GPG verification enabled, but no summary signatures found

Dan Nicholson nicholson at endlessm.com
Mon Mar 13 14:29:34 UTC 2017


On Mon, Mar 13, 2017 at 2:27 AM, Alexander Larsson <alexl at redhat.com> wrote:
> On Sat, 2017-03-11 at 11:18 +0100, Sascha Manns wrote:
>> Hello list,
>>
>> I used
>>
>> sascha at sascha-desktop:~/Downloads$ flatpak remote-add gnome https://sdk.gnome.org/gnome.flatpakrepo
>>
>> for adding a flatpak repo. Then I used:
>>
>> sascha at sascha-desktop:~/Downloads$ flatpak install gnome org.gnome.Platform//3.22
>>
>> for installing a Platform. Sadly I'm getting:
>>
>> Error: GPG verification enabled, but no summary signatures found (use
>> gpg-verify-summary=false in remote config to disable)
>> But how to fix this?
>
> That is very strange. I just tried exactly these commands, and it
> worked fine here. What version are you using?
>
> You can get some remote configuration info with:
>
> $ flatpak remote-list -d
>
> Otherwise the remote configuration is in
> /var/lib/flatpak/repo/config, and additionally you should have a gpg
> keyring in /var/lib/flatpak/repo/gnome.trustedkeys.gpg
>
> My config snippet is:
>
> [remote "gnome"]
> gpg-verify=true
> gpg-verify-summary=true
> url=http://sdk.gnome.org/repo/
> xa.title=Gnome Stable Runtimes
>
> And the gpg keys:
>
> $ ls -l /var/lib/flatpak/repo/gnome.trustedkeys.gpg
> -rw-r--r--. 1 root root 633 13 mar 08.21 /var/lib/flatpak/repo/gnome.trustedkeys.gpg
> $ sha256sum /var/lib/flatpak/repo/gnome.trustedkeys.gpg
> 2d7ca0276c5bbc08e1ef762e39a3a88757fe93b02bc7286ddaf08c6847047a9d  /var/lib/flatpak/repo/gnome.trustedkeys.gpg
>
>
> Does anyone else see this?

We sometimes hit this at Endless in our builder. I've never debugged
it fully, but I suspect it's the race between downloading the summary
and the signature. One thing I do know is that all the ostree GPG
errors end up with the same message no matter the error. So, my guess
is that the cached signature is not the correct one and the
verification is failing. The failure is not because there's no
appropriate keyring, but rather because the signature does not match
the file it's intended to sign.

I'd try "sudo rm -rf /var/lib/flatpak/repo/tmp/cache/summaries" and
then "flatpak remote-list -d" again.

--
Dan
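
The error text offers gpg-verify-summary=false as a way out, while the reply above points at a stale cached signature instead. The following is an added example (not from the thread or from the Flatpak/OSTree projects) that audits a repo config in the format quoted above, so you can confirm verification is still enabled on every remote and record the keyring hash. SAMPLE_CONFIG, the "example" remote and the function name audit_remotes are constructed for illustration.

```python
import configparser
import hashlib
import re
import sys
from pathlib import Path

# Constructed sample: the "gnome" section copies the snippet quoted in the
# thread; the "example" remote is hypothetical and has summary checks disabled.
SAMPLE_CONFIG = '''\
[core]
repo_version=1

[remote "gnome"]
gpg-verify=true
gpg-verify-summary=true
url=http://sdk.gnome.org/repo/
xa.title=Gnome Stable Runtimes

[remote "example"]
gpg-verify=true
gpg-verify-summary=false
url=https://example.invalid/repo/
'''

def audit_remotes(config_text, repo_dir):
    """Return {remote: {"findings": [...], "keyring_sha256": hex or None}}."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(config_text)
    report = {}
    for section in parser.sections():
        match = re.fullmatch(r'remote "(.+)"', section)
        if not match:
            continue  # [core] and other non-remote sections
        name, findings = match.group(1), []
        for key in ("gpg-verify", "gpg-verify-summary"):
            value = parser.get(section, key, fallback="unset")
            if value.strip().lower() != "true":
                findings.append(f"{key}={value}")
        # Keyring location as described in the thread: <repo>/<remote>.trustedkeys.gpg
        keyring = Path(repo_dir) / f"{name}.trustedkeys.gpg"
        digest = hashlib.sha256(keyring.read_bytes()).hexdigest() if keyring.is_file() else None
        if digest is None:
            findings.append(f"no keyring at {keyring.name}")
        report[name] = {"findings": findings, "keyring_sha256": digest}
    return report

if __name__ == "__main__":
    repo = Path(sys.argv[1] if len(sys.argv) > 1 else "/var/lib/flatpak/repo")
    print(audit_remotes((repo / "config").read_text(), repo))
```

An empty findings list for a remote means both verification keys are set to true and a keyring file is present; it does not prove the cached summary and its signature match.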


