
#1 2026-03-25 20:34:33

clxxiii
Member
Registered: 2022-12-12
Posts: 4

PGP verification is failing despite linking correct key and signature

I have a PKGBUILD that looks as follows:

_pkgname='jreleaser'
pkgname=${_pkgname}-bin
pkgver='1.23.0'
pkgrel='2'
pkgdesc='An automation tool for Java and non-Java projects for creating releases and publishing artifacts.'
url='https://github.com/jreleaser/jreleaser'
license=('Apache-2.0')
arch=('x86_64' 'aarch64')

depends=(
  'glibc'
  'zlib'
)
optdepends=(
  'docker: Release docker images'
)
makedepends=(
  'unzip'
)

conflicts=(${_pkgname})
provides=(${_pkgname})

source_x86_64=("${url}/releases/download/v${pkgver}/${_pkgname}-native-${pkgver}-linux-x86_64.zip"{,.asc})
source_aarch64=("${url}/releases/download/v${pkgver}/${_pkgname}-native-${pkgver}-linux-aarch64.zip"{,.asc})
sha256sums_x86_64=('0cecc7d88a1645c6b3350e755f618fc8a2a507187012a2f265f6c0880a178ef5' 'SKIP')
sha256sums_aarch64=('e597095746e53a2e69681ee8c1e8e8b8548ced186a3241f9ef2707f8cde033e5' 'SKIP')

validpgpkeys=('F1D5F6A91C86B0702CD0734BCCC55C5167419ADB')

For the pgp verification, I referenced mullvad's PKGBUILD to see how they did it, and everything seems to match. However, running `makepkg -Csfi` yields the following issue:

==> Retrieving sources...
  -> Found jreleaser-native-1.23.0-linux-x86_64.zip
  -> Found jreleaser-native-1.23.0-linux-x86_64.zip.asc
==> Validating source_x86_64 files with sha256sums...
    jreleaser-native-1.23.0-linux-x86_64.zip ... Passed
    jreleaser-native-1.23.0-linux-x86_64.zip.asc ... Skipped
==> Verifying source file signatures with gpg...
    jreleaser-native-1.23.0-linux-x86_64.zip ... SIGNATURE NOT FOUND
FAILED
==> ERROR: One or more PGP signatures could not be verified!

I have the key imported, and manually verifying the file using `gpg --verify jreleaser-native-1.23.0-linux-x86_64.zip.asc` outputs this:

gpg: assuming signed data in 'jreleaser-native-1.23.0-linux-x86_64.zip'
gpg: Signature made Sat 28 Feb 2026 02:46:34 AM EST
gpg:                using RSA key CCC55C5167419ADB
gpg: Good signature from "Andres Almiray <aalmiray@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F1D5 F6A9 1C86 B070 2CD0  734B CCC5 5C51 6741 9ADB

Which is also what mullvad's package outputs, so I'm not sure what's going wrong or how I can fix it.


#2 2026-03-25 23:40:46

Scimmia
Fellow
Registered: 2012-09-01
Posts: 13,712

Re: PGP verification is failing despite linking correct key and signature

makepkg verifies with gpg's --batch option, which fails in this case. Not sure why, though.

gpg: indeterminate length packet of type 8 in detached signature
gpg: [don't know]: invalid packet (ctb=00)
gpg: no signature found
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.


#3 2026-03-26 10:48:47

progandy
Member
Registered: 2012-05-17
Posts: 5,307

Re: PGP verification is failing despite linking correct key and signature

The signature has an invalid packet at the start, no idea why. The batch mode seems to be unable to handle it.

 % gpg --list-packets jreleaser-native-1.23.0-linux-x86_64.zip.asc
# off=0 ctb=a3 tag=8 hlen=1 plen=0 indeterminate
:compressed packet: algo=0
# off=2 ctb=c2 tag=2 hlen=3 plen=540 new-ctb
:signature packet: algo 1, keyid CCC55C5167419ADB
	version 4, created 1772264794, md5len 0, sigclass 0x00
	digest algo 2, begin of digest 57 c8
	critical hashed subpkt 2 len 4 (sig created 2026-02-28)
	subpkt 16 len 8 (issuer key ID CCC55C5167419ADB)
	data: [4095 bits]

% CUTF gpg --verify --batch jreleaser-native-1.23.0-linux-x86_64.zip.asc jreleaser-native-1.23.0-linux-x86_64.zip
gpg: indeterminate length packet of type 8 in detached signature
gpg: [don't know]: invalid packet (ctb=00)
gpg: no signature found
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

% gpg -o - --dearmor jreleaser-native-1.23.0-linux-x86_64.zip.asc | tail -c +3 >fixed.gpg

% gpg --list-packets fixed.gpg
# off=0 ctb=c2 tag=2 hlen=3 plen=540 new-ctb
:signature packet: algo 1, keyid CCC55C5167419ADB
	version 4, created 1772264794, md5len 0, sigclass 0x00
	digest algo 2, begin of digest 57 c8
	critical hashed subpkt 2 len 4 (sig created 2026-02-28)
	subpkt 16 len 8 (issuer key ID CCC55C5167419ADB)
	data: [4095 bits]

% CUTF gpg --verify --batch fixed.gpg jreleaser-native-1.23.0-linux-x86_64.zip
gpg: Signature made 2026-02-28 W09-6 08:46:34 +0100 CET
gpg:                using RSA key CCC55C5167419ADB
gpg: Good signature from "Andres Almiray <aalmiray@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: F1D5 F6A9 1C86 B070 2CD0  734B CCC5 5C51 6741 9ADB

Last edited by progandy (2026-03-26 10:49:28)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |

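An added example, not from the thread and not part of jreleaser or makepkg, that does in Python what progandy's `--list-packets` / `tail -c +3` steps do by hand: it dearmors the `.asc`, walks the OpenPGP packet headers (RFC 4880 section 4.2), and only strips the leading two bytes when they really are an old-format, indeterminate-length compressed-data packet (tag 8, algo 0) followed by exactly one signature packet. The armored input is a constructed blob laid out like the one listed above (ctb a3, then a new-format tag 2 packet with a 540-byte body), not the real jreleaser signature.

```python
import base64
import re
import textwrap

# Constructed sample: old-format CTB 0xa3 (tag 8, indeterminate length) + algo byte 0x00,
# then a new-format signature packet (tag 2, 2-byte length 540), as in the thread's listing.
SIG_BODY = bytes(540)  # placeholder body; a real one carries version, subpackets and RSA data
SAMPLE_RAW = bytes([0xA3, 0x00, 0xC2, 0xC1, 0x5C]) + SIG_BODY
SAMPLE_ASC = ("-----BEGIN PGP SIGNATURE-----\n\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_RAW).decode(), 64))
              + "\n=XXXX\n-----END PGP SIGNATURE-----\n")  # =XXXX stands in for the CRC24 line

def dearmor(armored: str) -> bytes:
    """Drop the armor envelope, any armor headers and the =CRC line; base64-decode the rest."""
    block = re.search(r"-----BEGIN PGP [A-Z ]+-----\r?\n(.*?)-----END PGP", armored, re.S).group(1)
    payload = block.split("\n\n", 1)[1] if "\n\n" in block else block
    b64 = "".join(l.strip() for l in payload.splitlines() if l.strip() and not l.startswith("="))
    return base64.b64decode(b64)

def parse_header(data: bytes, off: int):
    """Return (tag, new_format, header_len, body_len); body_len is None for indeterminate length."""
    ctb = data[off]
    if not ctb & 0x80:
        raise ValueError(f"invalid packet (ctb={ctb:02x}) at offset {off}")
    if ctb & 0x40:  # new-format header: tag in low 6 bits, variable-size length field
        tag, b1 = ctb & 0x3F, data[off + 1]
        if b1 < 192:
            return tag, True, 2, b1
        if b1 < 224:
            return tag, True, 3, ((b1 - 192) << 8) + data[off + 2] + 192
        if b1 == 255:
            return tag, True, 6, int.from_bytes(data[off + 2:off + 6], "big")
        raise ValueError("partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03  # old-format header
    if ltype == 3:
        return tag, False, 1, None  # indeterminate: packet runs to end of data
    n = 1 << ltype
    return tag, False, 1 + n, int.from_bytes(data[off + 1:off + 1 + n], "big")

def list_packets(data: bytes):
    """(offset, tag, body_len) for each packet; stops at an indeterminate-length packet."""
    out, off = [], 0
    while off < len(data):
        tag, _, hlen, plen = parse_header(data, off)
        out.append((off, tag, plen))
        if plen is None:
            break
        off += hlen + plen
    return out

def repair_detached_sig(data: bytes) -> bytes:
    """The thread's fix, with a guard: strip 'a3 00' only if a lone tag-2 packet then remains."""
    tag, new, _, plen = parse_header(data, 0)
    if tag == 2:
        return data  # already a bare signature packet, nothing to do
    if not (tag == 8 and not new and plen is None and data[1] == 0):
        raise ValueError("unexpected leading packet; refusing to guess")
    fixed = data[2:]
    tag2, _, hlen2, plen2 = parse_header(fixed, 0)
    if tag2 != 2 or hlen2 + plen2 != len(fixed):
        raise ValueError("remainder is not exactly one signature packet")
    return fixed
```

The repaired bytes are what `gpg --verify --batch` would be handed; the guard refuses anything other than the exact two-byte prefix seen in this thread, so a differently malformed file fails loudly instead of being silently rewritten.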

#4 2026-03-26 21:04:22

clxxiii
Member
Registered: 2022-12-12
Posts: 4

Re: PGP verification is failing despite linking correct key and signature

progandy wrote:

The signature has an invalid packet at the start, no idea why. The batch mode seems to be unable to handle it.

Weird hmm

What I could do is add the fixer command you supplied in a `prepare()` function, if I really wanted to get the signature to work, but modifying the signature feels wrong. Should I modify the signature & do a checksum on the .asc file, or should I just leave the package unsigned until a new release (maybe) fixes it?
