I can’t upgrade tuba (mastodon client) due an error importing a gpg key. This is the error reported trying pamac update:
pamac install tuba
Warning: tuba is only available from AUR
Preparing...
Cloning tuba build files...
Generating tuba information...
Checking tuba dependencies...
Resolving dependencies...
Checking inter-conflicts...
To build (1):
tuba 0.4.1-0.1 (0.4.0-0.1) AUR
Edit build files : [e]
Apply transaction ? [e/y/N] y
==== AUTHENTICATING FOR org.manjaro.pamac.commit ====
Authentication is required to install, update, or remove packages
Multiple identities can be used for authentication:
1. Leandro (leandro)
2. Leandro (leandro)
Choose identity to authenticate as (1-2): 1
Password:
==== AUTHENTICATION COMPLETE ====
Building tuba...
==> Making package: tuba 0.4.1-0.1 (mer 9 ago 2023, 10:37:47)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Updating Tuba git repo...
==> Validating source files with sha256sums...
Tuba ... Skipped
==> Verifying source file signatures with gpg...
Tuba git repo ... FAILED (unknown public key 4AEE18F83AFDEB23)
==> ERROR: One or more PGP signatures could not be verified!
Error: Failed to build tuba
Manjaro stable regularly updated on amd64.
As you can read in the output, tuba
is an AUR package, and therefore Manjaro cannot be held responsible for the integrity of the uploader’s signature. However, if you explicitly trust the uploader, you can import their key.
gpg --import 4AEE18F83AFDEB23
Use at your own risk!
Teo
9 August 2023 09:11
3
That seems to be a default github key (github signs for the developer) . Which means if you import it you will automatically trust maaaany developers.
Using GPG, SSH, or S/MIME, you can sign tags and commits locally. These tags or commits are marked as verified on GitHub so other people can be confident that the changes come from a trusted source.
1 Like
Please read the pinned comment on the tuba
AUR page:
GPG Error
Import the gpg-key with:
curl -sS https://github.com/GeopJr.gpg | gpg --import -
curl -sS https://github.com/web-flow.gpg | gpg --import -
See also the pinned tutorial here in the AUR section:
Summary
If you get
llvm-5.0.1.src.tar.xz … FAILED (unknown public key 8F0871F202119294)
then
gpg --recv-key 8F0871F202119294
and try again. Enter the key ID as appropriate.
Detail
Many AUR packages contain lines to enable validating downloaded packages though the use of a PGP key. This establishes a level of trust between the software author and anyone who downloads the software - if you trust the key, and the download validates against the key, then you can trust the download.
Pacman ha…
1 Like
system
Closed
12 August 2023 05:48
6
This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.