Compressing man and info pages...
  -> Stripping unneeded symbols from binaries and libraries...
==> Creating package...
  -> Generating .PKGINFO file...
  -> Adding install file...
  -> Compressing package...
==> Signing package...

You need a passphrase to unlock the secret key for
user: "Sung Pae <self@sungpae.com>"
1024-bit DSA key, ID C8C835A2, created 2011-03-21

  -> Created signature file /var/cache/pacman/pkg/gpodder3-11488/gpodder3/gpodder3-3.3.0-2-any.pkg.tar.xz.sig.
==> Leaving fakeroot environment.
==> Finished making: gpodder3 3.3.0-2 (Thu Oct  4 21:00:18 CDT 2012)
loading packages...
error: '/var/cache/pacman/pkg/gpodder3-3.3.0-2-any.pkg.tar.xz.sig': cannot open package file

The signature file is present in /var/cache/pacman, but the actual
package is not.

Thank you for building an excellent AUR build tool.

@guns

Correction:

The above error happens when "sign" is included in BUILDENV in
makepkg.conf. This is necessary for makepkg to create a signature file.

If that is turned off, but pacman's SigLevel is still set to Required,
the error becomes:

==> Tidying install...
  -> Purging unwanted files...
  -> Compressing man and info pages...
  -> Stripping unneeded symbols from binaries and libraries...
==> Creating package...
  -> Generating .PKGINFO file...
  -> Adding install file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: gpodder3 3.3.0-2 (Thu Oct  4 21:15:59 CDT 2012)
loading packages...
error: '/var/cache/pacman/pkg/gpodder3-3.3.0-2-any.pkg.tar.xz': invalid or corrupted package (PGP signature)

The correct package file is present this time, but the signature is
obviously missing.

@fosskers
aurapm member

Thanks! I'll look into this. Keep me updated if you find out more.

@Kwpolska Kwpolska referenced this issue in Kwpolska/pkgbuilder Oct 6, 2012
Closed

Signature files passed over to -U #18

@Kwpolska
error: '/var/cache/pacman/pkg/gpodder3-3.3.0-2-any.pkg.tar.xz.sig': cannot open package file

blame regex. I suggest doing this:

  1. Grab the files.
  2. Copy everything to /var/cache/pacman/pkg/.
  3. Drop *.sig from the list and pass it over to pacman -U.

(stolen: Kwpolska/pkgbuilder#18)
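The three steps above, written out as an added shell example (not aura's or pkgbuilder's own code): it lists what makepkg produced, refuses to continue when a package has no detached signature beside it (the same condition `SigLevel = PackageRequired` will enforce at install time), copies both the package and its `.sig` into the cache, and prints only the package paths, so a `.sig` file can never reach `pacman -U`. The sample file names and the use of a temporary directory instead of `/var/cache/pacman/pkg` are assumptions for testing.

```shell
#!/bin/sh
# Added example, not code from aura or pkgbuilder. Assumes makepkg's output
# directory is $1 and uses the .pkg.tar.xz naming seen in the thread.

# Print each built package in $1 (one per line), skipping .sig files.
list_packages() {
    for p in "$1"/*.pkg.tar.xz; do
        [ -e "$p" ] || continue
        printf '%s\n' "$p"
    done
}

# Return 0 when every package in $1 has a detached signature next to it,
# 1 otherwise. With SigLevel = PackageRequired pacman would reject an
# unsigned package anyway; checking here gives a clearer message.
all_signed() {
    rc=0
    for p in "$1"/*.pkg.tar.xz; do
        [ -e "$p" ] || continue
        if [ ! -e "$p.sig" ]; then
            echo "missing signature for $p" >&2
            rc=1
        fi
    done
    return $rc
}

# Copy packages and their signatures from $1 into the cache directory $2,
# then print the cache path of each package (never the .sig) so the output
# can be handed straight to `pacman -U`.
stage_for_install() {
    src="$1"
    dest="$2"
    mkdir -p "$dest"
    for p in "$src"/*.pkg.tar.xz; do
        [ -e "$p" ] || continue
        cp "$p" "$dest/"
        if [ -e "$p.sig" ]; then
            cp "$p.sig" "$dest/"
        fi
        printf '%s\n' "$dest/$(basename "$p")"
    done
}

# Typical use (hypothetical build directory; cache path from the thread):
#   all_signed "$builddir" && pacman -U $(stage_for_install "$builddir" /var/cache/pacman/pkg)
```

Because `stage_for_install` only ever prints `*.pkg.tar.xz` paths, the "cannot open package file" error from passing a `.sig` to pacman cannot occur, and `all_signed` turns the later "invalid or corrupted package (PGP signature)" failure into a message naming the unsigned package before anything is copied.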

@Kwpolska
error: '/var/cache/pacman/pkg/gpodder3-3.3.0-2-any.pkg.tar.xz': invalid or corrupted package (PGP signature)

The correct package file is present this time, but the signature is obviously missing.

Or maybe not.

[kwpolska@kwpolska-lin pkgbuilder]% makepkg -si --sign
==> Making package: pkgbuilder 2.1.5.0-2 (Sat Oct  6 11:13:38 CEST 2012)
[...]
==> Creating package...
  -> Generating .PKGINFO file...
  -> Compressing package...
==> Signing package...

You need a passphrase to unlock the secret key for
user: "Kwpolska <kwpolska@gmail.com>"
2048-bit RSA key, ID 5EAAEA16, created 2011-01-22

  -> Created signature file /tmp/pkgbuilder-1000/pkgbuilder/pkgbuilder-2.1.5.0-2-any.pkg.tar.xz.sig.
==> Leaving fakeroot environment.
==> Finished making: pkgbuilder 2.1.5.0-2 (Sat Oct  6 11:13:40 CEST 2012)
==> Installing package pkgbuilder with pacman -U...
loading packages...
error: '/tmp/pkgbuilder-1000/pkgbuilder/pkgbuilder-2.1.5.0-2-any.pkg.tar.xz': invalid or corrupted package (PGP signature)
==> WARNING: Failed to install built package(s).
[kwpolska@kwpolska-lin pkgbuilder]% ls
pkg/  PKGBUILD  pkgbuilder-2.1.5.0-2-any.pkg.tar.xz  pkgbuilder-2.1.5.0-2-any.pkg.tar.xz.sig  pkgbuilder-2.1.5.0.tar.gz  src/

Pacman problem. Someone may want to report a bug.


update 2012-10-06T09:32:00Z:

aura >>= What version of `pkgbuilder` do you want?
1. pkgbuilder-2.1.4.7-1-any.pkg.tar.xz
2. pkgbuilder-2.1.4.8-1-any.pkg.tar.xz
3. pkgbuilder-2.1.4.9-1-any.pkg.tar.xz
4. pkgbuilder-2.1.5.0-2-any.pkg.tar.xz
5. pkgbuilder-2.1.5.0-2-any.pkg.tar.xz.sig
>> 

I should not see the fifth choice.

PS. #12 has not been done for a month and it’s very easy to do. Mind taking a moment and fixing that?

@fosskers
aurapm member

When building with that signature option, do both a .pkg.tar.xz and a .pkg.tar.xz.sig get created?

@Kwpolska
  -> Created signature file /tmp/pkgbuilder-1000/pkgbuilder/pkgbuilder-2.1.5.0-2-any.pkg.tar.xz.sig.
@fosskers
aurapm member

Alright, I think I know what's happening here. The copy mechanism is only copying one of the two files. Seems like it's grabbing the .sig and not the actual package file. I suppose I'll add a check to copy them both over.

@guns
@fosskers
aurapm member

Thanks. I believe that after aura calls makepkg, it's not copying both of the required files over to the package cache.

@Kwpolska

Apparently, it does not matter, because pacman has problems even with signed packages with makepkg -si… (see one of my comments above)

@fosskers
aurapm member

You changed pkgbuilder to copy them both over, yeah?

@Kwpolska
@fosskers
aurapm member

Is this still an issue?

@guns

Yes, I'm afraid it still is. I set SigLevel to PackageRequired, included
"sign" in the makepkg.conf BUILDENV array, upgraded aura from git
master, and tried to install a package:

==> Tidying install...
  -> Purging unwanted files...
  -> Compressing man and info pages...
  -> Stripping unneeded symbols from binaries and libraries...
==> Creating package...
  -> Generating .PKGINFO file...
  -> Compressing package...
==> Signing package...
==> WARNING: Failed to sign package file.
==> Leaving fakeroot environment.
==> Finished making: par 1.52-3 (Thu Nov 29 18:15:18 CST 2012)
loading packages...
error: '/var/cache/pacman/pkg/par-1.52-3-x86_64.pkg.tar.xz': invalid or corrupted package (PGP signature)

Notice that makepkg did not successfully create a signature file. When I
run makepkg on my own PKGBUILDs, it successfully creates signature files
using my private key.

@fosskers
aurapm member

Thanks for getting back to me.

Are you using a global makepkg.conf or a local one? If I'm supposed to be passing certain flags to makepkg, I know that's not happening at the moment.

@guns

I am using /etc/makepkg.conf, as installed by pacman 4.0.3-5, with the
only difference being that the "ccache" and "sign" flags in BUILDENV
have been set (default being unset).

@fosskers
aurapm member

Ah, I remember now. I still hadn't made the changes to copy over the created signature file. Wonder why it's failing to create the signature file?

@Bubu

I also have the same problem, makepkg is set up to sign the packages and when I call it manually it does so.
This is really strange, makepkg knows it has to sign the package but fails to do it without an error.

==> Entering fakeroot environment...
==> Starting package()...
==> Tidying install...
  -> Purging unwanted files...
  -> Compressing man and info pages...
  -> Stripping unneeded symbols from binaries and libraries...
==> Creating package...
  -> Generating .PKGINFO file...
  -> Compressing package...
==> Signing package...
==> WARNING: Failed to sign package file.
==> Leaving fakeroot environment.
==> Finished making: pacman-color 4.0.3-4 (Fri Jan 18 04:00:20 UTC 2013)
loading packages...
error: '/var/cache/pacman/pkg/pacman-color-4.0.3-4-x86_64.pkg.tar.xz': invalid or corrupted package (PGP signature)
Raw shell command call failed.

Here is an output of just running makepkg:

==> Signing package...

You need a passphrase to unlock the secret key for
user: "XXXXXXXXXXXXXXXXXXXXXX"
2048-bit RSA key, ID XXXXXXXXX, created 2013-01-10

  -> Created signature file XXXXXXXX/packages/iodine-0.6.0_rc1-1-x86_64.pkg.tar.xz.sig.
@Kwpolska
@Bubu

Well, that immediately tells me that it can't find the key for signing the package, without attempting to do anything.

$ sudo makepkg -f --asroot
==> ERROR: The key XXXXXXXX does not exist in your keyring.

So... um that might be a problem, but still not the same behavior as aura which does build the package.

Edit: I've copied the gpg stuff to /root/ and now I get this:

$ sudo makepkg -f --asroot
<...>
==> Signing package...

You need a passphrase to unlock the secret key for
user: "XXXXXXXX XXXXXXXX "
2048-bit RSA key, ID XXXXXXXX , created 2013-01-10

==> WARNING: Failed to sign package file.

Which is actually expected, because somehow the gpg pinentry-curses has problems running as root. But with aura it doesn't even show the message that there is a key to unlock (see post above). Nothing changed after copying the keys to root.

Edit2: Ok, another test here:
After becoming root and doing a chown root /dev/pts/0 I can do makepkg --asroot and package signing works, I get asked for my passphrase.
Running aura from the same shell still fails without even recognizing there is a key to unlock.

Edit3:
Just read this in the readme: "Even when run with sudo, packages are built with normal user privileges, then handed to pacman and installed as root."
So root not finding my keys is probably not the problem but the user aura drops the privileges to?

@fosskers
aurapm member

Hey @Bubu thanks for reporting this. If you are logged in as root, aura does everything as root. If you're running it with sudo, then yes, makepkg gets run as you underneath. More specifically, this is called (assuming your username is bubu):

su bubu -c makepkg

This is likely the source of the problem, but I'm not exactly sure why it's causing your build failures.

@Kwpolska

The problem is: no shell. Fix: no idea whatsoever. Someone more proficient in (a) bash; (b) su and credentials magic; (c) gpg should be asked for the solution.

# su kwpolska
$ makepkg --sign
  -> Created signature file /tmp/pkgbuilder-1000/pkgbuilder/pkgbuilder-2.1.5.14-1-any.pkg.tar.xz.sig.
$ exit
# su kwpolska -c 'makepkg --sign'
==> WARNING: Failed to sign package file.
@fosskers
aurapm member

Well that sucks. I'll dig around some man pages and see what I can find.

@Bubu

I tested using gpg directly with su -c and it shows the following error:

gpg: cannot open `/dev/tty': No such device or address

It works when using gpg --batch but I don't know how to get makepkg to use this command.

@fosskers
aurapm member

@Bubu Thanks for the update.

@fosskers fosskers added the Aura2 label May 22, 2014