[SOLVED] Slackpkg+ fatal errors with Ponce and SlackOnly repos

denydias · 02-28-2017, 10:36 AM

In the last weeks I'm experiencing some fatal errors when running slackpkg update. Of course, this happens only with slackpkg+ plugin for third party repositories.

The errors are:

Code:

failed: Connection refused.
failed: Network is unreachable.

                        !!! F A T A L !!!
    Repository 'slackonly' FAILS the CHECKSUMS.md5 download
    The repository may be invalid and will be SKIPPED.

The one above is for SlackOnly. This repository seems to be down as the whole slackonly.com domain fails to reply.

Code:

2017-02-28 13:21:15 URL:http://ponce.cc/slackware/slackware-current/packages/CHECKSUMS.md5.asc [801/801] -> "/dev/shm/slackpkg.7WPTJN/CHECKSUMS.md5-ponce.asc" [1]

                        !!! F A T A L !!!
    Repository 'ponce' FAILS the CHECKSUMS.md5 signature check
    The file may be corrupted or the gpg key may be not valid.
    Remember to import keys by launching 'slackpkg update gpg'.

This one looks like someone have forgotten to update GPG-KEY or signatures file. When I try to update key #36287643 (Matteo Bernardini, aka Ponce) with slackpkg update gpg, it says the key is unchanged. So I suspect it is the second case.

Is anybody out there experiencing the same with those repositories? Does anyone know what happened to these repos?

notKlaatu · 02-28-2017, 10:49 AM

I just tried with the slackonly repository and yes, I get the same error.

denydias · 04-16-2017, 12:42 PM

It has been almost two months past from the OP and Ponce repo update still fails with:

Code:

                        !!! F A T A L !!!
    Repository 'ponce' FAILS the CHECKSUMS.md5 signature check
    The file may be corrupted or the gpg key may be not valid.
    Remember to import keys by launching 'slackpkg update gpg'.

Is this just me? Is no one out there facing this apparently outdated GPG keys from Ponce repo? The current GPG key is:

Code:

pub   2048R/ED123FBC 2011-01-01
uid       [ unknown] Matteo Rossini <zerouno@slacky.it>
sub   2048R/2B41569A 2011-01-01

BTW, SlackOnly -current repo is in good shape now.

willysr · 04-16-2017, 08:21 PM

Ponce's binary repository is not intended to be used with slackpkg+
it's just a collection of binary packages he provided without any metadata used by slackpkg+

please see the supported repositories

denydias · 04-16-2017, 08:58 PM

Quote:

Originally Posted by willysr

Ponce's binary repository is not intended to be used with slackpkg+

Yup! I'm aware of that. Thank you anyway for the reminder.

Now I realize my OP wasn't clear enough. Ponce's repo once worked fine with Slackpkg+, with no GPG key error of any sort. Since the OP it's not working that way anymore, as it looks that Ponce is not updating the signatures file anymore as he used to.

I posted this here in the hope that 1) Ponce himself could see that or 2) if anyone reading this could warn him of this minor issue.

I do not expect Slacpkg+ to support Ponce's repo. What I do expect is that Ponce could make it possible to me/us (the user/users) a package file integrity verification before install it.

MadMaverick9 · 04-16-2017, 11:20 PM

Code:

bash $ wget -q "http://ponce.cc/slackware/slackware-current/packages/CHECKSUMS.md5" "http://ponce.cc/slackware/slackware-current/packages/CHECKSUMS.md5.asc"                                                                                  
bash $ gpg --verify CHECKSUMS.md5.asc 
gpg: assuming signed data in `CHECKSUMS.md5'
gpg: Signature made 2017-04-11T13:59:34 ICT using RSA key ID 02BEF947
gpg: Can't check signature: public key not found
bash $

Code:

https://pgp.mit.edu/
https://pgp.mit.edu/pks/lookup?search=0x02BEF947&op=index
https://pgp.mit.edu/pks/lookup?op=get&search=0x938817FE02BEF947

ponce · 04-16-2017, 11:21 PM

hi deny,

the last key you show it's not mine: the GPG-KEY present in the 32bit repo (the 64bit is ok) is actually an old one that got there when I reinstalled the vm where I build packages, it will be fixed soon, thanks.

Code:

$ gpg  --with-fingerprint GPG-KEY                                                                                             
pub  2048R/36287643 2010-03-11 Matteo Bernardini (Ponce) <matteo.bernardini@sns.it>
      Key fingerprint = 925F 980D A4A2 CF1B 3623  982A 1156 1A10 3628 7643
sub  2048R/D1D970E5 2010-03-11

the right one is this

Code:

$ gpg  --with-fingerprint GPG-KEY
pub  4096R/02BEF947 2010-11-28 Matteo Bernardini (ponce) <matteo.bernardini@gmail.com>
      Key fingerprint = 578D EC98 F19F FC00 D9B7  F0BC 9388 17FE 02BE F947
sub  4096R/8DF5B035 2010-11-28

sorry if I hadn't answered this before but when I read the title I ignored the topic on purpose: like Willy told you, I don't support using the repository with slackpkg+ (especially if mixed with other repositories), not because it lacks metadatas (actually they're there, generated with Alien Bob's gen_repos_files.sh), but because I don't want anybody bothering me with mini-installs and such complaining that they lack dependencies (I understand now this is not the case).
I don't have time to support the repositories, those are just the packages I use on my installations and they're given away with no warranties.

denydias · 04-17-2017, 02:24 AM

Quote:

Originally Posted by ponce

the GPG-KEY present in the 32bit repo (the 64bit is ok) is actually an old one

Aha! That was it! Thank you very much, @ponce!

I apologize on confusing you with another one, but you were wight right as I had your old key in place (2048R/36287643). Now that I updated it properly (4096R/02BEF947), all runs fine again.

Just so you know, your old key is still listed at hkps.pool.sks-keyservers.net, but the new one is not.