Local package version is newer + invalid signature key: what's happening?

Question

Local package version is newer + invalid signature key: what's happening?

Closed this issue 10 years ago · 8 comments

Hey, while trying to update today I've had those two errors:

first one with two local packages more recent than repo versions:

warning: haskell-css-text: local (0.1.2.1_0-3) is newer than haskell-core (0.1.2.1_0-2)
warning: haskell-missingh: local (1.3.0.1_0-4) is newer than haskell-core (1.3.0.1_0-2)

second (and more scary):

error: haskell-css-text: signature from "ArchHaskell (Magnus Therning) <magnus@therning.org>" is invalid
:: file /var/cache/pacman/pkg/haskell-css-text-0.1.2.1_0-2-i686.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature))
Do you want to delete? [Y/n]

Also I noticed the mailing list suddenly stopped on Tue May 12 11:57:12 UTC 2015.

Is something happening?

Answer 1 · 2015-06-04T11:25:16.000Z

I don't have full access to the repos from work so I won't be able to look into this properly until this evening. However, the signature failure most often occurs due to a download failure. Just remove the file from the cache, and re-run the installation.

The release numbers for both missingh and css-text (2) match what should be in the repo, so I'm not sure where your local versions come from. Have you been using any other repos besides haskell-core to get Haskell packages?

Answer 2 · 2015-06-06T14:36:18.000Z

Hey Magnus, thanks for your quick reply!

About the signature: indeed, after deleting the package and retrying a full system upgrade today it went smoothly. I'll be wary of this next time.

About the package versions: I use haskell-happstack besides haskell-core and that's all. I had recently reinstalled all haskell packages and GHC to workaround this issue.

What about the mailing list? Has it been simply inactive since mid-May or is something going on?

Answer 3 · 2015-06-06T20:23:10.000Z

Well, there is a risk that the packages in question come from haskell-happstack then. Do you mind checking?

If they do I'll just perform a bump and rebuild to ensure no one else runs into the same issue. I think that should fix it for you.

Answer 4 · 2015-06-06T21:32:14.000Z

I didn't find them in haskell-happstack list of packages and a query with pacman -Ss only located them in haskell-core. I really don't know where I got them from, here is the relevant output of grep "haskell-css-text" /var/log/pacman.log:

[2015-05-14 16:35] [ALPM] removed haskell-css-text (0.1.2.1-19)
[2015-05-14 17:04] [ALPM] installed haskell-css-text (0.1.2.1_0-2)
[2015-05-23 12:00] [ALPM] upgraded haskell-css-text (0.1.2.1_0-2 -> 0.1.2.1_0-3)
[2015-06-05 13:59] [ALPM] downgraded haskell-css-text (0.1.2.1_0-3 -> 0.1.2.1_0-2)

Therefore I don't think a rebuild is needed... I wonder whether my server could be compromised to be honest.

Any comment on the mailing list subject? Thanks for your support!

Answer 5 · 2015-06-07T10:31:25.000Z

I'm bumping those two packages right now. The new versions should hit the repo in a couple of hours.

Answer 6 · 2015-06-07T11:07:55.000Z

Ok... Any news on the mailing list? If I'm the only voicing concerns it might be superfluous.

Answer 7 · 2015-06-09T21:02:03.000Z

It's a rather low-traffic list, so unless you experience issues with posting I wouldn't worry about it.

Answer 8 · 2015-06-09T21:03:50.000Z

Indeed, it has already seen empty months in its history... Thank you for you sustained work and support.