
Arch Linux Keys bug
Closed, Resolved (Public)

Description

pacman-key --refresh-keys no longer completes the process. Errors out.

Additional info:

  • package version(s)
  • config and/or log files etc.

Steps to reproduce:
pacman-key --refresh-keys
gpg: refreshing 91 keys from hkp://pool.sks-keyservers.net
gpg: key B61DBCE10901C163: "Balló György <ballogyor@gmail.com>" 1 new signature
gpg: key 4AC5588F941C2A25: "Antonio Rojas <arojas@archlinux.org>" 1 new signature
gpg: key FCF3C8CB5CF9C8D4: "Alexander Rødseth <rodseth@gmail.com>" 1 new signature
gpg: key 9D893EC4DAAF9129: "Bruno Pagani <bruno.pagani@ens-lyon.org>" 110 new signatures
gpg: key 2E89012331361F01: "Evgeniy Alekseev <arcanis@archlinux.org>" 5 new signatures
gpg: key FC1B547C8D8172C8: "Levente Polyak (anthraxx) <levente@leventepolyak.net>" 95 new signatures
gpg: key 42A1DB15EC133BAD: "Angel Velásquez <angvp@archlinux.org>" 1 new signature
gpg: key 94657AB20F2A092B: "Andreas Radke <andyrtr@archlinux.org>" 2 new signatures
gpg: key F3E1D5C5D30DB0AD: "Andrea Scarpino <me@andreascarpino.it>" 359 new signatures
gpg: key B02854ED753E0F1F: "Anatol Pomozov <anatol.pomozov@gmail.com>" 4 new signatures
gpg: key 9BDCF497A4BBCC7F: "Ambrevar <ambrevar@gmail.com>" 2 new signatures
gpg: key AFF5D95098BC6FF5: "Maxime Gauduin <alucryd@alucryd.xyz>" 1 new signature
gpg: key F99FFE0FEAE999BD: "Allan McRae <me@allanmcrae.com>" 6 new signatures
gpg: key 40F557B731496106: "Andrzej Giniewicz (giniu) <gginiu@gmail.com>" 1 new signature
gpg: key A04F9397CDFD6BB0: "Dan McGee (Arch Linux Master Key) <dan@master-key.archlinux.org>" 7 new signatures
gpg: key 5184252D824B18E8: "Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>" 6 new signatures
gpg: key 3348882F6AC6A4C2: "Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>" 7 new signatures
gpg: key 7EFD567D4C7EA887: "Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>" 5 new signatures
gpg: key A88E23E377514E00: "Florian Pritz (Arch Linux Master Key) <florian@master-key.archlinux.org>" 3 new signatures
gpg: key BA1DFB64FFF979E7: "Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>" 12 new signatures
gpg: key DB323392796CA067: "Ike Devolder <ike.devolder@gmail.com>" 2 new signatures
gpg: key E8F18BA1615137BC: "Ionut Biru <ibiru@archlinux.org>" 6 new signatures
gpg: key A5E9288C4FA415FA: "Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>" 161 new signatures
gpg: key DA6426DD215B37AD: "Guillaume ALAUX <guillaume@archlinux.org>" 197 new signatures
gpg: key F22FB1D78A77AEAB: "Giancarlo Razzolini (grazzolini) <grazzolini@archlinux.org>" 1 new signature
gpg: key B7310AE5F04569AE: "Giovanni Scafora <giovanni@archlinux.org>" 13 new signatures
gpg: key 786C63F330D7CB92: "Felix Yan <felixonmars@gmail.com>" 270 new signatures
gpg: key 51E8B148A9999C34: "Evangelos Foutras <evangelos@foutrelis.com>" 11 new signatures
gpg: key 90CB3D62C13D4796: "Jiachen Yang <farseerfc@gmail.com>" 4 new signatures
gpg: key 59B3122E2FA915EC: "Alexandre Filgueira <alexfilgueira@cinnarch.com>" 1 new signature
gpg: key A6234074498E9CEE: "Christian Hesse (Arch Linux Package Signing) <arch@eworm.de>" 64 new signatures
gpg: key FCF2CB179205AC90: "Eric Belanger <eric@archlinux.org>" 1 new signature
gpg: key 5FA5E5544F010D48: "Daniel Wallace <danielwallace@gtmanfred.com>" 7 new signatures
gpg: key 1EB2638FF56C0C53: "Dave Reisner <d@falconindy.com>" 10 new signatures
gpg: key 5ED514A45BD5C938: "Gerardo Exequiel Pozzi <vmlinuz386@gmail.com>" 7 new signatures
gpg: key E613C09CB4440678: "Daniel Isenmann <daniel@archlinux.org>" 1 new signature
gpg: key 5C2E46A0F53A76ED: "Dan McGee <dpmcgee@gmail.com>" 17 new signatures
gpg: key D53A0445B47A0DAB: "Connor Behan <connor.behan@gmail.com>" 1 new signature
gpg: key BBE43771487328A9: "Bartlomiej Piotrowski <b@bpiotrowski.pl>" 12 new signatures
gpg: key 6D1655C14CE1C13E: "Florian Pritz <bluewind@xinu.at>" 52 new signatures
gpg: key E62F853100F0D0F0: "Gaetan Bisson <gaetan@fenua.org>" 116 new signatures
gpg: key CF7037A4F27FB7DA: "speps <speps@aur.archlinux.org>" 5 new signatures
gpg: key D21461E3DFE2060D: "Christian Rebischke (Arch Linux Security Team-Member) <Chris.Rebischke@archlinux.org>" 21 new signatures
gpg: key 8DBD63B82072D77A: "Sébastien Luttringer <seblu@seblu.net>" 17 new signatures
gpg: key 456C7A9B91B842AE: "Jakob Gruber <jakob.gruber@gmail.com>" 1 new signature
gpg: key 81AF739EC0711BF1: "Rashif Rahman (Ray) <schiv@archlinux.org>" 1 new signature
gpg: key 426991CD8406FFF3: "Ronald van Haren <ronald@archlinux.org>" 1 new signature
gpg: key 206CBC892D1493D2: "Rémy Oudompheng <remy@archlinux.org>" 12 new signatures
gpg: key 7F2D434B9741E8AC: "Pierre Schmitz <pierre@archlinux.de>" 18 new signatures
gpg: key 51DAE9B7C1AE9161: "NicoHood <pgp@nicohood.de>" 1 new user ID
gpg: key 51DAE9B7C1AE9161: "NicoHood <pgp@nicohood.de>" 3 new signatures
gpg: key B4360204B250F0D3: "Fabio Castelli <muflone@vbsimple.net>" 100 new signatures
gpg: key 94DD2393DA2EE423: "Massimiliano Torromeo (Personal non-work identity) <massimiliano.torromeo@gmail.com>" 2 new signatures
gpg: key A91764759326B440: "Lukas Fleischer <lfleischer@lfos.de>" 26 new signatures
gpg: key 06096A6AD1CEDDAC: "Laurent Carlier <lordheavym@gmail.com>" 1 new signature
gpg: key 50FB9B273A9D0BB5: "Johannes Löthberg <johannes@kyriasis.com>" 21 new signatures
gpg: key 396E3E25BAB142C1: "Kyle Keen <keenerd@gmail.com>" 1 new signature
gpg: key A3D9562A589874AB: "Jürgen Hötzel <juergen@hoetzel.info>" 2 new signatures
gpg: key 332C9C40F40D2072: "Jonathan Steel <mail@jsteel.org>" 5 new signatures
gpg: key 24E4CDB0013C2580: "Jaroslav Lichtblau <svetlemodry@archlinux.org>" 4 new signatures
gpg: key 37E0AF1FDA48F373: "Jerome Leclanche <jerome@leclan.ch>" 6 new signatures
gpg: key 976AC6FA3B94FA10: "Jan de Groot <info@jandegrootict.nl>" 2 new signatures
gpg: key C06086337C50773E: "Jelle van der Waa <jelle@vdwaa.nl>" 3 new signatures
gpg: key 654B877A0864983E: "Martin Wimpress (http://www.flexion.org) <martin@flexion.org>" 19 new signatures
gpg: key F2DBB4931985A992: "Dieter Plaetinck <dieter@plaetinck.be>" 6 new signatures
gpg: key 761FAD69BA06C6A9: "Dicebot <public@dicebot.lv>" 5 new signatures
gpg: key A001876699AD6E84: "Gavin Marciniak-Bisesi <Daenyth@gmail.com>" 13 new signatures
gpg: key E6B456CAF15447D5: "Federico Cinelli <cinelli@aur.archlinux.org>" 11 new signatures
gpg: key E2539214C6C11350: "Federico Cinelli <cinelli.federico@gmail.com>" 5 new signatures
gpg: key 7F2A16726521E06D: "Christopher Brannon <chris@the-brannons.com>" 12 new signatures
gpg: key 1F0CD4921ECAA030: "Baptiste Jonglez <baptiste@bitsofnetworks.org>" 94 new signatures
gpg: key 1D1F0DC78F173680: "Xyne. (key #3) <xyne@archlinux.ca>" 4 new signatures
gpg: key 097D629E437520BD: "Vesa Kaihlavirta <vegai@iki.fi>" 1 new signature
gpg: key 39E4F17F295AFBF4: "Thorsten Töpper <atsutane@freethoughts.de>" 132 new signatures
gpg: key E711306E3C4F88BC: "Timothy Redaelli <timothy.redaelli@gmail.com>" 6 new signatures
gpg: key 771DF6627EDF681F: "Tobias Powalowski <tobias.powalowski@googlemail.com>" 7 new signatures
gpg: key C8880A6406361833: "Tom Gundersen <teg@jklm.no>" 5 new signatures
gpg: key 284FC34C8E4B1A25: "Thomas Bächler <thomas.baechler@gmx.de>" 6 new signatures
gpg: key F9E712E59AF5F22A: "Daniel Micay <danielmicay@gmail.com>" 6 new signatures
gpg: key C847B6AEB0544167: "Nicola Squartini <tensor5@gmail.com>" not changed
gpg: key 7FB1A3800C84C0A5: "Thomas Dziedzic <gostrc@gmail.com>" 1 new signature
gpg: key 39E4B877E62EB915: "Sven-Hendrik Haase <svenstaro@gmail.com>" 1 new signature
gpg: key 73B8ED52F1D357C1: "Lukas Jirkovsky <l.jirkovsky@gmail.com>" 1 new signature
gpg: key 65C110C1EA433FC7: "Sergej Pupykin <arch@sergej.pp.ru>" 4 new signatures
gpg: key 5CED81B7C2E5C0D2: "Xyne. <xyne@archlinux.ca>" 6 new signatures
gpg: key EA6836E1AB441196: "Stéphane Gaudreault <stephane@archlinux.org>" 6 new signatures
gpg: key 3A726C6170E80477: "Роман Кирилич (Roman Kyrylych) <roman@archlinux.org>" 5 new signatures
gpg: key 6D1A9E70E19DAA50: "Peter Richard Lewis <pete@muddygoat.org>" 153 new signatures
gpg: key B9113D1ED21E1A55: "Kaiting Chen <kaitocracy@gmail.com>" 5 new signatures
gpg: key 5F946DED983D4366: "Justin Davis (juster) <jrcd83@gmail.com>" 8 new signatures
gpg: key AF7EF7873CFD4BB6: "Jonathan Conder <jonno.conder@gmail.com>" 5 new signatures
gpg: Total number processed: 90
gpg: unchanged: 1
gpg: new user IDs: 1
gpg: new signatures: 2362
gpg: [don't know]: invalid packet (ctb=1e)
gpg: keyring_get_keyblock: read error: Invalid packet
gpg: keydb_get_keyblock failed: Invalid keyring
gpg: keydb_search failed: Invalid keyring
gpg: [don't know]: invalid packet (ctb=0a)
gpg: keyring_get_keyblock: read error: Invalid packet
gpg: keydb_get_keyblock failed: Invalid keyring
gpg: keydb_search failed: Invalid keyring
gpg: packet(13) too large
gpg: keyring_get_keyblock: read error: Invalid packet
gpg: keyring_get_keyblock failed: Invalid keyring
gpg: failed to rebuild keyring cache: Invalid keyring
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: packet(13) too large
gpg: keyring_get_keyblock: read error: Invalid packet
gpg: keydb_get_keyblock failed: Invalid keyring
gpg: validate_key_list failed

> ERROR: A specified local key could not be updated from a keyserver.
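The `invalid packet (ctb=1e)`, `invalid packet (ctb=0a)` and `packet(13) too large` lines in the log above are packet-framing errors: RFC 4880 requires bit 7 of every packet's first octet (the CTB) to be set, which 0x1e and 0x0a lack, and packet type 13 is a user ID. The walker below is an added example, not GnuPG code and not from this report; it reports the first offset at which a keyring stream stops being well-framed. The names `walk_packets` and `MAX_UID_LEN`, the 2048-byte cap and the sample bytes are assumptions made for illustration.

```python
# Added example: walk OpenPGP packet framing (RFC 4880, section 4.2).
UID_TAG = 13             # user ID packet, the "packet(13)" in the log
MAX_UID_LEN = 2048       # assumed sanity cap for this example, not taken from the page
GOOD = b"\xb4\x04Test"   # constructed sample: old-format user ID packet holding "Test"


def walk_packets(data, max_uid_len=MAX_UID_LEN):
    """Return (packets, error): packets lists (offset, tag, body_len) for each
    well-framed packet; error is None or describes the first framing failure."""
    packets, pos, end = [], 0, len(data)

    def take(n):
        # Read n octets as a big-endian integer, or fail on a short read.
        nonlocal pos
        if pos + n > end:
            raise EOFError
        value = int.from_bytes(data[pos:pos + n], "big")
        pos += n
        return value

    while pos < end:
        start = pos
        try:
            ctb = take(1)
            if not ctb & 0x80:              # bit 7 is set on every valid header
                return packets, f"offset {start}: invalid packet (ctb={ctb:02x})"
            if ctb & 0x40:                  # new format: tag in bits 5..0
                tag, first = ctb & 0x3F, take(1)
                if first < 192:
                    length = first
                elif first < 224:
                    length = ((first - 192) << 8) + take(1) + 192
                elif first == 255:
                    length = take(4)
                else:                       # partial body lengths are not handled here
                    return packets, f"offset {start}: partial length in packet({tag})"
            else:                           # old format: tag in bits 5..2
                tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
                if ltype == 3:
                    return packets, f"offset {start}: indeterminate length in packet({tag})"
                length = take(1 << ltype)   # 1, 2 or 4 length octets
        except EOFError:
            return packets, f"offset {start}: truncated header"
        if tag == UID_TAG and length > max_uid_len:
            return packets, f"offset {start}: packet({tag}) too large ({length} bytes)"
        if pos + length > end:
            return packets, f"offset {start}: packet({tag}) body truncated"
        pos += length
        packets.append((start, tag, length))
    return packets, None
```

Reading the same bytes from a position that is not a packet boundary (for example `walk_packets(GOOD[1:])`) produces the same class of `invalid packet` message, so a clean walk of the on-disk file helps separate a damaged keyring from a reader that lost its position.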

Event Timeline

msifland created this object in space S1 Public.
gniibe added a subscriber: gniibe.

Could you please give us more information so that we can locate the issue?
I did the following, but I can't replicate the problem.
(1) Save the 91 key fingerprints listed in your log to a file (arch-keys.txt), from B61DBCE10901C163 to AF7EF7873CFD4BB6.
(2) Make a new directory (arch-test).
(3) Run the command:

$ gpg --homedir=arch-test --recv-keys $(cat arch-keys.txt )

It goes well with no problem. So, I think that merely downloading those keys can't reproduce it.
We need your existing keyring to reproduce it.
Please upload the public keyring if possible.

gniibe triaged this task as Normal priority. Apr 20 2017, 1:31 AM
gniibe added projects: gnupg (gpg21), Arch.

I tried what you listed above and it worked, just like you said. I have uploaded my public keyring to look at. But other users are having this problem as well. Thanks.

Thanks. But it's the wrong keyring, I suppose. What we need is not your own public keyring, but the public keyring which pacman uses.
IIUC, please upload the one in /etc/pacman.d/gnupg.

Odd. I used the pubring.gpg you uploaded.
Refresh-keys successfully retrieves keys, like:

gpg: Total number processed: 90
gpg:              unchanged: 58
gpg:         new signatures: 789
gpg: no ultimately trusted keys found

Apparently, it's not the same pubring. In your original report, new signatures are 2362.

I went through and was receiving keys individually just to see if it would work, and all of them work, except the:

pub   rsa2048 2017-04-21 [SC]
      7D78C64EE7B53F20CA2023E174695FC5AFD26845
uid           [ultimate] Pacman Keyring Master Key <pacman@localhost>

That is the one that is causing the problem here.
Error:

sudo pacman-key --recv-keys 7D78C64EE7B53F20CA2023E174695FC5AFD26845
gpg: keyserver receive failed: No data

> ERROR: Remote key not fetched correctly from keyserver.

Thank you for the additional info.
gpg --recv-keys can fail when we have a network problem or dirmngr doesn't work well.
I think that the failure in your original report is that something goes wrong when it merges keys into existing keys.
It would help me if you have the pubring.gpg from BEFORE you invoked "pacman-key --refresh-keys".

Here is the keyring before the refresh. Also when I downgrade gnupg to gnupg-2.1.19-1-x86_64, then everything works fine again. This is only happening on the latest release.

Thanks a lot!

With the pubring, I think I located an issue.
Reverting the commit fixes the problem for me: rG5556eca5acd4: gpg: Avoid multiple open calls to the keybox file.
Here is my proposed patch:

Cool. Thanks for your work here. Where would I apply this patch, or should I just wait until you guys have it fixed?

is for master branch. I think that it can be applied to 2.1.20, too.
I'm going to commit this patch today.