ERROR: One or more PGP signatures could not be verified, arch linux
I recently switched to an Arch-based distro called Manjaro.
I have problems installing some packages from the AUR Arch repository:
curl-7.54.0.tar.gz ... Passed
curl-7.54.0.tar.gz.asc ... Skipped
==> Verifying source file signatures with gpg...
curl-7.54.0.tar.gz ... FAILED (unknown public key 5CC908FDB71E12C2)
==> ERROR: One or more PGP signatures could not be verified!
What do I need to do to fix this?
linux arch-linux pgp pacman
asked May 19 '17 at 9:42
nelaaro
1 Answer
Once you have a local gpg key pair, you can import the unknown key into your local user's set of keys.
In my case, the key 5CC908FDB71E12C2 needs to be imported as follows.
$ gpg --recv-keys 5CC908FDB71E12C2
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: key 5CC908FDB71E12C2: 8 signatures not checked due to missing keys
gpg: /home/aaron/.gnupg/trustdb.gpg: trustdb created
gpg: key 5CC908FDB71E12C2: public key "Daniel Stenberg <daniel@haxx.se>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
--recv-keys key IDs: Import the keys with the given key IDs from a keyserver.
If the above fails you might need to generate a local gpg keystore/database.
The steps below may no longer be necessary, as the above step now creates a local key database for you. This depends on your distro and gpg version and config.
If you do not already have a gpg key database for your local user:
gpg --generate-key
or
gpg --full-gen-key
What the docs say.
--generate-key
--gen-key
Generate a new key pair using the current default parameters. This is the standard command to create a new key. In addition to the key a revocation certificate is created and stored in the 'openpgp-revocs.d' directory below the GnuPG home directory.
--full-generate-key
--full-gen-key
Generate a new key pair with dialogs for all options. This is an extended version of --generate-key.
There is also a feature which allows you to create keys in batch mode. See the manual section "Unattended key generation" on how to use this.
edited Feb 12 at 11:21
answered May 19 '17 at 9:42
nelaaro
Is this safe? Like, doesn't adding random keys whenever you have to, defeat the purpose...?
– jcora
Feb 14 '18 at 11:44
@jcora. These keys allow you to install the software you want. You need to decide if it is safe. These are third-party keys that verify that the software they have created in AUR is actually from them. Is there a possibility of a package in AUR or somewhere having malicious code? Yes. Which requires you to trust the person creating the package. Beyond that, the keys verify that no one else has modified the package you received. You have to make the decision and evaluate the risk.
– nelaaro
Feb 14 '18 at 13:16
Well, I was confused because usually the keys for AUR packages are already automatically included on my system. Am I misunderstanding something?
– jcora
Feb 15 '18 at 15:07
I am using the Manjaro distro, which was probably out of date, and causing issues for me.
– nelaaro
Feb 15 '18 at 19:09
@EnricoMariaDeAngelis the local gpg keys are not initialised, you do not have a key ring, which is just a file that stores a list of keys that you have imported / accepted. --full-gen-key ensures that all files are created for you to be able to import keys to your local key ring.
– nelaaro
Aug 13 '18 at 10:01
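Added example, not part of the original answer or comments: the key ID that makepkg prints is only the tail of the key's fingerprint, so one way to check an imported key is to compare its full fingerprint with the one the PKGBUILD pins in its validpgpkeys array. The sketch below parses gpg's colon-format listing; the function names are hypothetical and every key ID and fingerprint in it is a constructed sample value.

```shell
#!/bin/sh
# Added example. All key IDs and fingerprints here are constructed samples.

# Constructed `gpg --with-colons` listing: two primary keys sharing one
# 16-hex-digit key ID, and a subkey under the first.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:AAAABBBBCCCCDDDD:1400000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAABBBBCCCCDDDD:
uid:-::::1400000000::::Example Maintainer <maintainer@example.org>::::::::::0:
sub:-:4096:1:1111222233334444:1400000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA981111222233334444:
pub:-:4096:1:AAAABBBBCCCCDDDD:1500000000:::-:::scESC::::::23::0:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFAAAABBBBCCCCDDDD:
uid:-::::1500000000::::Someone Else <other@example.org>::::::::::0:
EOF
}

# Print the fingerprint of every primary key in a colon listing on stdin.
# An "fpr" record carries the fingerprint in field 10; only the one that
# directly follows a "pub" record belongs to the primary key.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# check_key KEYID PINNED_FPR... < colon-listing
# Prints the fingerprint that both ends in KEYID (the case for OpenPGP v4
# keys) and equals one of the pinned fingerprints; returns 1 if none does.
check_key() {
    [ -n "$1" ] || return 2
    keyid=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    shift
    for fpr in $(primary_fingerprints); do
        case $fpr in
            *"$keyid") ;;        # tail matches the ID from the makepkg error
            *) continue ;;
        esac
        for pinned in "$@"; do
            pinned=$(printf '%s' "$pinned" | tr 'a-f' 'A-F')
            if [ "$pinned" = "$fpr" ]; then
                printf '%s\n' "$fpr"
                return 0
            fi
        done
    done
    return 1
}

# On a real system, after `gpg --recv-keys <keyid>`:
#   gpg --with-colons --fingerprint <keyid> | check_key <keyid> <validpgpkeys entries>
```

A failure here means the key that was fetched is not the one the package maintainer pinned, even though its key ID matches the error message.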