错误：无法验证一个或多个 PGP 签名，arch linux

Question

我最近切换到基于 Arch 的发行版，称为Manjaro。

我在从aur arch 存储库安装一些软件包时遇到问题

    curl-7.54.0.tar.gz ... Passed
    curl-7.54.0.tar.gz.asc ... Skipped
==> Verifying source file signatures with gpg...
    curl-7.54.0.tar.gz ... FAILED (unknown public key 5CC908FDB71E12C2)
==> ERROR: One or more PGP signatures could not be verified!

我需要做什么来解决这个问题？

Answer 1

拥有本地 gpg 密钥对后，您可以将未知密钥导入本地用户的密钥集。在我的情况下，5CC908FDB71E12C2需要按如下方式导入密钥。

$ gpg --recv-keys 5CC908FDB71E12C2
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: key 5CC908FDB71E12C2: 8 signatures not checked due to missing keys
gpg: /home/aaron/.gnupg/trustdb.gpg: trustdb created
gpg: key 5CC908FDB71E12C2: public key "Daniel Stenberg <daniel@haxx.se>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

--recv-keys 密钥 ID：从密钥服务器导入具有给定密钥 ID 的密钥。

如果上述操作失败，您可能需要生成本地 gpg 密钥库/数据库。

下面的步骤可能不再需要，因为上面的步骤现在为您创建了一个本地密钥数据库。这取决于您的发行版和gpg版本以及配置。

如果您gpg的本地用户还没有密钥数据库。

gpg --generate-key 

或者

gpg --full-gen-key 

文档怎么说。

   --generate-key
   --gen-key
          Generate  a  new key pair using the current default parameters.  This is the standard command to create a new key.  In addition to the key a revocation certificate is created and stored in the
          ‘openpgp-revocs.d’ directory below the GnuPG home directory.

   --full-generate-key
   --full-gen-key
          Generate a new key pair with dialogs for all options.  This is an extended version of --generate-key.

          There is also a feature which allows you to create keys in batch mode. See the manual section ``Unattended key generation'' on how to use this.