Arch Linux User Repository

This PKGBUILD verifies the authenticity of the source via PGP signatures which are not part of the Arch Linux keyring. In order to complete the process it is necessary to import the key(s) from the ‘validpgpkeys’ array into the user’s keyring before calling makepkg. There is a helpful article explaining this process by one of Arch Linux's developers located here: http://allanmcrae.com/2015/01/two-pgp-keyrings-for-package-management-in-arch-linux/

Instructions on importing keys from a keyserver and how to automate the retrieval process can be found in the Arch Linux wiki here: https://wiki.archlinux.org/index.php/GnuPG#Use_a_keyserver This article also contains helpful information describing the installation of GnuPG, its configuration and usage.

Execute the following to import keys using gpg:

gpg --recv-keys <KEYID - See 'validpgpkeys' array in PKGBUILD>

The PGP signature check can be skipped by passing --skippgpcheck to makepkg.

Consult the makepkg manual page for a full list of options. [https://www.archlinux.org/pacman/makepkg.8.html]

Deivorous: There are a number of variables that can prevent you from contacting the default keyserver. The default port for HKP/HKPS is sometimes blocked by strict firewalls. I would suggest attempting to fetch the key via a server the supports one of the more common ports. The default HTTP and HTTPS ports tend to be the most viable options. The following is an example using HKPS and the http over TLS/SSL port 443.

gpg --keyserver hkps://pgp.mit.edu:443 --recv-keys C52048C0C0748FEE227D47A2702353E0F7E48EDB

Here is an example using the standard hypertext transfer protocol port 80.

gpg --keyserver hkps://pgp.mit.edu:80 --recv-keys C52048C0C0748FEE227D47A2702353E0F7E48EDB

You can get more detailed output from gpg using the -vvv and --debug-all options. If neither of those work you can skip the PGP signature check by passing --skippgpcheck to makepkg as noted in the pinned post above.

Trying to import the key only resulted in 'gpg: keyserver receive failed: Connection timed out' messages. Thanks Barthalion, you're a lifesaver.

@malta, Musikolo's instructions didn't work for me, I did this instead:

gpg --recv-keys 0x702353E0F7E48EDB

@malta:

Following the instructions: - gpg --recv-keys <KEYID - See 'validpgpkeys' array in PKGBUILD>

Just issue: gpg --recv-keys C52048C0C0748FEE227D47A2702353E0F7E48EDB

It should work for you. Looks like you didn't copy the entire key.

I hope it helps.

cant get the gpg keys

gpg --recv-keys 702353E0F7E48EDB not working

anyone?

@xanc:

The following command means: gpg --recv-keys <KEYID - See 'validpgpkeys' array in PKGBUILD>

you need to run gpg --recv-keys with the KEYID that can find in link of the PKGBUILD you have above on the right side of this page. Once you do this, you'll find that such a value is C52048C0C0748FEE227D47A2702353E0F7E48EDB So, the command you need to run is: gpg --recv-keys C52048C0C0748FEE227D47A2702353E0F7E48EDB

I hope it helps.

@WoefulDerelict:

gpg --recv-keys <keyid 'validpgpkeys'="" -="" array="" in="" pkgbuild="" see=""></keyid>

does not work for me

This package does not compile with LTO. Please add these lines to PKGBUILD right before the build function:

export CFLAGS="${CFLAGS/-flto/}"

export CXXFLAGS="${CXXFLAGS/-flto/}"

export LDFLAGS="${LDFLAGS/-flto/}"

What's wrong with that package? I can't understand why some packages need it although there are already exists newer version of ncurses package in repositories.

What's the problem with pgp sign? It says, that i have already key 702353E0F7E48EDB and its not changed. But package sign not valid. It's a developer fault or mantainer?

Hey guys,

Elicacio's solution worked for me as well!

Thanks for that!