How to decide whether or not to add keys

howdy,

I have two updates waiting for me:

lib++
lib++abi

I get this message:

==> Validating source files with sha512sums...
llvm-6.0.0.src.tar.xz ... Passed
llvm-6.0.0.src.tar.xz.sig ... Skipped
libcxx-6.0.0.src.tar.xz ... Passed
libcxx-6.0.0.src.tar.xz.sig ... Skipped
libcxxabi-6.0.0.src.tar.xz ... Passed
libcxxabi-6.0.0.src.tar.xz.sig ... Skipped
==> Verifying source file signatures with gpg...
llvm-6.0.0.src.tar.xz ... FAILED (unknown public key 0FC3042E345AD05D)
libcxx-6.0.0.src.tar.xz ... FAILED (unknown public key 0FC3042E345AD05D)
libcxxabi-6.0.0.src.tar.xz ... FAILED (unknown public key 0FC3042E345AD05D)
==> ERROR: One or more PGP signatures could not be verified!

Is it safe to import these keys? And what is the correct way to find out about this kind of thing? I don't really need much on my computer, mainly programs for art and modeling, but I'm always a bit wary of the AUR.

Why do you have them?
pacman -Qi lib++
pacman -Qi lib++abi

You can search a key with:
gpg --search-keys KEYHERE

gpg --search-keys 0FC3042E345AD05D

gpg: data source: https://192.94.109.73:443
(1)     Hans Wennborg <hans@chromium.org>
          4096 bit RSA key 0FC3042E345AD05D, created: 2015-01-20, expires: 2023-01-15

But I can't seem to locate those packages...

Not sure why I have them, to be honest. I've never added anything manually, only dependencies from the odd program I've downloaded.

Well, they don't seem to be in the AUR... anyway, what's the output of the pacman -Qi commands above?

...Do you mean libc++ ?

If so then it is in aur, and the command would be
pacman -Qi libc++

Wow, that pacman -Qi gave me a super wall of text, too big to post.

Yes you're right. It's libc++ and libc++abi

And when I try to update them, that's when I get the errors:

"llvm-6.0.0.src.tar.xz ... FAILED (unknown public key 0FC3042E345AD05D)
libcxx-6.0.0.src.tar.xz ... FAILED (unknown public key 0FC3042E345AD05D)
libcxxabi-6.0.0.src.tar.xz ... FAILED (unknown public key 0FC3042E345AD05D)"

I've added keys before, but for some reason I stopped now and thought "how do I know if this is safe?"

I'm sure libc++ is safe, I'm just curious.

How is it too big, it should look like this:

trizen -Si libc++

Repository      : AUR
Name            : libc++
Version         : 6.0.0-1
Maintainer      : WoefulDerelict
URL             : https://libcxx.llvm.org/
AUR URL         : https://aur.archlinux.org/packages.php?ID=496176
License         : MIT
                  custom:University of Illinois/NCSA Open Source License
Votes           : 123
Popularity      : 16%
Installed       : No
Out Of Date     : No
Depends On      : libc++abi=6.0.0-1
Make Deps       : clang
                  cmake
                  ninja
                  python
                  libunwind
Check Deps      : None
Optional Deps   : None
Provides        : None
Conflicts With  : None
Replaces        : None
Package Base    : libc++
Last Update     : Tue Mar 20 21:20:57 2018
Description     : LLVM C++ standard library.

Because initially I just did "pacman -Qi" lol

Here it is:

pacman -Qi libc++
Name            : libc++
Version         : 5.0.1-1
Description     : A new implementation of the C++ standard library, targeting
                  C++11.
Architecture    : x86_64
URL             : http://libcxx.llvm.org/
Licenses        : MIT  custom:University of Illinois/NCSA Open Source License
Groups          : None
Provides        : None
Depends On      : libc++abi=5.0.1-1
Optional Deps   : None
Required By     : discord
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 4.84 MiB
Packager        : Unknown Packager
Build Date      : Sun 04 Mar 2018 02:31:08 GMT
Install Date    : Sun 04 Mar 2018 02:31:18 GMT
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : None

There's your answer. Discord depends on it. That's why you have it.

Now, you can combine that knowledge with what we saw on the gpg key to make up your own mind how you feel about it. Also take into consideration the PKGBUILD. You can review this online or by using arguments in your AUR helper to inspect or edit it.

Ahhh, Discord, yeah that's one I installed recently.

Thank you for your help, I never knew about the -Qi command.

And for packages not installed:
pacman -Si PACKAGE

So now the package doesn't look too weird, right? Remember to look at the PKGBUILD if you want to actually know what you're installing and what it's doing.

Now remember we looked up the key?

Now if you want to get that key, use

gpg --recv-keys 0FC3042E345AD05D

and go back to installing again.

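The check the thread circles around (is the key makepkg complains about actually the one the package declares?) can be done before touching the keyring. makepkg does not verify against the 16-hex long ID it prints; it verifies against the full 40-hex fingerprints listed in the PKGBUILD's `validpgpkeys` array, and a long ID alone can be shared by a deliberately generated look-alike key. The script below is an added example, not code from the thread or from the libc++ package: it pulls the unknown key IDs out of the pasted makepkg output, pulls the fingerprints out of a PKGBUILD, and for each ID either prints a `gpg --recv-keys` command that uses the full fingerprint or flags the key as undeclared. Both inputs are constructed samples embedded in the script; the fingerprint in the PKGBUILD fragment is the LLVM release-signing key whose long ID ends in 0FC3042E345AD05D, but it is assumed here, and the real check is against the fingerprint in the actual PKGBUILD you are about to build.

```shell
#!/bin/sh
# Cross-check "unknown public key" IDs from a makepkg run against the
# validpgpkeys fingerprints declared in the PKGBUILD. Added example.

# Constructed sample: the tail of the makepkg output pasted in the thread.
MAKEPKG_LOG='==> Verifying source file signatures with gpg...
llvm-6.0.0.src.tar.xz ... FAILED (unknown public key 0FC3042E345AD05D)
libcxx-6.0.0.src.tar.xz ... FAILED (unknown public key 0FC3042E345AD05D)
libcxxabi-6.0.0.src.tar.xz ... FAILED (unknown public key 0FC3042E345AD05D)
==> ERROR: One or more PGP signatures could not be verified!'

# Constructed sample PKGBUILD fragment. The fingerprint is assumed to be the
# LLVM release key (long ID 0FC3042E345AD05D); read it from the real PKGBUILD.
PKGBUILD="pkgname=libc++
pkgver=6.0.0
validpgpkeys=('B6C8F98282B944E3B0D5C2530FC3042E345AD05D')"

# Print each distinct 16-hex long key ID makepkg reported as unknown.
unknown_keys() {
    printf '%s\n' "$1" \
      | sed -n 's/.*unknown public key \([0-9A-Fa-f]\{16\}\).*/\1/p' \
      | sort -u
}

# Print each 40-hex fingerprint inside validpgpkeys=( ... ), upper-cased.
# The array may span several lines, so the file is joined first.
valid_fingerprints() {
    printf '%s\n' "$1" \
      | tr '\n' ' ' \
      | sed -n 's/.*validpgpkeys=(\([^)]*\)).*/\1/p' \
      | tr -c '0-9A-Fa-f' '\n' \
      | grep -E '^[0-9A-Fa-f]{40}$' \
      | tr 'a-f' 'A-F' \
      | sort -u
}

# match_fingerprint KEYID "FPR1 FPR2 ..." prints the declared fingerprint
# whose low 64 bits (last 16 hex digits) equal KEYID; exit 1 if none does.
match_fingerprint() {
    keyid=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    for fpr in $2; do
        case "$fpr" in
            *"$keyid") printf '%s\n' "$fpr"; return 0 ;;
        esac
    done
    return 1
}

# For every unknown key, print either the import command (full fingerprint,
# so the keyserver returns exactly that key) or a warning to stop and look.
plan_imports() {
    fprs=$(valid_fingerprints "$2" | tr '\n' ' ')
    unknown_keys "$1" | while read -r keyid; do
        if fpr=$(match_fingerprint "$keyid" "$fprs"); then
            printf '%s declared in PKGBUILD; import with: gpg --recv-keys %s\n' \
                "$keyid" "$fpr"
        else
            printf '%s NOT in validpgpkeys; do not import, inspect the PKGBUILD\n' \
                "$keyid"
        fi
    done
}

plan_imports "$MAKEPKG_LOG" "$PKGBUILD"
```

After `gpg --recv-keys` with the full fingerprint, `gpg --fingerprint 0FC3042E345AD05D` should show the same 40 hex digits as the PKGBUILD; if it does not, the keyserver handed back a different key and the build should not proceed. An undeclared key is a reason to read the PKGBUILD diff, not a reason to import and retry.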

Doing it now, many thanks. Although it's taking its sweet time....

It says "-- Testing: 5874 tests, 12 threads --" then just counts up in increments of 10 and repeats.

What does, the key? That should be just about instant.
Installation of a package?

Yeah, the installation.

building libc++...

...never mind, it's done... woohoo

Yes, building can take some time :wink:

And I'll leave you with more than you need about gpg:
https://wiki.archlinux.org/index.php/GPG


Many thanks for your help :slight_smile:

No problem.
Oh look, it's a little penguin > :penguin:

See

:wink:

... but should we really tell people to automatically accept?
I'm technically all for the knowledge and the option... but... it makes me feel uncomfortable.
I guess I'll just say I don't generally recommend it.
