
Firefox Upgrade Invalid Signature

Just like in the title: the PGP signature of FF 113 doesn't match. Failed to commit the transaction.

It's not the first time in recent weeks that we're getting invalid signatures (and compromised packages?). Are we losing the chain of trust with Artix?

Update:
These are the two mirror servers that I have on top:
Server = https://eu-mirror.artixlinux.org/repos/$repo/os/$arch
Server = https://artix.unixpeople.org/repos/$repo/os/$arch


Switched to one of the defaults (slow) and the transaction went through. Since I had started to notice, more and more, that some signatures don't match on updates, it would probably be wise to investigate those two mirrors. I have a quite stable connection, so I wouldn't blame it on that. Also worth noting: this has never ever happened on the Debian mirrors here (main security + mirrors).




Re: Firefox Upgrade Invalid Signature (Buildroot Compromised?)

Reply #1
Quote
Failed to commit the transaction.

lol

Quote
Are we losing the chain of trust with Artix?

I do not remember allowing you or anyone else to speak on my behalf.
"Wer alles kann, macht nichts richtig"

Artix USE="runit openrc slim openbox lxde gtk2 qt4 qt5 qt6 conky
-gtk3 -gtk4 -adwaita{cursors,themes,icons} -gnome3 -kde -plasma -wayland "

Re: Firefox Upgrade Invalid Signature (Buildroot Compromised?)

Reply #2
If you update infrequently you might have outdated keys; updating the packages related to keys and signature checking, especially the relevant keyring, before running the full update could help. The firefox package is in the Arch repo extra, and the keys were updated recently:
archlinux-keyring 20230504-1

Re: Firefox Upgrade Invalid Signature (Buildroot Compromised?)

Reply #3
I have a script to clean and renew the keys.
It's a very short script:

#!/bin/sh
# Wipe the local pacman keyring and rebuild it from the keyring packages (run as root)
set -e
rm -vfR /etc/pacman.d/gnupg
pacman-key --init
pacman-key --populate artix
pacman -S artix-keyring
pacman -S archlinux-keyring

Re: Firefox Upgrade Invalid Signature (Buildroot Compromised?)

Reply #4
If you are talking about the firefox package in world: on the mirror you suggested, the file is empty (sometimes rsync fails like this) and not corrupted/mangled, as you would have suggested: https://eu-mirror.artixlinux.org/repos/world/os/x86_64/firefox-113.0.1-1-x86_64.pkg.tar.zst
Since this is a repo mirror issue and nothing related to security I've edited your post.
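An empty or truncated file fails pacman's signature check exactly like a tampered one would, so the error message alone cannot tell the two apart. The triage step that settles it is the one Reply #4 did by hand: fetch the same package from the suspect mirror and from a reference mirror and compare the bytes. The POSIX sh below is an added example, not code from this thread or from the Artix project; the function names, the file-classification labels and the sample files it creates are my own, and the mirror URLs are only used to show how pacman's $repo/$arch template expands.

```sh
#!/bin/sh
# Added example (not from this thread): triage a package that pacman rejected
# with a signature error, to separate an empty/truncated mirror copy (the
# rsync failure described in Reply #4) from a file whose bytes actually
# differ from what other mirrors serve. Function and variable names are mine.
# This only narrows the cause; the detached .sig must still be verified.
set -eu

# Expand one mirrorlist "Server = ..." line into a concrete package URL,
# substituting $repo and $arch the way pacman does.
#   pkg_url '<Server line>' <repo> <arch> <package file name>
pkg_url() {
  printf '%s\n' "$1" | sed -e 's/^[Ss]erver *= *//' \
    -e "s|\\\$repo|$2|g" -e "s|\\\$arch|$3|g" -e "s|\$|/$4|"
}

# Classify a downloaded package file:
#   missing  - no such file
#   empty    - zero bytes (what an interrupted mirror sync leaves behind)
#   not-zstd - first 4 bytes are not the zstd frame magic 28 b5 2f fd
#   zstd     - plausible .pkg.tar.zst; its signature still has to be checked
classify_pkg() {
  f=$1
  [ -f "$f" ] || { echo missing; return 0; }
  [ -s "$f" ] || { echo empty; return 0; }
  magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
  if [ "$magic" = "28b52ffd" ]; then echo zstd; else echo not-zstd; fi
}

# Succeed when two copies of the same package have the same SHA-256.
# Identical bytes from the suspect and a reference mirror rule out tampering
# on the suspect mirror; differing bytes are worth reporting to its admins.
same_bytes() {
  a=$(sha256sum "$1" | cut -d' ' -f1)
  b=$(sha256sum "$2" | cut -d' ' -f1)
  [ "$a" = "$b" ]
}

# Stand-alone demo on constructed files (no network access needed).
demo() {
  d=$(mktemp -d)
  : > "$d/empty.pkg.tar.zst"                               # zero-length copy
  printf '\050\265\057\375payload' > "$d/good.pkg.tar.zst" # zstd magic + filler
  printf 'garbage' > "$d/bad.pkg.tar.zst"                  # wrong bytes
  pkg_url 'Server = https://eu-mirror.artixlinux.org/repos/$repo/os/$arch' \
    world x86_64 firefox-113.0.1-1-x86_64.pkg.tar.zst
  for p in empty good bad; do
    printf '%s: %s\n' "$p" "$(classify_pkg "$d/$p.pkg.tar.zst")"
  done
  rm -rf "$d"
}

demo
```

In practice you would curl the URL that pkg_url prints from each of the two mirrors into separate files, run classify_pkg on both, and only call same_bytes when neither is empty; an "empty" result on the suspect mirror is a sync failure, while "zstd" on both with differing hashes is the case that deserves the security question the original post asked.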


Re: Firefox Upgrade Invalid Signature

Reply #6
Hmm, rsync failed? It has never failed on me (kio should use rsync). And it didn't look, when pacman was downloading, like nothing was being downloaded. It would then not show progress for a "zero length" file, would it? I'll switch to the fast repos again. We'll see. I don't do banking here.

Re: Firefox Upgrade Invalid Signature

Reply #7

RTFM:

https://wiki.artixlinux.org/Main/Repositories
man pacman
man pacman.conf
man checkupdates
https://wiki.archlinux.org/title/Mirrors#Sorting_mirrors

It is recommended to repeat this reading process regularly, until enough grey matter is created in the cavity between the left and right ear to sustainably understand the update process.

Re: Firefox Upgrade Invalid Signature

Reply #8
Quote
I have a script to clean and renew the keys :
It's a very short script:

rm -vfR /etc/pacman.d/gnupg
pacman-key --init
pacman-key --populate artix
pacman -S artix-keyring
pacman -S archlinux-keyring


1. Shouldn't it be $ pacman -Sy gnupg artix-keyring?
2. $ pacman -Ss archlinux-keyring returns nothing, no such package, because it's been moved to UNIVERSE.
2a) Yet another AUR (aka UNIVERSE) may mess up main packages (libreoffice, liborcus, etc.)


Re: Firefox Upgrade Invalid Signature

Reply #9
Artix Universe won't mess up anything. I could try to explain to you why, and after what discussion with the Arch devs that became needed for the arch-support/systemd stubs etc., but I won't bother. And libreoffice was a separate issue.

Look up the complete mess that is the Chaotic-AUR repo for instance if you want "yet another AUR". Keep mocking like that and you won't last long here.

///
To refresh the keys, most of the time you just need to run pacman-key --refresh-keys.
The guy probably meant a full reinitialization of keys where he's also using archlinux-support (most of us do).