Misleading error message "GPG verification enabled, but no signatures found" #388

Open
aleixpol opened this Issue Nov 2, 2016 · 15 comments


@aleixpol
aleixpol commented Nov 2, 2016

I'm unable to install our runtimes because I get the following error: "GPG verification enabled, but no signatures found".
The repository in question is the following: http://distribute.kde.org/flatpak-testing/
Which does offer a signature file: http://distribute.kde.org/flatpak-testing/summary.sig

The repository was set up as described in the wiki: https://community.kde.org/Flatpak

@alexlarsson
Member

Ah, you need the gpg key in binary format.
I tried:

$ gpg --dearmor kdeflatpak.asc
$ flatpak remote-add kde http://distribute.kde.org/flatpak-testing/ --gpg-import=kdeflatpak.asc.gpg

However, this gives me:
error: While pulling runtime/org.kde.Platform/x86_64/master from remote kde: GPG verification enabled, but no signatures found (use gpg-verify=false in remote config to disable)

Which means you need to run this on the repo:

$ flatpak build-update-repo --gpg-homedir=... --gpg-sign=... the-repo-dir

I would also recommend passing in --generate-static-deltas to build-update-repo as it will generate single-file deltas for updates and from-scratch installs, which performs better than many http requests.

@alexlarsson
Member

Sorry about not responding earlier btw, was away a bit.

@aleixpol
aleixpol commented Nov 9, 2016 edited

BTW, using the asc file worked just as well, this didn't make a difference.

I am running:
flatpak build-update-repo --gpg-sign="KDE Flatpak" --title="KDE Frameworks Flatpak Test" repo/

> I would also recommend passing in --generate-static-deltas to build-update-repo as it will generate single-file deltas for updates and from-scratch installs, which performs better than many http requests.

I'll do that when things start working

@alexlarsson
Member

@aleixpol Hmm, I dunno if --gpg-sign="KDE Flatpak" works. I tend to give the hex key id.

Do you get a summary.sig file in the repo when you do that?

@aleixpol

Yes, and actually I've done it with both and I get the same behaviour.

@alexlarsson
Member

Ah, yeah, sorry, I misread the above error it seems. The gpg signature for the summary does indeed exist, it's the one for the commit that it complains about. Lemme look at that.

@alexlarsson
Member

Quick debugging:

The ref for the platform is runtime/org.kde.Platform/x86_64/master which we can see at http://distribute.kde.org/flatpak-testing/refs/heads/runtime/org.kde.Platform/x86_64/master points to
34407d5f5f48cdb3a1284fe8f78c637f45b44e058ad89393bf4b6c832613cf23.

That commit exists in the repo as:

http://distribute.kde.org/flatpak-testing/objects/34/407d5f5f48cdb3a1284fe8f78c637f45b44e058ad89393bf4b6c832613cf23.commit

However, the signature for the commit should be a "*.commitmeta" with the same basename next to it, so for some reason the commit is not signed.

Did you specify --gpg-sign=KEY-ID to flatpak-builder when you built the app?
Alternatively you can use flatpak build-sign to sign it after it's been built.
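
The debugging above boils down to two separate checks on the exported repo: the summary has its summary.sig, and the commit behind each ref has a .commitmeta object (which is where ostree keeps the detached commit signature) next to its .commit object. The script below is an added example, not code from the flatpak project or from anyone in this thread: it walks a repo directory with that layout and reports which refs are unsigned, which is the check a publisher would want to run before pushing a repo to a web server. It assumes the file layout described in this comment (refs/heads/<ref> holding the commit checksum, objects/XX/<rest>.commit and .commitmeta). Presence of a .commitmeta is only the indicator used above; the actual signature verification is what ostree performs during the pull. The demo repo it builds under mktemp is constructed sample data, with one signed runtime ref and one unsigned app ref.

```shell
#!/bin/sh
# Added example: audit an exported flatpak/ostree repo for the two signatures
# that "flatpak install" expects. A .commit object without a .commitmeta
# beside it is what produced "GPG verification enabled, but no signatures
# found" in the thread above.

# check_repo_signatures REPO_DIR
# Prints one line per problem and returns 0 only when summary.sig exists and
# every ref head has a .commitmeta beside its .commit object.
check_repo_signatures() {
    repo=$1
    problems=0

    # 1. The summary signature (what build-update-repo --gpg-sign produces).
    if [ ! -f "$repo/summary.sig" ]; then
        echo "MISSING summary.sig: run flatpak build-update-repo --gpg-sign=KEYID $repo"
        problems=$((problems + 1))
    fi

    # 2. A signature for the commit behind every ref. Ref paths contain no
    #    whitespace, so the unquoted expansion below is safe.
    refs=$(find "$repo/refs/heads" -type f 2>/dev/null)
    for reffile in $refs; do
        ref=${reffile#"$repo/refs/heads/"}
        checksum=$(tr -d '[:space:]' < "$reffile")
        prefix=$(printf '%s' "$checksum" | cut -c1-2)
        rest=$(printf '%s' "$checksum" | cut -c3-)
        commit="$repo/objects/$prefix/$rest.commit"
        meta="$repo/objects/$prefix/$rest.commitmeta"
        if [ ! -f "$commit" ]; then
            echo "BROKEN $ref: no object for $checksum"
            problems=$((problems + 1))
        elif [ ! -f "$meta" ]; then
            echo "UNSIGNED $ref: no .commitmeta, sign with flatpak build-sign --gpg-sign=KEYID"
            problems=$((problems + 1))
        else
            echo "signed $ref"
        fi
    done

    [ "$problems" -eq 0 ]
}

# make_demo_repo: constructed sample repo (not a real export) with one signed
# runtime ref and one unsigned app ref; prints the directory it created.
# The checksums are made-up 64-hex strings, not real ostree object ids.
DEMO_SIGNED_SUM=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
DEMO_UNSIGNED_SUM=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
make_demo_repo() {
    d=$(mktemp -d)
    : > "$d/summary"
    : > "$d/summary.sig"                                   # pretend the summary is signed
    mkdir -p "$d/refs/heads/runtime/org.example.Platform/x86_64" \
             "$d/refs/heads/app/org.example.App/x86_64" \
             "$d/objects/01" "$d/objects/fe"
    echo "$DEMO_SIGNED_SUM"   > "$d/refs/heads/runtime/org.example.Platform/x86_64/master"
    echo "$DEMO_UNSIGNED_SUM" > "$d/refs/heads/app/org.example.App/x86_64/master"
    : > "$d/objects/01/${DEMO_SIGNED_SUM#01}.commit"
    : > "$d/objects/01/${DEMO_SIGNED_SUM#01}.commitmeta"   # signed commit
    : > "$d/objects/fe/${DEMO_UNSIGNED_SUM#fe}.commit"     # no .commitmeta: unsigned
    echo "$d"
}

# Usage: sh check_repo_signatures.sh /path/to/repo
if [ "$#" -gt 0 ]; then
    check_repo_signatures "$1"
fi
```

Run it against the directory you pass to build-update-repo (the repo/ in the command above); a non-zero exit with an UNSIGNED line names the ref that still needs flatpak build-sign (or a rebuild with --gpg-sign passed to flatpak-builder).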

@aleixpol

That's possibly what's missing (although maybe build-update-repo should pick up on that?).

Anyway, I'm getting a segfault when calling build-sign:

$ flatpak build-sign repo org.kde.Sdk --gpg-sign=61C45BED
Segmentation fault (core dumped)

🔥

@alexlarsson
Member

If --gpg-sign= is part of ${EXPORT_ARGS}, then that should be fine, as it will be passed to flatpak-builder.
However, maybe that was not set at the time you built the app? If so you can rebuild it again but without the --require-changes argument as that will notice that there are no changes and it will not do anything at all.

That said, it's weird that build-sign is crashing, maybe it's regressed at some point.

@alexlarsson
Member

Yeah, it crashes here too, we should fix that.
However, this should work:

flatpak build-sign repo org.kde.Sdk --runtime --gpg-sign=61C45BED

@aleixpol

Rebuilding everything without --require-changes and with the --gpg-sign did the trick.

@alexlarsson added a commit that referenced this issue Nov 11, 2016:
9664575 build-sign: Don't crash if ref not found
As reported in #388
@alexlarsson
Member

So, as a user, now that you have figured this out, is there anything flatpak could do that would have helped you here?

@aleixpol

In retrospect, I'd say that it would be great if flatpak build-update-repo would do that or at least warn if it's leaving a non-signed repository.

Also what I ended up doing was passing the gpg args to flatpak-builder, so having a warning saying "Creating a non-signed repository, please remember to sign it before publishing" would be good.

In general, for me, the frustrating bit with flatpak is that everything works until in the very end when it fails, then tracing the issue back is very hard for me (due to inexperience on the technology, for sure).

@directhex

Seeing as I'm running into almost identical issues here:

$ flatpak install monodevelop com.xamarin.MonoDevelop master
Updating: org.freedesktop.Platform/x86_64/1.4 from gnome
No updates.
Updating: org.freedesktop.Platform.Locale/x86_64/1.4 from gnome
No updates.
Installing: com.xamarin.MonoDevelop/x86_64/master from monodevelop

1 metadata, 0 content objects fetched; 313 B transferred in 0 seconds
error: GDBus.Error:org.freedesktop.DBus.Error.Failed: Error pulling from repo: While pulling app/com.xamarin.MonoDevelop/x86_64/master from remote monodevelop: GPG verification enabled, but no signatures found (use gpg-verify=false in remote config to disable)

Let's just say I agree with @aleixpol that there are some gaps in the documentation process when it comes to repo management & signing.
