#61219 closed defect (duplicate)
ghc @8.10.1: GPG signature verification failed
Reported by: | ryandesign (Ryan Carsten Schmidt) | Owned by: | essandess (Steve Smith) |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | 2.6.3 |
Keywords: | | Cc: | chrstphrchvz (Christopher Chavez) |
Port: | ghc | | |
Description
I'm not able to get anywhere with the ghc port on my High Sierra system:
---> Verifying checksums for ghc
Error: Failed to checksum ghc: GPG signature verification failed on /Users/rschmidt/macports/distfiles macports/ghc/ghc-8.10.1-x86_64-apple-darwin.tar.xz with pubkey file /Users/rschmidt/macports/macports-ports-ryandesign-fork/lang/ghc/files/keyid-97db64ad.txt.
It is unusual for ports to verify gpg signatures. Maybe it would be simpler to remove that code from the portfiles that you've added it to.
Attachments (1)
Change History (7)
Changed 4 years ago by ryandesign (Ryan Carsten Schmidt)
Attachment: | main.log.bz2 added |
---|
comment:1 Changed 4 years ago by chrstphrchvz (Christopher Chavez)
comment:2 Changed 4 years ago by chrstphrchvz (Christopher Chavez)
Cc: | chrstphrchvz added |
---|
comment:3 Changed 4 years ago by essandess (Steve Smith)
I do not see this issue either. Here's what I see:
sudo port -dv checksum ghc
…
DEBUG: system: /bin/sh -c '/opt/local/bin/gpg --homedir /opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_lang_ghc/ghc/work/.gnupg --import /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/lang/ghc/files/keyid-97db64ad.txt 2>/dev/null || /usr/bin/true'
The line following this in /opt/local/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/_resources/port1.0/group/gpg_verify-1.0.tcl throws an error if gpg verification fails, so gpg verification is working.
comment:4 follow-up: 6 Changed 4 years ago by essandess (Steve Smith)
Replying to ryandesign:
> It is unusual for ports to verify gpg signatures. Maybe it would be simpler to remove that code from the portfiles that you've added it to.
ghc must be bootstrapped from a pre-compiled binary that comes with a gpg signature. I, for one, would like to know that this binary has been verified before I run it on my systems. The port group gpg_verify does this.
comment:5 Changed 4 years ago by ryandesign (Ryan Carsten Schmidt)
Resolution: | → duplicate |
---|---|
Status: | assigned → closed |
Duplicate of #61110.
comment:6 Changed 4 years ago by chrstphrchvz (Christopher Chavez)
Replying to essandess:
> I, for one, would like to know that this binary has been verified before I run it on my systems. The port group gpg_verify does this.
"Verified" is somewhat ambiguous. As far as ensuring the integrity of distfiles, that is what the existing rmd160/sha256 checksums in portfiles are for. PGP verification, being a digital signature, similarly implies computing a checksum to verify integrity.
What PGP verification can do which portfile checksums can't do is help authenticate distfiles, i.e. ensure they weren't created by a malicious party. (This assumes the private key isn't compromised, and ideally involves not blindly trusting the provided pubkey—otherwise one would argue it isn't any better than standalone checksums.)
I do not observe PGP signature verification for this port.
I've thought about writing to macports-dev to discuss the gpg_verify portgroup, so maybe that is something I will do soon.
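
The distinction drawn in comment:6 between integrity and authentication, as an added example that is not part of the ticket or of the gpg_verify portgroup: shell functions that accept a signature only when gpg reports VALIDSIG for a fingerprint the caller has pinned out of band, rather than for whichever key the pubkey file happens to contain. The function names and the sample fingerprint are constructed for illustration.

```shell
# Constructed sample of `gpg --status-fd 1 --verify` output; the fingerprint
# is a placeholder, not the key shipped in keyid-97db64ad.txt.
sample_status() {
    fpr=0123456789ABCDEF0123456789ABCDEF01234567
    printf '%s\n' "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer" \
        "[GNUPG:] VALIDSIG $fpr 2020-03-24 1585008000 0 4 0 1 10 00 $fpr"
}

# check_status PINNED_FPR
# Reads gpg status lines on stdin. Succeeds only if a VALIDSIG line names the
# pinned fingerprint and no negative status was reported for the signature.
check_status() {
    awk -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        $1 != "[GNUPG:]" { next }
        # Any of these means the signature must not be relied on.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint; the last field is
        # the primary key fingerprint when gpg emits it. Accept a pin on either.
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_pinned PUBKEY_FILE PINNED_FPR SIG_FILE DISTFILE
# Imports the key into a throwaway keyring so the caller's own keyring and
# trust settings play no part, then applies check_status to the result.
verify_pinned() {
    home=$(mktemp -d) || return 2
    # A failed import is an error here, not something to discard with
    # "2>/dev/null || true".
    if gpg --homedir "$home" --batch --quiet --import "$1"; then
        gpg --homedir "$home" --batch --status-fd 1 --verify "$3" "$4" 2>/dev/null |
            check_status "$2"
        rc=$?
    else
        rc=2
    fi
    rm -rf "$home"
    return "$rc"
}
```

The pinned fingerprint has to come from somewhere other than the pubkey file being imported; otherwise the check authenticates nothing beyond what the rmd160/sha256 checksums already cover.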