GPG verification enabled, but no summary signatures found
Sascha Manns
Sascha.Manns at mailbox.org
Tue Mar 14 18:37:55 UTC 2017
Hello,
Am Montag, den 13.03.2017, 09:29 -0500 schrieb Dan Nicholson:
> On Mon, Mar 13, 2017 at 2:27 AM, Alexander Larsson <alexl at redhat.com>
> wrote:
> > On Sat, 2017-03-11 at 11:18 +0100, Sascha Manns wrote:
> > > Hello list,
> > >
> > > i used
> > >
> > > sascha at sascha-desktop:~/Downloads$ flatpak remote-add gnome
> > > https://s
> > > dk.gnome.org/gnome.flatpakrepo
> > >
> > > for adding a flatpak repo. Then i used:
> > >
> > > sascha at sascha-desktop:~/Downloads$ flatpak install gnome
> > > org.gnome.Platform//3.22
> > >
> > > for installing a Platform. Sadly i'm getting:
> > >
> > > Error: GPG verification enabled, but no summary signatures found
> > > (use
> > > gpg-verify-summary=false in remote config to disable)
> > > But how to fix this?
> >
> > That is very strange. I just tried exactly these commands, and it
> > worked fine here. What version are you using?
> >
> > You can get some remote configuration info with:
> >
> > $ flatpak remote-list -d
> >
> > Otherwise there remote configuration is in
> > /var/lib/flatpak/repo/config, and additionally you should have a
> > gpg
> > keyring in /var/lib/flatpak/repo/gnome.trustedkeys.gpg
> >
> > My config snippet is:
> >
> > [remote "gnome"]
> > gpg-verify=true
> > gpg-verify-summary=true
> > url=http://sdk.gnome.org/repo/
> > xa.title=Gnome Stable Runtimes
> >
> > And the gpg keys:
> >
> > $ ls -l /var/lib/flatpak/repo/gnome.trustedkeys.gpg
> > -rw-r--r--. 1 root root 633 13 mar 08.21
> > /var/lib/flatpak/repo/gnome.trustedkeys.gpg
> > $ sha256sum /var/lib/flatpak/repo/gnome.trustedkeys.gpg
> > 2d7ca0276c5bbc08e1ef762e39a3a88757fe93b02bc7286ddaf08c6847047a9d /
> > var/lib/flatpak/repo/gnome.trustedkeys.gpg
> >
> >
> > Does anyone else see this?
>
> We sometimes hit this at Endless in our builder. I've never debugged
> it fully, but I suspect it's the race between downloading the summary
> and the signature. One thing I do know is that all the ostree GPG
> errors end up with the same message no matter the error. So, my guess
> is that the cached signature is not the correct one and the
> verification is failing. The failure is not because there's no
> appropriate keyring, but rather because the signature does not match
> the file it's intended to sign.
>
> I'd try "sudo rm -rf /var/lib/flatpak/repo/tmp/cache/summaries" and
> then "flatpak remote-list -d" again.
I tried this out too.
Then a "flatpak install gnome-nightly org.gnome.Platform//master" gives
out the same issue. After adding a "gpg-verify-summary=false" to the
config i'm getting "sascha at sascha-desktop:/var/lib/flatpak/repo$
flatpak install gnome-nightly org.gnome.Platform//master
Fehler: Remote listing not available; server has no summary file
Mysterious...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/flatpak/attachments/20170314/44ae4078/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: This is a digitally signed message part
URL: <https://lists.freedesktop.org/archives/flatpak/attachments/20170314/44ae4078/attachment.sig>
More information about the xdg-app
mailing list