| Git Clone URL: | https://aur.archlinux.org/stellarium.git (read-only, click to copy) |
|---|---|
| Package Base: | stellarium |
| Description: | Software which renders realistic skies in real time with OpenGL |
| Upstream URL: | https://stellarium.org |
| Licenses: | GPL-2.0-or-later |
| Submitter: | arojas |
| Maintainer: | carlosal1015 |
| Last Packager: | carlosal1015 |
| Votes: | 75 |
| Popularity: | 0.44 |
| First Submitted: | 2022-04-01 18:43 (UTC) |
| Last Updated: | 2025-03-30 14:51 (UTC) |
@CaliforniaCoach: I'm almost certain you have weak-digest SHA1 set somewhere in your GPG config file. I haven't changed my config file (in fact I don't have one), and I have no issue with running gpg --verify -v stellarium-23.4.tar.gz.asc.
Check the Arch Wiki for some possible locations of these files.
You shouldn't need to allow weak digest algorithms, because according to GPG documentation, "MD5 is the only digest algorithm considered weak by default."
Coming back to my problem from 2023-10-07: I am still having the same issue, makepkg still aborts with an error "One or more PGP signatures could not be verified" (yeah, I know, I could skip the check with --skippgpcheck, but it does not feel good and lowers security).
My outputs of gpg --verify ... from 2023-10-07 are still (almost) the same, sig check fails with standard options and passes with --allow-weak-digest-algos option. Using newer gpg version 2.4.3 this time, though.
I think it would be easy to fix it on your (or Alexander Wolf's) side, you (or Alexander) would just have to (cross-)sign the keys again with the proper algos (other than SHA-1), and an up-to-date gpg version. I also found this related article: https://www.gnupg.org/faq/subkey-cross-certify.html
Could you do so, please?
I am getting stuck here when compiling:
[65/934] Building CXX object plugins/Exoplanets/src/CMakeFiles/Exoplanets-static.dir/Exoplanets-static_autogen/mocs_compilation.cpp.o ninja: build stopped: subcommand failed. ==> ERROR: A failure occurred in build(). Aborting... error: failed to build 'stellarium-23.4-4': error: packages failed to build: stellarium-23.4-4
Alright, nlopt is a dependency.
stellarium wouldn't start because of missing libnlopt.so.0, so i guess it depends on nlopt package
Hi. I had to rebuild stellarium since I ran across the same startup-error as this guy: https://www.indilib.org/forum/ccds-dslrs/14096-asi-driver-crashed-with-symbol-lookup-error.html so I guess, my INDI-library also updated since the last time I successfully used stellarium. (I also rebuilt calcmysky, not sure if that was necessary.) works again. Greetings
I get :
-> Failed to install the following packages. Manual intervention is required:
stellarium - exit status 1
@carlosal1015 I tried, but same result. Note: To import the key from the key server you suggested, I had to give gpg the option "--allow-weak-digest-algos", too.
So as far as I can see, I got the right key into my local gpg database, no problem (although I had to use "--allow-weak-digest-algos" to allow SHA-1 for importing the key). But the problem is that "makepkg" still does not allow that SHA-1 signature/key and rejects the sig check.
Note: I use gpg version 2.2.41:
$ gpg --version
gpg (GnuPG) 2.2.41
libgcrypt 1.10.2-unknown
Copyright (C) 2022 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/bernd/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
If I do it with additional option "--allow-weak-digest-algos" for gpg, it works. Don't know if it is possible to somehow tell "makepkg" to allow SHA-1 accordingly?
$ gpg --verify -v --allow-weak-digest-algos stellarium-23.3.tar.gz.asc stellarium-23.3.tar.gz
gpg: enabled compatibility flags:
gpg: Signature made Mon 25 Sep 2023 03:12:04 PM CEST
gpg: using RSA key F57F309D74C9A94E2B6AA5D09380E47C0374E169
gpg: using subkey 9380E47C0374E169 instead of primary key BF38D4D02A328DFF
gpg: using subkey 9380E47C0374E169 instead of primary key BF38D4D02A328DFF
gpg: using pgp trust model
gpg: Good signature from "Alexander Wolf <alex.v.wolf@gmail.com>" [unknown]
gpg: using subkey 9380E47C0374E169 instead of primary key BF38D4D02A328DFF
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7915 1C2E 6351 E727 8DA1 A730 BF38 D4D0 2A32 8DFF
Subkey fingerprint: F57F 309D 74C9 A94E 2B6A A5D0 9380 E47C 0374 E169
gpg: binary signature, digest algorithm SHA512, key algorithm rsa1024
$ gpg --verify -v stellarium-23.3.tar.gz.asc stellarium-23.3.tar.gz
gpg: enabled compatibility flags:
gpg: Signature made Mon 25 Sep 2023 03:12:04 PM CEST
gpg: using RSA key F57F309D74C9A94E2B6AA5D09380E47C0374E169
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: using subkey 9380E47C0374E169 instead of primary key BF38D4D02A328DFF
gpg: WARNING: signing subkey 9380E47C0374E169 has an invalid cross-certification
gpg: Can't check signature: General error
Pinned Comments
carlosal1015 commented on 2022-11-01 05:22 (UTC)
Pre-built binaries of this package and its dependencies can be found in the arch4edu repository.
carlosal1015 commented on 2022-04-02 19:14 (UTC) (edited on 2022-07-07 16:46 (UTC) by carlosal1015)
Important note: Is recommended to receive the following key before to install:
Also is possible skip the verification, adding the flag for (e.g
makepkg,yay)--skippgpcheck,--nopgpfetch, respectively.