LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (https://www.linuxquestions.org/questions/slackware-14/)
-   -   Slackpkg+ fatal errors with Ponce and SlackOnly repos (https://www.linuxquestions.org/questions/slackware-14/slackpkg-fatal-errors-with-ponce-and-slackonly-repos-4175600775/)

denydias 02-28-2017 10:36 AM

Slackpkg+ fatal errors with Ponce and SlackOnly repos
 
In the last weeks I'm experiencing some fatal errors when running slackpkg update. Of course, this happens only with slackpkg+ plugin for third party repositories.

The errors are:

Code:

failed: Connection refused.
failed: Network is unreachable.

                        !!! F A T A L !!!
    Repository 'slackonly' FAILS the CHECKSUMS.md5 download
    The repository may be invalid and will be SKIPPED.

The one above is for SlackOnly. This repository seems to be down as the whole slackonly.com domain fails to reply.

Code:

2017-02-28 13:21:15 URL:http://ponce.cc/slackware/slackware-current/packages/CHECKSUMS.md5.asc [801/801] -> "/dev/shm/slackpkg.7WPTJN/CHECKSUMS.md5-ponce.asc" [1]

                        !!! F A T A L !!!
    Repository 'ponce' FAILS the CHECKSUMS.md5 signature check
    The file may be corrupted or the gpg key may be not valid.
    Remember to import keys by launching 'slackpkg update gpg'.

This one looks like someone have forgotten to update GPG-KEY or signatures file. When I try to update key #36287643 (Matteo Bernardini, aka Ponce) with slackpkg update gpg, it says the key is unchanged. So I suspect it is the second case.

Is anybody out there experiencing the same with those repositories? Does anyone know what happened to these repos?

notKlaatu 02-28-2017 10:49 AM

I just tried with the slackonly repository and yes, I get the same error.

denydias 04-16-2017 12:42 PM

It has been almost two months past from the OP and Ponce repo update still fails with:

Code:

                        !!! F A T A L !!!
    Repository 'ponce' FAILS the CHECKSUMS.md5 signature check
    The file may be corrupted or the gpg key may be not valid.
    Remember to import keys by launching 'slackpkg update gpg'.

Is this just me? Is no one out there facing this apparently outdated GPG keys from Ponce repo? The current GPG key is:

Code:

pub  2048R/ED123FBC 2011-01-01
uid      [ unknown] Matteo Rossini <zerouno@slacky.it>
sub  2048R/2B41569A 2011-01-01

BTW, SlackOnly -current repo is in good shape now.

willysr 04-16-2017 08:21 PM

Ponce's binary repository is not intended to be used with slackpkg+
it's just a collection of binary packages he provided without any metadata used by slackpkg+

please see the supported repositories

denydias 04-16-2017 08:58 PM

Quote:

Originally Posted by willysr (Post 5697866)
Ponce's binary repository is not intended to be used with slackpkg+

Yup! I'm aware of that. Thank you anyway for the reminder.

Now I realize my OP wasn't clear enough. Ponce's repo once worked fine with Slackpkg+, with no GPG key error of any sort. Since the OP it's not working that way anymore, as it looks that Ponce is not updating the signatures file anymore as he used to.

I posted this here in the hope that 1) Ponce himself could see that or 2) if anyone reading this could warn him of this minor issue.

I do not expect Slacpkg+ to support Ponce's repo. What I do expect is that Ponce could make it possible to me/us (the user/users) a package file integrity verification before install it.

MadMaverick9 04-16-2017 11:20 PM

Code:

bash $ wget -q "http://ponce.cc/slackware/slackware-current/packages/CHECKSUMS.md5" "http://ponce.cc/slackware/slackware-current/packages/CHECKSUMS.md5.asc"                                                                                 
bash $ gpg --verify CHECKSUMS.md5.asc
gpg: assuming signed data in `CHECKSUMS.md5'
gpg: Signature made 2017-04-11T13:59:34 ICT using RSA key ID 02BEF947
gpg: Can't check signature: public key not found
bash $

Code:

https://pgp.mit.edu/
https://pgp.mit.edu/pks/lookup?search=0x02BEF947&op=index
https://pgp.mit.edu/pks/lookup?op=get&search=0x938817FE02BEF947


ponce 04-16-2017 11:21 PM

hi deny,

the last key you show it's not mine: the GPG-KEY present in the 32bit repo (the 64bit is ok) is actually an old one that got there when I reinstalled the vm where I build packages, it will be fixed soon, thanks.
Code:

$ gpg  --with-fingerprint GPG-KEY                                                                                           
pub  2048R/36287643 2010-03-11 Matteo Bernardini (Ponce) <matteo.bernardini@sns.it>
      Key fingerprint = 925F 980D A4A2 CF1B 3623  982A 1156 1A10 3628 7643
sub  2048R/D1D970E5 2010-03-11

the right one is this
Code:

$ gpg  --with-fingerprint GPG-KEY
pub  4096R/02BEF947 2010-11-28 Matteo Bernardini (ponce) <matteo.bernardini@gmail.com>
      Key fingerprint = 578D EC98 F19F FC00 D9B7  F0BC 9388 17FE 02BE F947
sub  4096R/8DF5B035 2010-11-28

sorry if I hadn't answered this before but when I read the title I ignored the topic on purpose: like Willy told you, I don't support using the repository with slackpkg+ (especially if mixed with other repositories), not because it lacks metadatas (actually they're there, generated with Alien Bob's gen_repos_files.sh), but because I don't want anybody bothering me with mini-installs and such complaining that they lack dependencies (I understand now this is not the case).
I don't have time to support the repositories, those are just the packages I use on my installations and they're given away with no warranties.

denydias 04-17-2017 02:24 AM

Quote:

Originally Posted by ponce (Post 5697904)
the GPG-KEY present in the 32bit repo (the 64bit is ok) is actually an old one

Aha! That was it! Thank you very much, @ponce!

I apologize on confusing you with another one, but you were wight right as I had your old key in place (2048R/36287643). Now that I updated it properly (4096R/02BEF947), all runs fine again.

Just so you know, your old key is still listed at hkps.pool.sks-keyservers.net, but the new one is not.


All times are GMT -5. The time now is 06:20 AM.