Andy Crouch - Code, Technology & Obfuscation ...

Arch Missing Key Issue & Resolution

Arch Shell Output Screenshot

Photo: Andy Crouch

So over the last week, a new version of libopenssl-1.0-compat hit Arch's AUR repos and, for some, it caused a world of pain. Imagine the horror at Spotify not working!

The image above shows the error message I am referring to. The issue was caused by an unknown PGP key. Actually, as I will come to in a moment, it was two unknown PGP keys.

To understand how PGP signing works in Arch, this article by Allan McRae is essential reading. If read, it actually gives the answer to the issue. As some people skim read things, I will highlight the solution:

If you want to allow the installation of package files from a non-official repository, you need to either disable signature verification (don't do that...), or trust the packager's signing key. To do this you first need to verify their key ID, which should be well publicized. Then you import it into the pacman keyring using "pacman-key --recv-key <KEYID>" and signify that you trust the key by locally signing it with your pacman root key by running "pacman-key --lsign <KEYID>".

pacman will output the name of the package for which the key is unknown. This lets you check the value of the validpgpkeys array in the package's PKGBUILD file. By following the steps above and replacing <KEYID> with each value in the validpgpkeys array you will authenticate the key. Retrying the install or upgrade of the package will now work.

In the case of the libopenssl-1.0-compat library, the key for that package was invalid, and the key for curl 7.54.0-2 was also invalid. The snippet below fixes both issues:

$ gpg --recv-keys '8657ABB260F056B1E5190839D9C4D26D0E604491'
$ gpg --recv-keys '27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2'

(Obviously these keys were correct at the time of writing and should be verified before you add them.)
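The check above, as an added example that is not part of the original post: a POSIX sh script that reads the validpgpkeys array straight from a PKGBUILD, compares it with the user's gpg keyring (the keyring makepkg consults when building AUR packages, which is why the fix uses gpg rather than pacman-key) and fetches only the fingerprints that are missing, confirming each fetched key's fingerprint afterwards. The sample PKGBUILD is constructed; the two fingerprints in it are the ones from this post.

```shell
# Added example, not from the post: list the validpgpkeys fingerprints a PKGBUILD
# demands, diff them against the user's gpg keyring and fetch only the missing ones.
# makepkg consults the user's keyring (~/.gnupg), not pacman's, hence gpg not pacman-key.

# Constructed PKGBUILD fragment; the two fingerprints are the ones in the post.
SAMPLE_PKGBUILD=$(cat <<'EOF'
pkgname=example-compat
pkgver=1.0
validpgpkeys=('8657ABB260F056B1E5190839D9C4D26D0E604491'  # libopenssl-1.0-compat
              '27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2') # curl 7.54.0-2
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
EOF
)

pkgbuild_keys() {
    # Read a PKGBUILD on stdin; print each validpgpkeys fingerprint upper-cased, one
    # per line. Only exact 40-hex tokens count, so a 64-hex checksum never passes as a key.
    awk '
        /^validpgpkeys=\(/ { inarr = 1; sub(/^validpgpkeys=\(/, "") }
        inarr {
            sub(/#.*/, "")                    # drop trailing comment
            last = ($0 ~ /\)/)                # closing paren ends the array
            gsub("[()\"\047]", " ")           # \047 is a single quote
            n = split($0, tok, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (length(tok[i]) == 40 && tok[i] ~ /^[0-9A-Fa-f]+$/)
                    print toupper(tok[i])
            if (last) inarr = 0
        }'
}

keyring_fprs() {
    # Fingerprints already in the user's gpg keyring (field 10 of fpr records).
    gpg --batch --with-colons --fingerprint 2>/dev/null | awk -F: '$1 == "fpr" { print $10 }'
}

missing_keys() {
    # $1: file of wanted fingerprints, $2: file of present ones; prints the gap.
    [ -s "$2" ] || { cat "$1"; return 0; }
    grep -vxF -f "$2" "$1" || true          # grep exits 1 when nothing is missing
}

fetch_and_check_key() {
    # Fetch one key by full fingerprint, then confirm exactly that fingerprint
    # now exists locally; anything else the keyserver returned is not accepted.
    gpg --batch --recv-keys "$1" >/dev/null 2>&1 || return 1
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null | grep -q "^fpr:.*:$1:"
}
```

Typical run against a real package directory: `pkgbuild_keys < PKGBUILD > want; keyring_fprs > have; missing_keys want have | while read -r k; do fetch_and_check_key "$k" || echo "check $k by hand"; done`.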