Failing to verify PGP signature from an AUR package for PCIe ACS (PCI passthrough via OVMF)

Hi, well I was going to get help beforehand but found out old forum has unfortunately died.

Simply trying to passthrough a graphic card, unfortunately within one IOMMU group are both of my graphic cards, the problem lies in getting one of them into a separate IOMMU group. Did some research and I have to bypass the IOMMU groups via ACS override patch. My specific problem is that the AUR package linked here can’t verify a PGP signature. If no one knows how I could bypass or find another way to do it please let me know.

Pastebin of log of AUR installation Preparing...Cloning linux-vfio build files...Checking linux-vfio dependencie - Pastebin.com

Thanks for reading.

Did you read the pinned comment on the AUR page?

Yes, unless I missed something specific I’ve already done the command
$ sudo gpg --keyserver pool.sks-keyservers.net --recv-keys 3B94A80E50A477C7

And the output:

gpg: key 19802F8B0D70FC30: 6 duplicate signatures removed
gpg: key 19802F8B0D70FC30: 6 signatures reordered
gpg: key 19802F8B0D70FC30: "Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

Sorry if I am acting as a noob, I am one. All a learning curve and am doing research before asking. I just don’t quite understand why it’s failing to verify the signature.

Thanks.

There are two other PGP keys besides heftig’s in the PKGBUILD, you may need to import those as well.

what about

pacman-key --refresh-keys

Also … just because it's plastered all over that AUR package page … are you using makepkg or a helper?

I think you mean:

gpg --refresh-keys

The Arch / Manjaro keyrings are separate from one’s personal GPG keyring.

The question is … where are my keys? I swear I left them right here …

Tried doing that, does its job until it then continuously spams “key 79BE3E4300411886: no user ID for key signature packet of class 10”. I did pacman-key --refresh-keys

Also I see there are two other keys you pointed out, but how would I go about getting those ones? What I mean is heftig’s key is 3B94A80E50A477C7 which is ‘A2FF3A36AAA56654109064AB19802F8B0D70FC30’ but the longer PGP key well, doesn’t work? I’m sorry I’m new as I said and am trying to understand and learn (and I am learning! :) )

It’s just one thing after another haha.

Edit: It stopped spamming the line.

You can look up the fingerprints. Example with Linus Torvalds’:

❯ gpg --search-keys --fingerprint ABAF11C65A2970B130ABE3C479BE3E4300411886
gpg: data source: http://[2001:4c80:40:628:5c70:d1ff:fe44:1424]:11371
(1)	Linus Torvalds <torvalds@kernel.org>
	Linus Torvalds <torvalds@linux-foundation.org>
	  2048 bit RSA key 79BE3E4300411886, created: 2011-09-20
Keys 1-1 of 1 for "ABAF11C65A2970B130ABE3C479BE3E4300411886".

Now import the 2048 bit RSA key.

Sorry but after doing that command all I get is

$ gpg --search-keys --fingerprint ABAF11C65A2970B130ABE3C479BE3E4300411886
gpg: error searching keyserver: General error
gpg: keyserver search failed: General error

when @cscs suggested to do pacman-key --refresh-keys that worked fine, but gpg --refresh-keys did not do anything.

Also @cscs I’m using the AUR helper, the GUI where you just select to build and apply it. Should I be using makepkg on the terminal?

It's just mentioned a bunch on the page.
But I would suspect (not assume for sure) that the key problem is probably effective regardless.

Do you have a ~/.gnupg/gpg.conf? If so, what are the contents?

If not, create it and add this to it:

keyserver hkp://pool.sks-keyservers.net

You might need to kill these guys off for it to take effect:

killall gpg-agent dirmngr

Then try refreshing keys again.

You can also try a different keyserver. I added that info here:

I apparently do not, tried opening with nano and no such file exists. Adding the ~ creates a new file… shall I just add in

and save the file?

Nano will open the file if it exists, otherwise it will create it. No squiggles needed. ;)

Yes.

Post must be at least 20 characters. I cheated.

$ sudo gpg --refresh-keys
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: General error

FYI without sudo it does nothing.

If I don’t do the squiggle it just displays

[ Directory ‘/.gnupg’ does not exist ]

and it’s still doing it. Man I’m not getting anywhere, sorry for wasting your time if I am.

It should have. Don’t use sudo. You should get output like this:

❯ gpg --refresh-keys
gpg: refreshing 35 keys from hkp://pool.sks-keyservers.net
gpg: key 41DC4849F55313FB: 4 duplicate signatures removed
gpg: key 41DC4849F55313FB: 4 signatures reordered
# ... etc., etc....

Did you try everything I suggested in my post above?

Yes, when I do 'sudo pacman-key --refresh-keys' it does work…

gpg: refreshing 140 keys from hkp://pool.sks-keyservers.net

Again, it then spams this after it’s done the other keys

gpg: key 79BE3E4300411886: no user ID for key signature packet of class 10

and then it finishes after a few minutes.

and yeah… all of this just to move a damn graphic card out of an IOMMU group… it really is a headache haha

Edit: don’t have space for the lowest PCIe slot for my other graphic card as the USB3 socket is pretty much in the way. I don’t even know if that would move it out of the IOMMU group it’s currently residing in but yeah, sorry just ranting.

2nd edit: it finished with:

gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 25 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 25 signed: 79 trust: 2-, 0q, 0n, 23m, 0f, 0u
gpg: depth: 2 valid: 74 signed: 24 trust: 74-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2021-01-01

I somehow managed to fix everything and have managed to acquire the AUR package. It simply asked me to import the gpg keys for some reason, possibly because I ran this command

sudo pacman-key -r 647F28654894E3BD457199BE38DBBDC86092693E

applies with the other keys I presume, and of course refreshing the keys probably helped… but yeah all is well. I’ll see if I can trace down my solution. Thank you so much for helping @Yochanan, it was extremely appreciated and I learnt a lot. Now I shall continue on my venture to hopefully get everything sorted out.
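
The thread turns on which keyring holds the keys a PKGBUILD's validpgpkeys array names. The script below is an added example, not part of any post above and not code from the AUR package: it lists those fingerprints and reports which ones the building user's own GPG keyring lacks. The PKGBUILD fragment is constructed from the three fingerprints quoted in the thread, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example. makepkg verifies source signatures against the keyring of the
# user running the build (~/.gnupg), not root's keyring (what `sudo gpg`
# fills) and not pacman's keyring (what `pacman-key` manages).

# Constructed PKGBUILD fragment using the three fingerprints quoted in the thread.
sample_pkgbuild() {
  cat <<'EOF'
pkgname=linux-vfio
validpgpkeys=(
  'ABAF11C65A2970B130ABE3C479BE3E4300411886'  # Linus Torvalds
  '647F28654894E3BD457199BE38DBBDC86092693E'
  'A2FF3A36AAA56654109064AB19802F8B0D70FC30'  # heftig
)
EOF
}

# Print every 40-hex fingerprint inside the validpgpkeys=( ... ) array of the
# PKGBUILD at $1. The array is read as text; the PKGBUILD is never sourced.
list_validpgpkeys() {
  awk '/^validpgpkeys=\(/ { inarr = 1 }
       inarr { sub(/#.*/, ""); print; if (/\)/) inarr = 0 }' "$1" |
    grep -oE '[0-9A-Fa-f]{40}' | tr 'a-f' 'A-F'
}

# Print the fingerprints that the current user's keyring does not hold.
missing_keys() {
  local fpr
  list_validpgpkeys "$1" | while read -r fpr; do
    gpg --batch --list-keys "$fpr" >/dev/null 2>&1 || echo "$fpr"
  done
}

# Usage: ./check-keys.sh path/to/PKGBUILD   (run as the build user, no sudo)
if [ -n "${1:-}" ]; then
  if [ "$(id -u)" -eq 0 ]; then
    echo "warning: running as root checks root's keyring, not yours" >&2
  fi
  missing_keys "$1"
fi
```

Each fingerprint it prints still has to be compared against a source you trust before it is imported into the build user's keyring with gpg --recv-keys.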