[arch-haskell] haskell-xml-conduit-1.2.3.3-78 invalid package?
Nicola Squartini
tensor5 at gmail.com
Tue Apr 14 00:06:40 UTC 2015
You are right, I get the same output out of pacman-key.
The reason why I didn't not get the error on my system is that I only use
xml-conduit as a dependency for building [haskell-happstack] repo, and
apparently the script that does that does not check signatures.
I noticed that the "Last modified" time on xsound is different between the
file and its signature:
...
haskell-xml-conduit-1.2.3.3-78-x86_64.pkg.tar.xz 2015-04-12 19:23 752K
haskell-xml-conduit-1.2.3.3-78-x86_64.pkg.tar.xz.sig 2015-04-12 18:43
96
...
so probably Magnus had to reupload it for some reason and forgot to sign it.
On Tue, Apr 14, 2015 at 2:26 AM, Skottish <skottish97215 at gmail.com> wrote:
> On Mon, Apr 13, 2015 at 06:37:25AM -0700, Skottish wrote:
>
>> On Mon, Apr 13, 2015 at 09:31:12AM +0100, SP wrote:
>>
>>> If you do clear the cache as Nicola suggested and you still have
>>> problems, please also tell us which mirror you are using.
>>>
>>> --
>>> SP
>>>
>>
>> There are no haskell packages in the cache and I tried with both xsounds
>> and your repo SP. There's something strange with that package on both of
>> my systems.
>>
>> After sleeping last night, I took a fresh look at this. On that one file
>> the finger print is a truncated version of the fingerprint of the other
>> haskell packages that are trying to install at the same time. So I went
>> ahead and deleted Magnus' key, ran pacman -Suy, let the key get
>> automatically verified, and pacman again fails on that one file. This is
>> what happens if run pacman-key againts it:
>>
>> pacman-key -v haskell-xml-conduit-1.2.3.3-78-x86_64.pkg.tar.xz.sig
>>>
>> ==> Checking haskell-xml-conduit-1.2.3.3-78-x86_64.pkg.tar.xz.sig ...
>> gpg: assuming signed data in 'haskell-xml-conduit-1.2.3.3-
>> 78-x86_64.pkg.tar.xz'
>> gpg: Signature made Sun 12 Apr 2015 11:43:13 AM PDT using DSA key ID
>> A418C0FE
>> gpg: BAD signature from "ArchHaskell (Magnus Therning) <
>> magnus at therning.org>" [unknown]
>>
>> If I do the same thing agains haskell-http-conduit, I get the full
>> output about good signature, keys, fingerprints, and all that stuff.
>>
>
> I removed xml-conduit from my system and rebuilt it and the few local
> packages that I have that needed it.
>
> _______________________________________________
> arch-haskell mailing list
> arch-haskell at haskell.org
> http://mail.haskell.org/cgi-bin/mailman/listinfo/arch-haskell
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.haskell.org/pipermail/arch-haskell/attachments/20150414/b00f0c3b/attachment.html>
More information about the arch-haskell
mailing list