Is there any flag or method to skip PGP verification in pamac (cli preferably) for AUR packages? I am trying to install stellarium (no comparable package in manjaro repos) and it fails due to PGP signature not verified even after successfully importing the key. I have to use makepkg as mentioned in pinned comment on the page along with the --skippgpcheck flag to install it. A similar flag for pamac would be very convenient.
How did you import it? Because I just tested it with yay and it works fine.
I tried both gpg -v --keyserver keys.openpgp.org --recv-keys BF38D4D02A328DFF and gpg -v --keyserver keys.openpgp.org --recv-keys 9380E47C0374E169. In both cases, the output was:
gpg: data source: http://keys.openpgp.org:11371
gpg: pub rsa4096/BF38D4D02A328DFF 2012-04-07
gpg: key BF38D4D02A328DFF: no user ID
gpg: Total number processed: 1
Huh? Neither of those are listed as pgp keys in PKGBUILD.
Please post the full output from:
pamac build stellarium
It’s recommended to add the default keyserver that gnupg uses to your ~/.gnupg/gpg.conf:
keyserver hkps://keyserver.ubuntu.com
keyserver-options timeout=10
with-fingerprint
Using yay is another option as mentioned:
sudo pacman -Syu --needed base-devel git yay
yay -S stellarium
PKGBUILDs contain the fingerprint, not the SHA1 hash.
The first one is mentioned in the stellarium AUR page, in the pinned comment. The second one is what was displayed in pamac when it showed the error.
I am away but will post as soon as possible.
I just realized I submitted my reply too soon with incorrect information. I’ve just edited it.
Ugh, right. I plan to understand cryptography in the next 10 years, I swear.
Here is my result with pamac update:
Preparing...
Synchronizing package databases...
Nothing to do.
Transaction successfully finished.
Well, I don’t mind with makepkg or yay, but would preferably not have another AUR helper. Even with yay, I’ll probably have to add the --nopgpfetch flag as mentioned in pinned comment on AUR page.
Should I create a pamac issue to allow an option to skip pgp verification?
Apparently you didn’t see the edit to my post above. Refresh the page, you may be looking at an old cached version.
No. We’re here to solve the issue, not avoid it.
I tried with a couple of key servers, including the one you mentioned. It seems to make no difference when rebuilding the package.