Package Details: zulucrypt 5.1.0-1

Git Clone URL: https://aur.archlinux.org/zulucrypt.git (read-only)
Package Base: zulucrypt
Description: A cli and gui frontend to cryptsetup
Upstream URL: http://mhogomchungu.github.io/zuluCrypt
Keywords: cryptsetup encryption security tcplay truecrypt veracrypt
Licenses: GPL
Conflicts: zulucrypt-git
Submitter: salan54
Maintainer: salan54
Last Packager: salan54
Votes: 49
Popularity: 0.245392
First Submitted: 2013-02-03 13:05
Last Updated: 2017-01-02 12:59

Latest Comments

mhogomchungu commented on 2017-05-17 17:31

@salan54

SiriKali[1] maintainer managed to add the signature verification step and looking at how they did it may help you in trying to add the ability here.

[1] https://aur.archlinux.org/packages/sirikali/

egrupled commented on 2017-05-17 17:20

@salan54 I have no idea, can't reproduce this. You can try to delete or rename ~/.gnupg folder and start from fresh config.

@mhogomchungu Archlinux is already pushing gpg checks whenever possible[1] so using it in AUR would be consistent. Also if you sign your releases (which is great) you can expect that someone actually verifies them :)

Anyway I thought it would be a nice feature for this PKGBUILD as zulucrypt targets people interested in additional security. Of course I'm not pushing anyone to this especially if our maintainer has issues.

[1] https://www.archlinux.org/todo/use-gpg-signatures-and-https-sources/

mhogomchungu commented on 2017-05-17 09:12

In my opinion, this checking of signature adds more security and also adds more inconvenience, and I think if it is to be implemented, then it should be off by default.

Checking of a hash should be enough to be sure the package is authentic.

salan54 commented on 2017-05-17 09:00

@egrupled: Sorry for the delay but I'm quite busy these days...
Anyway, that's what I got (as you can see, I already checked Francis' public key):
[alain@rdc2010 zulucrypt]$ LC_ALL=C gpg --recv-keys 3AD67A14194FE8E7AEFCA19C3E1F380427A5D3CA
gpg: key 3E1F380427A5D3CA: "Francis Banyikwa <mhogomchungu@gmail.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
[alain@rdc2010 zulucrypt]$ LC_ALL=C makepkg
==> Making package: zulucrypt 5.1.0-2 (Wed May 17 10:54:39 CEST 2017)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Found zuluCrypt-5.1.0.tar.bz2
-> Found zuluCrypt-5.1.0.tar.bz2.asc
==> Validating source files with md5sums...
zuluCrypt-5.1.0.tar.bz2 ... Passed
zuluCrypt-5.1.0.tar.bz2.asc ... Skipped
==> Validating source files with sha256sums...
zuluCrypt-5.1.0.tar.bz2 ... Passed
zuluCrypt-5.1.0.tar.bz2.asc ... Skipped
==> Verifying source file signatures with gpg...
zuluCrypt-5.1.0.tar.bz2 ... FAILED (invalid public key 3AD67A14194FE8E7AEFCA19C3E1F380427A5D3CA)
==> ERROR: One or more PGP signatures could not be verified!

I hesitate to implement the PGP check in the package for fear that users will face these problems... Any idea?

egrupled commented on 2017-05-15 14:00

@salan54 thank you for reply.

You have to add relevant gpg key to your gnupg config before you can verify it.

You can do it manually by invoking command:
gpg --recv-keys --keyserver hkps://pgp.mit.edu 3AD67A14194FE8E7AEFCA19C3E1F380427A5D3CA

Or automatically by adding those lines at the end of ~/.gnupg/gpg.conf:
keyserver hkps://pgp.mit.edu
keyserver-options auto-key-retrieve

If you have another keyserver already set in config file you can replace it with the above as it's most reliable at least for me.

Now makepkg should work properly. If you decide to add PGP key to official PKGBUILD, you can pin shorter comment with above instructions so every user can see it.

BTW: You should get rid of md5sums from PKGBUILD as it's useless when sha256sums is available.
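
The outcomes that come up in this thread (signing key not in the keyring, valid signature from a key that is or is not listed in validpgpkeys) can be told apart from gpg's machine-readable status lines. The following is an added example, not part of the comments and not makepkg's own code; `check_sig_status` is a hypothetical helper name and the status samples are constructed.

```shell
#!/bin/sh
# Input is the text printed by:
#   gpg --status-fd 1 --verify zuluCrypt-5.1.0.tar.bz2.asc zuluCrypt-5.1.0.tar.bz2
# usage: check_sig_status STATUS_TEXT PINNED_FINGERPRINT...
# Prints a one-word verdict; returns 0 only when a valid signature was made
# by one of the pinned keys. (Hypothetical helper, not part of makepkg or gpg.)
check_sig_status() {
    status=$1; shift
    # Signing key absent from the local keyring: nothing was verified.
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:] NO_PUBKEY '; then
        echo missing-key; return 1
    fi
    # Wrong, expired or revoked signature or key.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        echo bad-signature; return 1
    fi
    # VALIDSIG carries the signing key fingerprint (field 3) and, as the
    # last field (12), the primary key fingerprint when gpg reports it.
    fpr=$(printf '%s\n' "$status" | awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { print ($12 != "" ? $12 : $3); exit }')
    if [ -z "$fpr" ]; then
        echo no-valid-signature; return 1
    fi
    for pinned in "$@"; do
        if [ "$fpr" = "$pinned" ]; then
            echo ok; return 0
        fi
    done
    echo unpinned-key; return 1
}

PINNED=3AD67A14194FE8E7AEFCA19C3E1F380427A5D3CA      # fingerprint quoted on this page
OTHER_KEY=0000000000000000000000000000000000000000   # placeholder, not a real key
# Constructed status output (timestamps and algorithm fields are made up).
GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3E1F380427A5D3CA Francis Banyikwa <mhogomchungu@gmail.com>
[GNUPG:] VALIDSIG $PINNED 2017-01-02 1483315200 0 4 0 1 8 00 $PINNED"
NOKEY="[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 3E1F380427A5D3CA 1 8 00 1483315200 9
[GNUPG:] NO_PUBKEY 3E1F380427A5D3CA"

check_sig_status "$GOOD" "$PINNED" || true       # ok
check_sig_status "$GOOD" "$OTHER_KEY" || true    # unpinned-key
check_sig_status "$NOKEY" "$PINNED" || true      # missing-key
```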

salan54 commented on 2017-05-15 09:06

@egrupled: Thanks for your suggestion. I'm new to pgp signing. I updated PKGBUILD as follows:
source=("https://github.com/mhogomchungu/zuluCrypt/releases/download/${pkgver}/${_altpkgname}-${pkgver}.tar.bz2"{,.asc})
md5sums=('7ba548f4482e5d6ba361c8292b0d489e' 'SKIP')
sha256sums=('dd57be9bcee64f7f4427f4a80e31bf8796d3ad7889f6c3bd78597ff14c1ba520' 'SKIP')
changelog=${pkgname}.changelog
validpgpkeys=('3AD67A14194FE8E7AEFCA19C3E1F380427A5D3CA')

as you suggested, but I got this:

LC_ALL=C makepkg
==> Making package: zulucrypt 5.1.0-2 (Mon May 15 10:52:48 CEST 2017)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Found zuluCrypt-5.1.0.tar.bz2
-> Found zuluCrypt-5.1.0.tar.bz2.asc
==> Validating source files with md5sums...
zuluCrypt-5.1.0.tar.bz2 ... Passed
zuluCrypt-5.1.0.tar.bz2.asc ... Skipped
==> Validating source files with sha256sums...
zuluCrypt-5.1.0.tar.bz2 ... Passed
zuluCrypt-5.1.0.tar.bz2.asc ... Skipped
==> Verifying source file signatures with gpg...
zuluCrypt-5.1.0.tar.bz2 ... FAILED (invalid public key 3AD67A14194FE8E7AEFCA19C3E1F380427A5D3CA)
==> ERROR: One or more PGP signatures could not be verified!

Do you have an idea why it failed?
Thanks for your suggestion and your help,
Salan54

egrupled commented on 2017-05-14 18:43

You can add PGP check like this:

source=("https://github.com/mhogomchungu/zuluCrypt/releases/download/${pkgver}/${_altpkgname}-${pkgver}.tar.xz"{,.asc})
sha256sums=('09ee5f6322bcb66c3ffca0ae980b49c326cf8470d217fa365f7674b6daf58ae9'
'SKIP')
changelog=${pkgname}.changelog
validpgpkeys=('3AD67A14194FE8E7AEFCA19C3E1F380427A5D3CA')

mhogomchungu commented on 2017-04-25 11:00

Sorry for the noise,
an Arch Linux user has a problem with zuluCrypt[1] and I would appreciate a confirmation that his problem is a general problem in Arch.

Would appreciate if somebody could post here or there the output of:

"zuluCrypt-cli --test"

[1] https://github.com/mhogomchungu/zuluCrypt/issues/57

salan54 commented on 2017-01-02 13:00

version 5.1.0
-- make it possible to unlock folder based encrypted volumes when running in mixed mode.
-- add ability in zuluCrypt-gui to unlock VeraCrypt volumes that use PIM value.
-- add ability in zuluCrypt-gui to unlock plain dm-crypt volumes that use an offset.
-- add ability in zuluCrypt-gui to create plain dm-crypt volumes using user configurable crypto options.
-- add ability in zuluCrypt-gui to unlock plain dm-crypt volumes using user configurable crypto options.
-- add ability in zuluCrypt-gui to backup and restore VeraCrypt headers.
-- add ability in zuluCrypt-gui to change VeraCrypt volume key.
-- add ability in zuluCrypt-gui to create a VeraCrypt volume that uses a PIM value.
-- add ability in zuluMount-gui to unlock folder based encrypted volumes when running in mixed mode.

salan54 commented on 2016-12-03 11:56

@tinxy : you are right. Thanks for the warning.
zulucrypt.install removed.
No need to rebuild for those already running V5.02
