On 12/03/2016 03:41 PM, Xyne wrote:
> Hi,
>
> There is a seemingly unending trickle of user comments on the AUR seeking
> advice about key verification errors when building packages. The error message
> in question is
>
> <pkgname> ... FAILED (unknown public key ...)
> ==> ERROR: One or more PGP signatures could not be verified!
>
> Would you consider changing this message to make it clear to the user that
> the key is not in the *user's* keyring? Maybe something like (key ... not found in
> user's keyring: you may need to import it).
>
> The current message seems to leave a lot of users thinking that the key and
> signature are shady and untrusted.

Doesn't "unknown public key" already imply that? makepkg already provides
information on the *reason* it failed. "Unknown" is very different from "we
have the key you need, and this signature doesn't match"... we provide that
warning later on, as "bad signature".

Are there a lot of people who think that PGP/gpg just magically knows every
key that "people" trust, or something? What do they think "trust" means,
anyway?

https://git.archlinux.org/pacman.git/tree/scripts/libmakepkg/integrity/verify_signature.sh.in#n96

> p.s. I still hope that you will re-introduce the --pkg option or an
> alternative to selectively install split packages with "-i". (Building them
> all makes sense. Giving no option but to install them all, not so much.) I can
> provide a package for this as I keep a working patched version of makepkg for
> this purpose (and provide it in a package for others).

I would like this feature. `--pkg` could be a no-op without `-i`. But maybe it
deserves its own thread?

-- 
Eli Schwartz
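The distinction drawn in the thread above (key absent from the user's keyring, reported as "unknown public key", versus key present but signature not matching, reported as "bad signature") is what a verifier reads off gpg's machine-readable status output. The script below is an added example written for this page; it is not code from makepkg, pacman, or either poster. makepkg's verify_signature.sh does check gpg status lines in a similar way, but the matching rules, the message wording, the key IDs, the user ID, and the sample status lines here are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not makepkg's or pacman's code: classify the status lines gpg
# emits with --status-fd so a verifier can tell "key not in the user's keyring"
# (NO_PUBKEY) apart from "key known, signature does not match" (BADSIG).

# classify_status: read gpg status lines on stdin, print one classification.
# A NO_PUBKEY / BADSIG / EXPKEYSIG / REVKEYSIG line outranks a GOODSIG line
# from another signature in the same run.
classify_status() {
    result=no_signature_seen
    while IFS= read -r line; do
        case "$line" in
            '[GNUPG:] NO_PUBKEY '*)  result=missing_key ;;
            '[GNUPG:] BADSIG '*)     result=bad_signature ;;
            '[GNUPG:] EXPKEYSIG '*)  result=expired_key ;;
            '[GNUPG:] REVKEYSIG '*)  result=revoked_key ;;
            '[GNUPG:] GOODSIG '*)
                if [ "$result" = no_signature_seen ]; then result=good; fi ;;
        esac
    done
    printf '%s\n' "$result"
}

# classify_string: convenience wrapper that classifies status text in $1.
classify_string() {
    printf '%s\n' "$1" | classify_status
}

# explain: map a classification to a user-facing line that names the keyring.
# Wording is this example's own, not makepkg's.
explain() {
    case "$1" in
        missing_key)   printf '%s\n' "key not found in the user's keyring: you may need to import it" ;;
        bad_signature) printf '%s\n' "bad signature: the key is known but the file does not match" ;;
        expired_key)   printf '%s\n' "signature made with an expired key" ;;
        revoked_key)   printf '%s\n' "signature made with a revoked key" ;;
        good)          printf '%s\n' "signature verified" ;;
        *)             printf '%s\n' "no signature found" ;;
    esac
}

# Constructed sample status output (not captured from a real gpg run);
# key IDs, fingerprint and user ID are placeholders.
STATUS_MISSING_KEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1480000000 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'

STATUS_BAD_SIG='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>'

STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-12-03 1480000000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Optional live run against a real gpg (set RUN_GPG_DEMO=1). Two throwaway
# keyrings, one holding the signing key and one empty, show that the same
# detached signature is "missing_key" from the empty keyring and "good" from
# the other, while a tampered copy of the file gives "bad_signature".
live_demo() {
    work=$(mktemp -d) || return 1
    signer="$work/signer"; user="$work/user"
    mkdir -m 700 "$signer" "$user"
    printf 'constructed package contents\n' > "$work/pkg.tar"
    GNUPGHOME=$signer gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key 'Example Signer <signer@example.invalid>' default default never
    GNUPGHOME=$signer gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --detach-sign -o "$work/pkg.tar.sig" "$work/pkg.tar"
    printf 'empty user keyring: '
    GNUPGHOME=$user gpg --status-fd 1 --verify "$work/pkg.tar.sig" "$work/pkg.tar" 2>/dev/null | classify_status
    printf 'signer keyring:     '
    GNUPGHOME=$signer gpg --status-fd 1 --verify "$work/pkg.tar.sig" "$work/pkg.tar" 2>/dev/null | classify_status
    printf 'tampered file:      '
    printf 'tampered\n' >> "$work/pkg.tar"
    GNUPGHOME=$signer gpg --status-fd 1 --verify "$work/pkg.tar.sig" "$work/pkg.tar" 2>/dev/null | classify_status
    GNUPGHOME=$signer gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
}

if [ "${RUN_GPG_DEMO:-0}" = 1 ]; then
    live_demo
else
    for s in "$STATUS_MISSING_KEY" "$STATUS_BAD_SIG" "$STATUS_GOOD"; do
        explain "$(classify_string "$s")"
    done
fi
```

Run as-is, the script classifies the three constructed status samples and prints a message for each; with RUN_GPG_DEMO=1 it exercises a real gpg (2.1 or newer assumed) in temporary keyrings so the three outcomes can be observed end to end. The point of separating classification from wording is that NO_PUBKEY is a statement about the verifying side's keyring, not about the signature, which is exactly the confusion the thread describes.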
