Articles

Unable to import GPG key

View project on GitHub

Unable to import a GPG key during the updates installation

This guide refers to a particular issue, due to impossibility to import a GPG key. This procedure must not be used if you simply have a problem with a non-existent or an unrecognized GPG key.

Introduction

While trying to update an old Arch Linux installation, I’ve received an issue related to an old GPG key:

[root@vboxarch ~]# pacman -Su
:: Starting full system upgrade...
resolving dependencies...
warning: dependency cycle detected:
warning: harfbuzz will be installed before its freetype2 dependency
warning: dependency cycle detected:
warning: libglvnd will be installed before its mesa dependency
looking for inter-conflicts...

Packages (235): acl-2.2.52-4  argon2-20171227-3  attr-2.4.47-3  autoconf-2.69-4
automake-1.15.1-1  bash-4.4.019-1  binutils-2.29.1-3  bison-3.0.4-3  bzip2-1.0.6-7
ca-certificates-20170307-1 ca-certificates-cacert-20140824-4
ca-certificates-mozilla-3.36-1  ca-certificates-utils-20170307-1  coreutils-8.29-1
cracklib-2.9.6-1  cryptsetup-2.0.2-1  curl-7.59.0-2
...

Total Installed Size:   1311.00 MiB
Net Upgrade Size:       613.98 MiB

:: Proceed with installation? [Y/n] 
(221/221) checking keys in keyring                           [################################] 100%
downloading required keys...
:: Import PGP key 256/, "Gaetan Bisson <bisson@gaati.org>", created: 1998-03-24? [Y/n] Y
error: key "Gaetan Bisson <bisson@gaati.org>" could not be imported
error: required key missing from keyring
error: failed to commit transaction (unexpected error)
Errors occurred, no packages were upgraded.

The last 5 lines report an error when importing the GPG key of an Arch Linux developer: Gaetan Bisson.

Attempts to get around the problem

The first attempt was to reinstall the keyring with all the Arch Linux developers and maintainers keys:

[root@vboxarch ~]# pacman -S archlinux-keyring
resolving dependencies...
looking for inter-conflicts...

Packages (1): archlinux-keyring-20180404-1

Total Installed Size:   0.90 MiB
Net Upgrade Size:       0.00 MiB

:: Proceed with installation? [Y/n] 
(1/1) checking keys in keyring                               [################################] 100%
(1/1) checking package integrity                             [################################] 100%
(1/1) loading package files                                  [################################] 100%
(1/1) checking for file conflicts                            [################################] 100%
(1/1) checking available disk space                          [################################] 100%
(1/1) reinstalling archlinux-keyring                         [################################] 100%
==> Appending keys from archlinux.gpg...
gpg: key EE2EEEEE: no valid user IDs
gpg: key B9B7018A: no valid user IDs
==> Locally signing trusted keys in keyring...
  -> Locally signing key DDB867B92AA789C165EEFA799B729B06A680C281...
  -> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
...
==> Importing owner trust values...
==> Disabling revoked keys in keyring...
  -> Disabling key F5A361A3A13554B85E57DDDAAF7EF7873CFD4BB6...
...
==> Updating trust database...
gpg: next trustdb check due at 2018-06-25

After the upgrade of the keys, the error was still there.

Then I’ve tried to manually add the missing key, searching it on the official Arch Linux master keys website.

[root@vboxarch ~]# pacman-key --recv-key 1A60DC44245D06FEF90623D6EEEEE2EEEE2EEEEE
gpg: requesting key EE2EEEEE from hkp server pool.sks-keyservers.net
gpg: key EE2EEEEE: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
==> ERROR: Remote key not fetched correctly from keyserver.

However the error does not go away.

I am then convinced that the keys database (/etc/pacman.d/gnupg) was damaged, let’s try to delete and regenerate it with the previous commands, but still no luck.

Having found the PGP/GPG key on the Bisson website, I’ve downloaded and tried to import it:

[root@vboxarch ~]# curl https://gaati.org/bisson/bisson.gpg | pacman-key -a -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 20749  100 20749    0     0  19558      0  0:00:01  0:00:01 --:--:-- 19574
gpg: key EE2EEEEE: no valid user IDs
==> ERROR: A specified keyfile could not be added to the keyring.

The defect it’s not a matter of keys servers, it’s just the key to have something wrong.

The error message is always the same:

gpg: key EE2EEEEE: no valid user IDs

After a long online search the problem seems due to the fact that the key is not self-signed by the author (1 and 2) and the only solution seems to force gpg to accept the non-self-signed key:

[root@vboxarch ~]# echo "allow-non-selfsigned-uid" >> /etc/pacman.d/gnupg/gpg.conf
[root@vboxarch ~]# rm /etc/pacman.d/gnupg/*.gpg
[root@vboxarch ~]# curl https://gaati.org/bisson/bisson.gpg | pacman-key -a -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 20749  100 20749    0     0  16781      0  0:00:01  0:00:01 --:--:-- 16787
gpg: key EE2EEEEE: accepted non self-signed user ID "Gaetan Bisson <gaetan@fenua.org>"
gpg: key EE2EEEEE: accepted non self-signed user ID "Gaetan Bisson <bisson@gaati.org>"
gpg: key EE2EEEEE: accepted non self-signed user ID "Gaetan Bisson <bisson@archlinux.org>"
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   5  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   5  signed:  72  trust: 0-, 0q, 0n, 5m, 0f, 0u
gpg: depth: 2  valid:  72  signed:   8  trust: 72-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2018-06-25
==> Updating trust database...
gpg: next trustdb check due at 2018-06-25

At this point I think to have solved the problem:

[root@vboxarch ~]# pacman -Su

But unfortunately the issue is always the same.

Workaround

The last chance remains to disable the package signatures verification:

Edit the pacman.conf file

[root@vboxarch ~]# nano /etc/pacman.conf

And change the line from:

SigLevel = Required DatabaseOptional

to:

SigLevel = Never

The update process will be successful, ignoring the issue with the keys.

Conclusion

After the system update is recommended to restore the SigLevel option to its default value: Required DatabaseOptional

In the case of an installation not updated after 2016-04-23 the initial ramdisk creation is strongly recommended.
Otherwise, if you have and old version of pacman without hooks support, this procedure will not be executed and the kernel will remain without the support ramdisk.

To recreate the initial ramdisk you can use the following command:

mkinitcpio -p linux

For further information: Required update to pacman-5.0.1 before 2016-04-23.