|
| 1 | +--- |
| 2 | +title: GPG verify failed |
| 3 | +summary: GHCup tried to verify the authenticity of a software channel using GPG, but failed |
| 4 | +severity: error |
| 5 | +introduced: 0.1.19.0 |
| 6 | +--- |
| 7 | + |
| 8 | +GHCup receives information about available Haskell tools through a metadata file in YAML format that describes where to find the tools. As a defense against unauthorized third parties misleading GHCup into installing malicious software, GHCup supports checking that these metadata files are signed by a trusted [GPG](https://en.wikipedia.org/wiki/GNU_Privacy_Guard) key. This error occurs when GHCup was asked to verify all downloaded YAML files via GPG. E.g. |
| 9 | + |
| 10 | +``` |
| 11 | +$ ghcup --gpg strict list |
| 12 | +[ Info ] downloading: https://raw.githubusercontent.com/haskell/ghcup-metadata/master/ghcup-0.0.7.yaml as file /home/hasufell/.ghcup/cache/ghcup-0.0.7.yaml |
| 13 | + % Total % Received % Xferd Average Speed Time Time Time Current |
| 14 | + Dload Upload Total Spent Left Speed |
| 15 | +100 286k 100 286k 0 0 2848k 0 --:--:-- --:--:-- --:--:-- 2862k |
| 16 | + % Total % Received % Xferd Average Speed Time Time Time Current |
| 17 | + Dload Upload Total Spent Left Speed |
| 18 | +100 682 100 682 0 0 11278 0 --:--:-- --:--:-- --:--:-- 11366 |
| 19 | +[ Info ] verifying signature of: /home/hasufell/.ghcup/cache/ghcup-0.0.7.yaml |
| 20 | +[ Error ] [GHCup-00210] GPG verify failed: GPG verify failed: Process "gpg" with arguments ["--batch", |
| 21 | +[ ... ] "--verify", "--quiet", |
| 22 | +[ ... ] "--no-tty", |
| 23 | +[ ... ] "/home/hasufell/.ghcup/cache/ghcup-0.0.7.yaml.sig", |
| 24 | +[ ... ] "/home/hasufell/.ghcup/cache/ghcup-0.0.7.yaml"] failed with exit code 2. |
| 25 | +``` |
| 26 | + |
| 27 | +## Troubleshooting |
| 28 | +First, make sure the remote file exists. It's name is the same as the YAML file, except it ends with `.sig`. For example: |
| 29 | + |
| 30 | +* https://raw.githubusercontent.com/haskell/ghcup-metadata/master/ghcup-0.0.7.yaml |
| 31 | +* https://raw.githubusercontent.com/haskell/ghcup-metadata/master/ghcup-0.0.7.yaml.sig |
| 32 | + |
| 33 | +Then make sure you have the required GPG public keys: https://www.haskell.org/ghcup/guide/#gpg-verification |
| 34 | + |
| 35 | +Finally, run `ghcup` with `-v` to see the exact `gpg` error, which can be used to diagnose why verification is failing. For example, if the key has not been imported, GPG will fail with the following message: |
| 36 | + |
| 37 | +``` |
| 38 | +$ ghcup -v --gpg strict list |
| 39 | +[...] |
| 40 | +[ Info ] verifying signature of: /home/hasufell/.ghcup/cache/ghcup-prereleases-0.0.7.yaml |
| 41 | +[ Debug ] gpg: Signature made Sat 26 Aug 2023 01:20:02 PM +08 |
| 42 | +[ ... ] gpg: using RSA key 7D1E8AFD1D4A16D71FADA2F2CCC85C0E40C06A8C |
| 43 | +[ ... ] gpg: issuer "[email protected]" |
| 44 | +[ ... ] gpg: Can't check signature: No public key |
| 45 | +[ ... ] |
| 46 | +[ Error ] [GHCup-00210] GPG verify failed: GPG verify failed: Process "gpg" with arguments ["--batch", |
| 47 | +[ ... ] "--verify", "--quiet", |
| 48 | +[ ... ] "--no-tty", |
| 49 | +[ ... ] "/home/hasufell/.ghcup/cache/ghcup-prereleases-0.0.7.yaml.sig", |
| 50 | +[ ... ] "/home/hasufell/.ghcup/cache/ghcup-prereleases-0.0.7.yaml"] failed with exit code 2. |
| 51 | +``` |
0 commit comments