[HowTo] Verify signatures

[xiota]

Import good keys:

locate chaotic-trusted

for i in $(locate chaotic-trusted) ; do
  sha256sum "$i"
done

for i in $(cut -d: -f1 $(locate chaotic-trusted | head -1)) ; do
  gpg  --keyserver keyserver.ubuntu.com --recv-key "$i"
done

Remove bad keys:

locate chaotic-revoked

for i in $(locate chaotic-revoked) ; do
  sha256sum "$i"
done

for i in $(cut -d: -f1 $(locate chaotic-revoked | head -1)) ; do
  gpg --delete-keys --fingerprint "$i"
done

Find packages with missing signatures:

cd /srv/http/repos/chaotic-aur/x86_64

for i in *.pkg.tar.{zst,gz,xz} ; do
  [ -e "$i" ] && if [ -e "$i.sig" ] ; then
    :
  else
    
    echo "Missing: $i" | sed -E 's&-([^-]+-[0-9\.]+)-(x86_64|any)\.pkg\.tar\..*$& \1&'
  fi
done

Verify signed packages:

cd /srv/http/repos/chaotic-aur/x86_64

for i in *.sig ; do
  if gpg --verify "$i" 2> /dev/null ; then
    :
  else
    echo "Failed: $i" | sed -E 's&-([^-]+-[0-9\.]+)-(x86_64|any)\.pkg\.tar\..*$& \1&'
  fi
done

[dr460nf1r3]

This is pretty great! We might set up a job to automate this (if there is a root cause, fixing this one would be a thing I guess :P) !

[xiota]

I wonder why the sigs are bad sometimes. After rebuild, several were still bad and had to be built again.

73 packages bumped and rebuilt. 1 package cannot be rebuilt, and has been dropped (ion-git).

[PedroHLC]

If said package never had a good signature, it's not necessary to bump it.

[dr460nf1r3]

I wonder why the sigs are bad sometimes. After rebuild, several were still bad and had to be built again.

I thought this was attributed to the deployment from nodes for a while, but packages on the main builder are also affected so it can't be that. Might implement this check right after the package got deployed to the database, redeploying/issuing a notification in case the sig is broken?

[xiota]

I haven't looked at the code, but based on toolbox commands that are available, seems there's a step where the sigs are created (chaotic deploy) and a step, where the database is updated (chaotic dbb). If you check the sigs right after deploy, you could try again if they fail.

[PedroHLC]

If you can, please open a PR adding these to a "snippets" folder. No need to make any file name "shorter", make them as verbose as you can.

[PedroHLC]

Actually, maybe we should merge this repo with https://github.com/chaotic-aur/maintainer-utils

[Technetium1]

@PedroHLC wow didn't know that repo existed! I think it should definitely be merged with this

[xiota]

Should the maintainer utils scripts be moved here to notes?

[PedroHLC]

Should the maintainer utils scripts be moved here to notes?

Yeah, but let me do it.