aura icon indicating copy to clipboard operation
aura copied to clipboard
verified publisher icon fosskers

Failure to verify gpg-signed source (SIGNATURE NOT FOUND)

Open kgizdov opened this issue 11 months ago • 3 comments

For some reason, when I try to build a package with aura, I get this error, but when I build it directly with makepkg, everything works. Here's the log with aura:

$ sudo aura -Aua
aura :: Fetching package information...
aura :: Comparing package versions...
aura :: AUR packages to upgrade:
 youtube-dl             :: 2021.12.17-3     -> 2021.12.17-4
aura :: Determining dependencies...
aura :: AUR packages:
 youtube-dl
aura :: Proceed? [Y/n]
aura :: Saved package state.
aura :: Preparing build directories...
aura :: Building youtube-dl...
==> Making package: youtube-dl 2021.12.17-4 (Sun 05 Jan 2025 00:43:02 EET)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found youtube-dl-2021.12.17.tar.gz
  -> Found youtube-dl-2021.12.17.tar.gz.sig
==> Validating source files with sha256sums...
    youtube-dl-2021.12.17.tar.gz ... Passed
    youtube-dl-2021.12.17.tar.gz.sig ... Skipped
==> Verifying source file signatures with gpg...
    youtube-dl-2021.12.17.tar.gz ... SIGNATURE NOT FOUND
FAILED
==> ERROR: One or more PGP signatures could not be verified!
aura :: Package failed to build, citing:

  makepkg failed.

aura :: Continue building other packages? [Y/n] n
aura :: Action cancelled.

However, with makepkg:

$ makepkg -fCod
==> Making package: youtube-dl 2021.12.17-4 (Sun 05 Jan 2025 00:43:24 EET)
==> WARNING: Skipping dependency checks.
==> Retrieving sources...
  -> Found youtube-dl-2021.12.17.tar.gz
  -> Found youtube-dl-2021.12.17.tar.gz.sig
==> Validating source files with sha256sums...
    youtube-dl-2021.12.17.tar.gz ... Passed
    youtube-dl-2021.12.17.tar.gz.sig ... Skipped
==> Verifying source file signatures with gpg...
    youtube-dl-2021.12.17.tar.gz ... Passed
==> Removing existing $srcdir/ directory...
==> Extracting sources...
  -> Extracting youtube-dl-2021.12.17.tar.gz with bsdtar
==> Starting prepare()...
==> Sources are ready.
$ makepkg -sri
==> Making package: youtube-dl 2021.12.17-4 (Sun 05 Jan 2025 00:43:31 EET)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found youtube-dl-2021.12.17.tar.gz
  -> Found youtube-dl-2021.12.17.tar.gz.sig
==> Validating source files with sha256sums...
    youtube-dl-2021.12.17.tar.gz ... Passed
    youtube-dl-2021.12.17.tar.gz.sig ... Skipped
==> Verifying source file signatures with gpg...
    youtube-dl-2021.12.17.tar.gz ... Passed
==> Extracting sources...
  -> Extracting youtube-dl-2021.12.17.tar.gz with bsdtar
==> Starting prepare()...
==> Starting build()...
running build
running build_py
creating build/lib/youtube_dl
copying youtube_dl/utils.py -> build/lib/youtube_dl
...
==> Tidying install...
  -> Removing libtool files...
  -> Purging unwanted files...
  -> Removing static library files...
  -> Stripping unneeded symbols from binaries and libraries...
  -> Compressing man and info pages...
==> Checking for packaging issues...
==> Creating package "youtube-dl"...
  -> Generating .PKGINFO file...
  -> Generating .BUILDINFO file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: youtube-dl 2021.12.17-4 (Sun 05 Jan 2025 00:43:45 EET)
==> Installing package youtube-dl with pacman -U...

kgizdov avatar Jan 04 '25 22:01 kgizdov

Try using aura without sudo.

fosskers avatar Jan 18 '25 09:01 fosskers

Try using aura without sudo.

Hi there. I'm having this same issue but I'm not using sudo.

Here is what I see on my terminal:

ikoas@ikoas: ~$ aura -Ayu

aura :: Fetching package information...
aura :: Comparing package versions...
aura :: AUR packages to upgrade:
 lib32-libjpeg6-turbo :: 1.5.3-3        -> 1.5.3-4
 libappindicator-gtk2 :: 12.10.0.r298-5 -> 12.10.0.r298-8
 libidn11             :: 1.33-2         -> 1.33-3
 libjpeg6-turbo       :: 1.5.3-2.2      -> 1.5.3-3
 libudev0-shim        :: 2-1.1          -> 2-2
 libvpx1.3            :: 1.3.0-3        -> 1.3.0-4
 peazip-qt-bin        :: 10.6.1-1       -> 10.7.0-1
 steam-native-runtime :: 1.0.0.75-4     -> 1.0.0.75-7
aura :: Determining dependencies...
aura :: AUR packages:
 gtk-sharp-2
 lib32-libjpeg6-turbo
 lib32-openssl-1.0
 libappindicator-gtk2
 libidn11
 libjpeg6-turbo
 libudev0-shim
 libvpx1.3
 openssl-1.0
 peazip-qt-bin
 steam-native-runtime
aura :: Proceed? [Y/n]
aura :: Saved package state.
aura :: Preparing build directories...
aura :: Building openssl-1.0...
==> Making package: openssl-1.0 1.0.2.u-7 (Fri 31 Oct 2025 11:59:03 AM CST)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found openssl-1.0.2u.tar.gz
  -> Found openssl-1.0.2u.tar.gz.asc
  -> Found no-rpath.patch
  -> Found ssl3-test-failure.patch
  -> Found openssl-1.0-versioned-symbols.patch
  -> Found nist-explicit-inline.patch
  -> Found updated-test-certs.patch
==> Validating source files with sha256sums...
    openssl-1.0.2u.tar.gz ... Passed
    openssl-1.0.2u.tar.gz.asc ... Skipped
    no-rpath.patch ... Passed
    ssl3-test-failure.patch ... Passed
    openssl-1.0-versioned-symbols.patch ... Passed
    nist-explicit-inline.patch ... Passed
    updated-test-certs.patch ... Passed
==> Verifying source file signatures with gpg...
    openssl-1.0.2u.tar.gz ... FAILED (unknown public key D9C4D26D0E604491)
==> ERROR: One or more PGP signatures could not be verified!
aura :: Package failed to build, citing:

  makepkg failed.

aura :: Continue building other packages? [Y/n] n
aura :: Action cancelled.

ikoas avatar Oct 31 '25 18:10 ikoas

You are missing a key in your keyring. You can either add the associated key, or turn off such checks with --skippgpcheck.

fosskers avatar Nov 03 '25 21:11 fosskers