Baph pgp key issue

Hi there,

I have an issue that you all can possibly help me with.
I was a regular user of the protonvpn community cli script. Now there is an official version on the aur called protonvpn-cli. When trying to install this package with baph, I always get a pgp error (==> ERROR: Failed to lookup key by name: A884 41BD 4864 F95B EE08 E63A 71EB 4740 1994 0E11) even though I imported the key manually and signed it as well with pacman-key. If I pacman-key --finger, the key is there but it is somehow not recognized when trying to install the package. Now I am not sure if this is an issue with baph or with my system. So it would be awesome if any of you guys could maybe try and install the protonvpn-cli package from aur via baph and let me know if it works for you?
(See this link for more information on how to manually import the provided official pgp key)
Also, I noticed that there was a recent bugfix release for baph regarding pgp keys, maybe @natemaia has an idea what’s going on?

Thanks in advance, regards

Sorry for the slow response

It doesn’t seem like the key is available from the default keyserver. The pkgbuild is also a bit strange as it uses spaces in the PGP key causing failed lookups.

I’d import it manually using the file they provide then do all the signing

curl https://repo.protonvpn.com/debian/public_key.asc -o protonkey
sudo pacman-key --add protonkey
sudo pacman-key --finger "A88441BD4864F95BEE08E63A71EB474019940E11"
sudo pacman-key --lsign-key "A88441BD4864F95BEE08E63A71EB474019940E11"

I’ve pushed another commit for baph to strip spaces from PGP keys so lookup shouldn’t fail. You should update first to get the latest and then install as if the key was never an issue.

sudo pacman -Syyu
# should now have baph v1.2
baph -inN protonvpn-cli

Hope that helps
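The check below is an added example, not part of the original posts or of baph: it normalizes a fingerprint written with spaces, as in the PKGBUILD mentioned above, and compares it with the primary-key fingerprint of a downloaded key file before that file goes to pacman-key --add. The function names and the colon-format sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a downloaded key file against the expected
# fingerprint before importing it into the pacman keyring.

# Normalize a fingerprint as written in a PKGBUILD or on a web page:
# drop whitespace and an optional 0x prefix, uppercase, require 40 hex digits.
# A 16-digit long key ID is rejected: it is not a full fingerprint.
normalize_fpr() {
    local fpr
    fpr=$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    fpr=${fpr#0X}
    case $fpr in *[!0-9A-F]*) return 1 ;; esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Read `gpg --with-colons` output on stdin and print each primary key
# fingerprint: the first "fpr" record after a "pub" record (field 10).
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if the key file holds exactly one primary key and its
# fingerprint equals the expected one.
key_matches() {  # usage: key_matches <keyfile> <expected fingerprint>
    local expected got
    expected=$(normalize_fpr "$2") || { echo "bad fingerprint: $2" >&2; return 2; }
    got=$(gpg --show-keys --with-colons "$1" 2>/dev/null | primary_fprs)
    [ "$got" = "$expected" ]
}

# Constructed colon-format sample (dates, uid and subkey are made up).
SAMPLE_COLONS='pub:-:4096:1:71EB474019940E11:1500000000:::-:::scESC::::::23::0:
fpr:::::::::A88441BD4864F95BEE08E63A71EB474019940E11:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example <repo@example.invalid>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1500000000::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000001:'

# Typical use (not run here):
#   key_matches protonkey "A884 41BD 4864 F95B EE08 E63A 71EB 4740 1994 0E11" \
#     && sudo pacman-key --add protonkey
```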

Hey nate,

thanks a lot for your reply!
I told the protonvpn staff about the spaces in the key and asked if that might be an issue but, unfortunately, their support seems quite… well… helpless sometimes, I guess and they couldn’t really give me a solid comment on this matter.
I did import the key manually before and signed it as well, but it still didn’t work when trying to install with baph, as I mentioned in the original post.

I tried pacman -Syyu to update baph but it now gives me a pgp key error for your key, which it has not done before?

:: Import PGP key B81EB14A09A25EB0, "Nathaniel Maia <natemaia10@gmail.com>"? [Y/n] y
error: key "B81EB14A09A25EB0" could not be looked up remotely
error: required key missing from keyring
error: failed to commit transaction (unexpected error)

No worries and sorry for the delay.

Hmm, we had some others with issues like this and our keyring hasn’t had an update in years so I just updated it and pushed the new package but you may have to manually install it, try this guide.

Failing that can you post the keyserver you’re using

grep 'keyserver ' /etc/pacman.d/gnupg/gpg.conf

I’m having issues sending my key to the default keyserver so you could try changing it to hkp://pgp.mit.edu or hkp://keyserver.ubuntu.com and try again.

Lemme know if you run into issues, just @me or respond to this or I don’t get a notification and will have to remember to come back and check for replies.

Thanks for the continued support!
So I have tried to make the linked guide by dobbie work with a specific keyserver and setting. Don’t ask me why but I seem to need this flag to make it work: --keyserver hkp://keyserver.ubuntu.com:80
So I imported all the keys as described in Dobbie’s post but then the following happens:

Packages (1) archlabs-keyring-2021.07.11-1

Total Installed Size:   0.01 MiB
Net Upgrade Size:      -0.02 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring                                                                                                                                      [------------------------------------------------------------------------------------------------------] 100%
(1/1) checking package integrity                                                                                                                                    [------------------------------------------------------------------------------------------------------] 100%
error: archlabs-keyring: signature from "Nathaniel Maia <natemaia10@gmail.com>" is unknown trust
:: File /var/cache/pacman/pkg/archlabs-keyring-2021.07.11-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y

Any idea why it errors out here now after successfully importing all the keys?

Previous post/edits

So the guide by dobby that you linked does not work for me.
I cleared the cache but then e.g. gpg --receive-keys AEFB411B072836CD48FF0381AE252C284B5DBA5D gives me gpg: keyserver receive failed: Server indicated a failure.
grep 'keyserver ' /etc/pacman.d/gnupg/gpg.conf gave me no specific keyserver, so I set it first to one, then to the other option you mentioned (I added e.g. keyserver hkp://gpg.mit.edu to the gpg.conf) but the same error (see above) kept coming up when trying to receive keys.
Also, this failed as well with the same error: gpg --keyserver hkp://gpg.mit.edu --receive-keys AEFB411B072836CD48FF0381AE252C284B5DBA5D

Setting SigLevel = Optional TrustAll seems a bit counter-intuitive to me, so I have not done that.

edit: Rebooting changed nothing. I also noticed the archlabs-keyring update but the same error occurs:

Packages (1) archlabs-keyring-2021.07.11-1

Total Installed Size:   0.01 MiB
Net Upgrade Size:      -0.02 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring                                                                                                                                      [------------------------------------------------------------------------------------------------------] 100%
downloading required keys...
:: Import PGP key B81EB14A09A25EB0, "Nathaniel Maia <natemaia10@gmail.com>"? [Y/n] y
error: key "B81EB14A09A25EB0" could not be looked up remotely
error: required key missing from keyring
error: failed to commit transaction (unexpected error)

So there definitely seems to be an issue with a keyserver setting that might be specific to me but then again I never bothered with any gpg settings changes or anything regarding pgp really, as so far everything just always worked.

edit2: I also tried setting a fixed port and a keyserver and certificate in the dirmngr.conf as described here: GnuPG - ArchWiki
All to no avail, unfortunately.

What a mess, have you used pacman-key --lsign-key KEYID with my key (9E4F11C6A072942A7B3FD3B0B81EB14A09A25EB0)? Give that a shot. I’m guessing you could also manually install the keyring with pacman -U.

I’m at work for another ~6hrs but I can look into it more after.


Signing the key indeed did the trick. Afterwards I was able to install the new keyring and the baph update without any more pgp errors, so that’s awesome!
protonvpn-cli does still not work for me but that definitely has nothing to do with baph or pgp keys anymore now as we excluded that possibility.
Thanks a lot for your patience and time, @natemaia! Always much appreciated.


I dunno where to post this here, but I am getting this on pacman and baph, and even yay:

error: spdlog: signature from “Brett Cornwall brett@i--b.com” is unknown trust
:: File /var/cache/pacman/pkg/spdlog-1.9.1-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.
error installing repo packages

That sux @drummer

Is that after @natemaia's last pgpkey post? If not, you might try it out later & see what it does, maybe the repo that you use isn't updated.

Edit: From @natemaia's last post:

What a mess, have you used pacman-key --lsign-key KEYID with my key (9E4F11C6A072942A7B3FD3B0B81EB14A09A25EB0)? Give that a shot. I’m guessing you could also manually install the keyring with pacman -U.


I’ll try that next time I boot into AL. I’ll give the skinny here if that worked.


Ok cool, hopefully it will do the trick!


If you have to use spdlog, manually install Brett’s key, “eddsa263be2dbcf2b1e3e588ac325aeaa06b49470f8e620a”

then update the system.


Update: the issue was waybar-git, with spdlog as a dependency. Uninstalled both, everything updated just swimmingly.


Glad that you fixed it @drummer
