Misleading error message "GPG verification enabled, but no signatures found"

[aleixpol]

I'm unable to install our runtimes because I get the following error GPG verification enabled, but no signatures found.
The repository in question is the following: http://distribute.kde.org/flatpak-testing/
Which does offer a signature file: http://distribute.kde.org/flatpak-testing/summary.sig

The repository was set up as described in the wiki: https://community.kde.org/Flatpak

[alexlarsson]

Ah, you need the gpg key in binary format.
I tried:

$ gpg --dearmor kdeflatpak.asc
$ flatpak remote-add kde http://distribute.kde.org/flatpak-testing/ --gpg-import=kdeflatpak.asc.gpg

However, this gives me:
error: While pulling runtime/org.kde.Platform/x86_64/master from remote kde: GPG verification enabled, but no signatures found (use gpg-verify=false in remote config to disable)

Which means you need to run this on the repo:

$ flatpak build-update-repo --gpg-homedir=... --gpg-sign=... the-repo-dir

I would also recommend passing in --generate-static-deltas to build-update-repo as it will generate single-file deltas for updates and from-scratch installs, which performs better than many http requests.

[alexlarsson]

Sorry about not responding earlier btw, was away a bit.

[aleixpol]

BTW, using the asc file worked just as well, this didn't make a difference.

I am running:
flatpak build-update-repo --gpg-sign="KDE Flatpak" --title="KDE Frameworks Flatpak Test" repo/

I would also recommend passing in --generate-static-deltas to build-update-repo as it will generate single-file deltas for updates and from-scratch installs, which performs better than many http requests.

I'll do that when things start working

[alexlarsson]

@aleixpol Hmm, i dunno if --gpg-sign="KDE Flatpak" works. I tend to give the hex key id.

Do you get a summary.sig file in the repo when you do that?

[aleixpol]

Yes, and actually I've done it with both and I get the same behaviour.

[alexlarsson]

Ah, yeah, sorry, I misread the above error it seems. The gpg signature for the summary does indeed exists, its the one for the commit that it complains about. Lemme look at that.

[alexlarsson]

Quick debugging:

The ref for the platform is runtime/org.kde.Platform/x86_64/master which we can see at http://distribute.kde.org/flatpak-testing/refs/heads/runtime/org.kde.Platform/x86_64/master points to
34407d5f5f48cdb3a1284fe8f78c637f45b44e058ad89393bf4b6c832613cf23.

That commit exists in the repo as:

http://distribute.kde.org/flatpak-testing/objects/34/407d5f5f48cdb3a1284fe8f78c637f45b44e058ad89393bf4b6c832613cf23.commit

However, the signature for the commit should be a "*.commitmeta" with the same basename next to it, so for some reason the commit is not signed.

Did you specify --gpg-sign=KEY-ID to flatpak-builde when you built the app?
Alternatively you can use flatpak build-sign to sign it after its been built.

[aleixpol]

That's possibly what's missing (although maybe build-update-repo should pick up on that?).

Anyway, I'm getting a segfault when calling build-sign:

$ flatpak build-sign repo org.kde.Sdk --gpg-sign=61C45BED
Segmentation fault (core dumped)

🔥

[aleixpol]

BTW, these are the scripts we're using: https://quickgit.kde.org/?p=flatpak-kde-runtime.git&a=blob&h=72fb2c7d760f9de3173134cd58822128766cc395&hb=a9d1b67f71b6a1936a1628bbfb7a98c99c6b4427&f=Makefile

I'm thinking that we should include build-sign within export.

[alexlarsson]

If --gpg-sign= is part of ${EXPORT_ARGS}, then that should be fine, as it will be passed to flatpak-builder.
However, maybe that was not set at the time you built the app? If so you can rebuild it again but without the --require-changes argument as that will notice that there are no changes and it will not do anything at all.

That said, its weird that build-sign is crashing, maybe its regressed at some point.

[alexlarsson]

Yeah, it crashes here too, we should fix that.
However, this should work:

flatpak build-sign repo org.kde.Sdk --runtime --gpg-sign=61C45BED

[aleixpol]

Rebuilding everything without --require-changes and with the --gpg-sign did the trick.

[alexlarsson]

So, as a user, now that you have figured this out, is there anything flatpak could do that would have helped you here?

[aleixpol]

In retrospect, I'd say that it would be great if flatpak build-update-repo would do that or at least warn if it's leaving a non-signed repository.

Also what I ended up doing was passing the gpg args to flatpak-builder, so having a warning saying "Creating a non-signed repository, please remember to sign it before publishing" would be good.

In general, for me, the frustrating bit with flatpak is that everything works until in the very end when it fails, then tracing the issue back is very hard for me (due to inexperience on the technology, for sure).

[directhex]

Seeing as I'm running into almost identical issues here:

$ flatpak install monodevelop com.xamarin.MonoDevelop master
Updating: org.freedesktop.Platform/x86_64/1.4 from gnome
No updates.
Updating: org.freedesktop.Platform.Locale/x86_64/1.4 from gnome
No updates.
Installing: com.xamarin.MonoDevelop/x86_64/master from monodevelop

1 metadata, 0 content objects fetched; 313 B transferred in 0 seconds                                                                                                                                                     
error: GDBus.Error:org.freedesktop.DBus.Error.Failed: Error pulling from repo: While pulling app/com.xamarin.MonoDevelop/x86_64/master from remote monodevelop: GPG verification enabled, but no signatures found (use gpg-verify=false in remote config to disable)

Let's just say I agree with @aleixpol that there are some gaps in the documentation process when it comes to repo management & signing.