A note on using GPG signatures in PKGBUILDs...


I use GPG signatures for all sources for all my packages in the AUR.

I may go into more detail about why this is a good idea later, BUT if you’re a user and you’re stuck on makepkg-ing and keep getting an error (or multiple errors) that looks like:

some.file … FAILED (unknown public key 8C004C2F93481F6B)

Then you need to import my public key. This needs to be done by the user doing the package building:

gpg --keyserver pool.sks-keyservers.net --recv 8C004C2F93481F6B

This will not sign my public key0, NOR will it add trust to it. It simply keeps a copy of my public key on your local computer so you (or, in this case, makepkg) can verify the file(s). (For further information on my GPG key, please see this article.)

If you do NOT want this behaviour, you have several options:

  • makepkg --skippgpcheck
    • This will have makepkg use the SHA512 checksums I include in my packages instead to verify sources.
    • If you don’t want that EITHER, you can do either makepkg --skippgpcheck --skipchecksums OR the more succinct makepkg --skipinteg
  • use an AUR helper such as apacman that will let you import the key but only temporarily for the build, or skip it, etc.
  • edit the PKGBUILD manually and remove the .sig files from the source arrays (remember to remove their corresponding ‘SKIP’ entries in the SHA512 checksum arrays), and rm *.sig
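The last option above is easy to get wrong by hand because the ‘SKIP’ that has to go is the one at the same position as the .sig entry. The script below is an added example (not code from the original post) that performs that edit on a constructed PKGBUILD fragment. It assumes one array entry per line, that source=() precedes the *sums=() arrays, and that the first source entry is not itself a signature file.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the manual edit the
# post describes by dropping .sig (or .asc) entries from source=() together
# with the checksum entry at the same position in every *sums=() array.
# Assumptions: one array entry per line, source=() comes before the checksum
# arrays, and the first source entry is not itself a signature file.

strip_sig_entries() {
    awk '
    function flush() { if (pending != "") print pending; pending = "" }
    # An array opener such as source=( or sha512sums=( restarts the index count
    /^[A-Za-z0-9_]+=\(/ {
        flush()
        name = $0; sub(/=\(.*/, "", name)
        idx = 0
        rest = $0; sub(/^[A-Za-z0-9_]+=\(/, "", rest)
        if (rest ~ /^[ \t]*$/) { print; next }   # entries start on the next line
    }
    name != "" {
        idx++
        closing = ($0 ~ /\)[ \t]*$/)
        drop = 0
        if (name ~ /^source/ && $0 ~ /\.(sig|asc)[^A-Za-z0-9.]*$/) { skip[idx] = 1; drop = 1 }
        else if (name ~ /sums/ && skip[idx]) drop = 1
        # A dropped last entry carries the closing paren; hand it to the previous kept one
        if (drop && closing) { if (pending != "") pending = pending ")"; else print ")" }
        if (!drop) { flush(); pending = $0 }
        if (closing) name = ""
        next
    }
    { flush(); print }
    END { flush() }
    '
}

# Constructed PKGBUILD fragment in the layout the post describes (not a real package)
sample_pkgbuild() {
    cat <<'EOF'
pkgname=example
source=("https://example.invalid/${pkgname}-1.0.tar.gz"
        "https://example.invalid/${pkgname}-1.0.tar.gz.sig"
        "${pkgname}.install")
sha512sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP'
            '1111111111111111111111111111111111111111111111111111111111111111')
EOF
}

# The edited fragment: the .sig line and its matching 'SKIP' are both gone
stripped_sample() { sample_pkgbuild | strip_sig_entries; }

stripped_sample
```

Run it against a real PKGBUILD with `strip_sig_entries < PKGBUILD`, then `rm *.sig` as described above.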

0 BUT you are certainly welcome to!
Proof of identity here and here.
I am also on Keybase.io – and have invites I need to get rid of, too! Feel free to ask me for one!

Categories AUR, InfoSec
