When running makepkg to build a package, I get the error "ERROR: One or more PGP signatures could not be verified!" - what should I do?


(nobody) #1

When running makepkg to build a package, I get this error:

$ makepkg -si
...
==> Verifying source file signatures with gpg...
    source.tar.xz ... FAILED (unknown public key EB5A95EC99421F98)
==> ERROR: One or more PGP signatures could not be verified!

The above output is only an example, and intentionally incomplete for the sake of #help:faq brevity. Kindly provide the complete output of commands when asking for help.

What is this, and how can I resolve the issue?


(Hans Tovetjärn) #2

The signature checking implemented in makepkg does not use pacman's keyring, instead relying on the user’s keyring. If a signature file in the form of .sig or .asc is part of the PKGBUILD source array, makepkg automatically attempts to verify it. In case the user’s keyring does not contain the needed public key for signature verification, makepkg will abort the installation with a message that the PGP key could not be verified, like so:

==> Verifying source file signatures with gpg...
    source.tar.xz ... FAILED (unknown public key EB5A95EC99421F98)
==> ERROR: One or more PGP signatures could not be verified!

If a needed public key for a package is missing, the PKGBUILD will most likely contain a validpgpkeys entry with the required key IDs. You can import the key manually, or you can find it on a keyserver and import it from there. To import the key from a keyserver using gpg, search for the key by its key ID like so:

$ gpg --search-keys EB5A95EC99421F98
gpg: searching for "EB5A95EC99421F98" from hkp server keys.gnupg.net
(1)    H W Tovetjärn (totte) <totte@chakralinux.org>
       4096 bit RSA key 99421F98, created: 2016-07-05, expires: 2018-06-06

You can now import it like so:

$ gpg --receive-keys EB5A95EC99421F98

If you want to disable signature checking, you can remove the lines referring to the signature file and the validpgpkeys array in the PKGBUILD.
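
A check to run before the import step described in the reply above, as an added example that is not part of the original posts: confirm that the key ID from makepkg's error matches a full fingerprint listed in the PKGBUILD's validpgpkeys array, then fetch the key by that fingerprint rather than by the shorter key ID. The function names are hypothetical, and the PKGBUILD fragment and both fingerprints are constructed placeholders.

```sh
#!/bin/sh
# Added example. The PKGBUILD is parsed as text and never sourced,
# so nothing inside it is executed by this check.

# Print every 40-hex fingerprint inside validpgpkeys=( ... ), upper-cased.
pkgbuild_fingerprints() {
    awk '/^[ \t]*validpgpkeys=\(/ { inarr = 1 }
         inarr { sub(/#.*/, ""); print; if (index($0, ")")) inarr = 0 }' "$1" |
        tr -c '[:alnum:]' '\n' | tr '[:lower:]' '[:upper:]' |
        grep -E '^[0-9A-F]{40}$'
}

# Map the key ID from makepkg's "unknown public key" error to the full
# fingerprint the packager listed. Returns 1 if none matches, 2 if the
# argument is not a 16-hex key ID or a 40-hex fingerprint.
fingerprint_for_keyid() {
    keyid=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$keyid" | grep -Eq '^([0-9A-F]{16}|[0-9A-F]{40})$' || return 2
    match=$(pkgbuild_fingerprints "$1" | grep "${keyid}\$" | head -n 1)
    [ -n "$match" ] || return 1
    printf '%s\n' "$match"
}

# Constructed PKGBUILD fragment; checksums and fingerprints are placeholders.
sample_pkgbuild() {
    cat <<'EOF'
pkgname=example
source=("source.tar.xz" "source.tar.xz.sig")
sha1sums=('AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF' 'SKIP')
validpgpkeys=(
  '1111111111111111111111111111111111111111'  # placeholder: another signer
  '000000000000000000000000eb5a95ec99421f98'  # placeholder ending in the key ID
)
EOF
}

demo_file=$(mktemp)
sample_pkgbuild > "$demo_file"
if fp=$(fingerprint_for_keyid "$demo_file" EB5A95EC99421F98); then
    echo "key ID is listed in validpgpkeys; fetch with: gpg --recv-keys $fp"
else
    echo "key ID is not in validpgpkeys; do not import it for this package" >&2
fi
rm -f "$demo_file"
```

The sha1sums entry is also 40 hex digits, which is why the parser only reads inside the validpgpkeys array.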

