GPG verification enabled, but no summary signatures found

Alexander Larsson alexl at redhat.com
Mon Mar 13 14:30:59 UTC 2017


On Mon, 2017-03-13 at 09:29 -0500, Dan Nicholson wrote:
> On Mon, Mar 13, 2017 at 2:27 AM, Alexander Larsson <alexl at redhat.com>
> wrote:
> > On Sat, 2017-03-11 at 11:18 +0100, Sascha Manns wrote:
> > > Hello list,
> > > 
> > > I used
> > > 
> > > sascha@sascha-desktop:~/Downloads$ flatpak remote-add gnome https://sdk.gnome.org/gnome.flatpakrepo
> > > 
> > > for adding a flatpak repo. Then I used:
> > > 
> > > sascha@sascha-desktop:~/Downloads$ flatpak install gnome org.gnome.Platform//3.22
> > > 
> > > for installing a Platform. Sadly I'm getting:
> > > 
> > > Error: GPG verification enabled, but no summary signatures found (use gpg-verify-summary=false in remote config to disable)
> > > But how to fix this?
> > 
> > That is very strange. I just tried exactly these commands, and it
> > worked fine here. What version are you using?
> > 
> > You can get some remote configuration info with:
> > 
> > $ flatpak remote-list -d
> > 
> > Otherwise the remote configuration is in
> > /var/lib/flatpak/repo/config, and additionally you should have a gpg
> > keyring in /var/lib/flatpak/repo/gnome.trustedkeys.gpg
> > 
> > My config snippet is:
> > 
> > [remote "gnome"]
> > gpg-verify=true
> > gpg-verify-summary=true
> > url=http://sdk.gnome.org/repo/
> > xa.title=Gnome Stable Runtimes
> > 
> > And the gpg keys:
> > 
> > $ ls -l /var/lib/flatpak/repo/gnome.trustedkeys.gpg
> > -rw-r--r--. 1 root root 633 13 mar 08.21 /var/lib/flatpak/repo/gnome.trustedkeys.gpg
> > $ sha256sum /var/lib/flatpak/repo/gnome.trustedkeys.gpg
> > 2d7ca0276c5bbc08e1ef762e39a3a88757fe93b02bc7286ddaf08c6847047a9d  /var/lib/flatpak/repo/gnome.trustedkeys.gpg
> > 
> > 
> > Does anyone else see this?
> 
> We sometimes hit this at Endless in our builder. I've never debugged
> it fully, but I suspect it's the race between downloading the summary
> and the signature. One thing I do know is that all the ostree GPG
> errors end up with the same message no matter the error. So, my guess
> is that the cached signature is not the correct one and the
> verification is failing. The failure is not because there's no
> appropriate keyring, but rather because the signature does not match
> the file it's intended to sign.
> 
> I'd try "sudo rm -rf /var/lib/flatpak/repo/tmp/cache/summaries" and
> then "flatpak remote-list -d" again.

Maybe we should always delete any cached summary if it didn't verify.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       alexl at redhat.com            alexander.larsson at gmail.com 
He's an ungodly gay waffle chef on a search for his missing sister. She's 
a strong-willed African-American lawyer fleeing from a Satanic cult. They 
fight crime! 
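
An added example, not part of the thread or of flatpak's own code: the error text offers `gpg-verify-summary=false` as a way out, so this script audits a repo config in the format quoted above for remotes where verification was switched off and left that way. The function name `audit_remotes`, the `workaround` remote and its URL are constructed for illustration.

```python
import configparser
import re
from pathlib import Path

# Constructed sample in the format of the config snippet quoted in the thread.
# The "workaround" remote is hypothetical: it carries the setting the error hints at.
SAMPLE_CONFIG = '''\
[core]
mode=bare-user
[remote "gnome"]
gpg-verify=true
gpg-verify-summary=true
url=http://sdk.gnome.org/repo/
xa.title=Gnome Stable Runtimes
[remote "workaround"]
gpg-verify=true
gpg-verify-summary=false
url=https://repo.example.invalid/repo/
'''

REMOTE_SECTION = re.compile(r'^remote "([^"]+)"$')


def audit_remotes(config_text, repo_dir=None):
    """Return {remote: [findings]} for remotes whose verification needs review."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(config_text)
    report = {}
    for section in parser.sections():
        match = REMOTE_SECTION.match(section)
        if not match:
            continue  # skip non-remote groups such as [core]
        name, findings = match.group(1), []
        for key in ("gpg-verify", "gpg-verify-summary"):
            value = parser.get(section, key, fallback=None)
            if value is None:
                findings.append(f"{key} is not set explicitly")
            elif value.strip().lower() not in ("true", "1"):
                findings.append(f"{key}={value.strip()} (verification disabled)")
        # The thread places the keyring at <repo>/<remote>.trustedkeys.gpg.
        if repo_dir is not None and not (Path(repo_dir) / f"{name}.trustedkeys.gpg").is_file():
            findings.append(f"missing keyring {name}.trustedkeys.gpg")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    print(audit_remotes(SAMPLE_CONFIG))
```

Pass the contents of `/var/lib/flatpak/repo/config` and `repo_dir="/var/lib/flatpak/repo"` to also check that each remote's keyring file is present.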


