Skipping pgp verification in pamac (cli)

Leo · 26 July 2022 17:18

Is there any flag or method to skip PGP verification in pamac (cli preferrably) for AUR packages? I am trying to install stellarium (no comparable package in manjaro repos) and it fails due to PGP signature not verified even after successfully importing the key. I have to use makepkg as mentioned in pinned comment on the page along with the --skippgpcheck flag to install it. A similar flag for pamac would be very convenient

zbe · 26 July 2022 17:36

How did you import it? Because I just tested it with yay and it works fine.

Leo · 26 July 2022 20:07

I tired both gpg -v --keyserver keys.openpgp.org --recv-keys BF38D4D02A328DFF and gpg -v --keyserver keys.openpgp.org --recv-keys 9380E47C0374E169. In both cases, the output was:

gpg: data source: http://keys.openpgp.org:11371
gpg: pub  rsa4096/BF38D4D02A328DFF 2012-04-07  
gpg: key BF38D4D02A328DFF: no user ID
gpg: Total number processed: 1

zbe · 26 July 2022 20:12

Huh? Neither of those are listed as pgp keys in PKGBUILD.

Yochanan · 26 July 2022 22:09

Please post the full output from:

pamac build stellarium

It’s recommended to add the default keyserver that gnupg uses to your ~/.gnupg/gpg.conf:

keyserver hkps://keyserver.ubuntu.com
keyserver-options timeout=10
with-fingerprint

Using yay is another option as mentioned:

sudo pacman -Syu --needed base-devel git yay

yay -S stellarium

PKGBUILDs contain the fingerprint, not the SHA1 hash.

See: Search results for '0xBF38D4D02A328DFF'

Leo · 26 July 2022 22:19

The first one is mentioned in the stellarium AUR page, in the pinned comment. the second one is what was displayed in pamac when it showed the error

Leo · 26 July 2022 22:19

I am away but will post as soon as possible

Yochanan · 26 July 2022 22:28

I just realized I submitted my reply too soon with incorrect information. I’ve just edited it.

zbe · 27 July 2022 04:08

Ugh, right. I plan to understand cryptography in the next 10 years, I swear.

Leo · 27 July 2022 21:24

Here is my result with pamac update:

Preparing...
Synchronizing package databases...
Nothing to do.
Transaction successfully finished.

Well, I don’t mind with makepkg or yay, but would preferably not have another AUR helper. Even with yay, I ll probably have to add --nopgpfetch flag as mentioned in pinned comment on AUR page.

Should I create a pamac issue to allow an option to skip pgp verification?

Yochanan · 27 July 2022 22:24

Apparently you didn’t see the edit to my post above. Refresh the page, you may be looking at an old cached version.

No. We’re here to solve the issue, not avoid it.

Leo · 29 July 2022 16:32

I tried with couple of key servers including the one you mentioned. Seem to make no difference when rebuilding the package