Asked to import PGP key during Brave upgrade

Snobbias

I'm on Manjaro, and I was notified Brave needs to be updated. It's from the AUR repository. While upgrading, I get a popup with this text:

The PGP key A66D805F7C9329B4C5D82767CCC4F07FAC641EFF is needed to verify python2-xcb-proto source files.
Trust Daniel Stone <[email protected]> and import the PGP key ?

Since I don't know Daniel Stone I cancelled and tried to continue, but the upgrade failed. After a bit of searching I ran a few commands to update my manjaro keyring, but I still got the above question when trying to install. Is this a security issue? Maybe better to uninstall completely and start from scratch?
 


The key is available on a public key server; try importing the public key:
gpg --recv-keys A66D805F7C9329B4C5D82767CCC4F07FAC641EFF
Also keep in mind that it's up to you whether you trust the packager or not. I usually decide based on the number of votes, the popularity and the PKGBUILD file whether I trust the AUR package or not. AUR has a disclaimer: "AUR packages are user produced content. Any use of the provided files is at your own risk."
 

Thank you! So if the key can be found on the public key server, it should be safe to add? Sorry if my questions are stupid. I'm so used to digitally signed certificates from Windows.
 
From what I know it works something like this. A person generates a key pair, private and public. The public key generated is based on the private key; since the public key is based off the private key, it verifies that something signed with the private key was actually signed by that key. I don't know much about AUR package building, but from what I can tell PKGBUILD is a package scripting format, and in a section it calls and checks the public key to verify that person, since the public key belongs to the private key owned by that person. So I would say yes, since you are able to verify that the public key belongs to that person, but it's actually a bit more complicated; what I explained was basically the basics. I'm not an expert myself, but you can have a read here if you want to know more about key pair encryption, and there are probably other people here on the forums that know more about encryption than me, and security forums with people that are experts in this area.
 
Thanks for trying to help me. Yes, I looked inside the PKGBUILD script during upgrade and it included these two lines:

validpgpkeys=('A66D805F7C9329B4C5D82767CCC4F07FAC641EFF') # "Daniel Stone <[email protected]>"
validpgpkeys+=('3BB639E56F861FA2E86505690FDD682D974CA72A') # "Matt Turner <[email protected]>"
The problem I'm facing now is that the latter key can't even be added to my keyring so the "python2-xcb-proto" upgrade fails, hence Brave can't be updated:

Trust Matt Turner <[email protected]> and import the PGP key ? [y/N] y
gpg: keyserver receive failed: Input/output error

Error: key 3BB639E56F861FA2E86505690FDD682D974CA72A could not be imported
Warning: pamac-cli: local (10.0.0-1) is newer than extra (9.5.12-1)
Warning: pamac-common: local (10.0.0-1) is newer than extra (9.5.12-2)
Warning: pamac-flatpak-plugin: local (10.0.0-1) is newer than extra (9.5.12-1)
Warning: pamac-gtk: local (10.0.0-1) is newer than extra (9.5.12-1)
Warning: pamac-snap-plugin: local (10.0.0-1) is newer than extra (9.5.12-1)
Resolving dependencies...
Checking inter-conflicts...

To build (2):
python2-xcb-proto 1.14-1 AUR
brave 1.17.75-1 (1.16.67-1) AUR
I followed a guide on https://wiki.manjaro.org/index.php/Pacman_troubleshooting to completely remove all my keys and start fresh but it didn't help. Not sure if pamac and pacman use different keyrings?

Still very confused about keyrings since there seem to be many different variants. But why keep it simple? :)
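The validpgpkeys lines above pin the maintainers' full fingerprints, and that pin, not the key's mere presence on a keyserver (anyone can upload a key there), is what makepkg actually checks. As an added example that is not from this thread, here is a small POSIX shell script that extracts those fingerprints from a PKGBUILD, fetches each one, and confirms that the fingerprint gpg reports afterwards is the pinned one; the function names and the keyserver URL are my own choices.

```sh
#!/bin/sh
# Added example, not from the thread. Extract the fingerprints pinned in a
# PKGBUILD, fetch them, and confirm gpg holds exactly those fingerprints.

# Print every 40-hex fingerprint from validpgpkeys= and validpgpkeys+= lines,
# ignoring trailing comments such as # "Daniel Stone <...>".
pkgbuild_fingerprints() {
    # $1 = path to the PKGBUILD
    grep -E '^validpgpkeys(\+)?=' "$1" \
      | sed 's/#.*$//' \
      | grep -oE '[0-9A-Fa-f]{40}' \
      | tr '[:lower:]' '[:upper:]'
}

# Succeed only if a `gpg --with-colons` listing on stdin contains an fpr
# record whose field 10 equals the expected fingerprint.
fingerprint_in_listing() {
    # $1 = expected 40-hex fingerprint (upper case)
    awk -F: -v want="$1" '
        $1 == "fpr" && toupper($10) == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Fetch one key by full fingerprint and re-check the fingerprint afterwards,
# so a keyserver returning a different key is caught rather than trusted.
fetch_and_verify() {
    # $1 = fingerprint, $2 = keyserver URL (assumption: hkps://keyserver.ubuntu.com)
    gpg --keyserver "$2" --recv-keys "$1" >/dev/null 2>&1 || return 1
    gpg --with-colons --fingerprint "$1" 2>/dev/null | fingerprint_in_listing "$1"
}

# Check every key a PKGBUILD requires; returns the number of keys that could
# not be fetched and verified (0 means makepkg's validpgpkeys check can pass).
check_pkgbuild_keys() {
    # $1 = PKGBUILD path, $2 = keyserver URL
    missing=0
    for fpr in $(pkgbuild_fingerprints "$1"); do
        if fetch_and_verify "$fpr" "$2"; then
            echo "ok       $fpr"
        else
            echo "MISSING  $fpr"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}
```

Run it as `check_pkgbuild_keys ./PKGBUILD hkps://keyserver.ubuntu.com` from the package directory; a MISSING line is the same situation as the "could not be imported" error in the log above, just reported before makepkg starts.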
 
Try doing it like this.

The first one is to search for the key and the second one to import the key; you can also try to do it without the https://keyserver.ubuntu.com to see if the key is available in one of the keyservers already used by the system.

Thanks! I think you solved it for me. Only I had to use keys.gnupg.net instead since it couldn't be found on the other keyserver. Now it's working in a terminal. It's downloading a huge file as we speak, around 30 GB which seems a bit weird but at least I got past the key errors. I will stay away from the AUR repository in the future.

Edit: Actually the update didn't work. I "solved" it by going back to Firefox :)
 
That sounds kind of big for a web browser! That isn't a solution but a workaround ;). I've always used Firefox and never liked any other browser as much as I do Firefox. I've never had any problems with packages from AUR, but I tend to be selective of what packages I use and I try to limit the packages I use from AUR to the least amount possible.
 
