On Mon, Apr 13, 2015 at 09:31:12AM +0100, SP wrote:

If you do clear the cache as Nicola suggested and you still have problems, please also tell us which mirror you are using.

-- SP

There are no haskell packages in the cache and I tried with both xsounds and your repo SP. There's something strange with that package on both of my systems. After sleeping last night, I took a fresh look at this. On that one file the finger print is a truncated version of the fingerprint of the other haskell packages that are trying to install at the same time. So I went ahead and deleted Magnus' key, ran pacman -Suy, let the key get automatically verified, and pacman again fails on that one file. This is what happens if run pacman-key againts it:

pacman-key -v haskell-xml-conduit-1.2.3.3-78-x86_64.pkg.tar.xz.sig ==> Checking haskell-xml-conduit-1.2.3.3-78-x86_64.pkg.tar.xz.sig ... gpg: assuming signed data in 'haskell-xml-conduit-1.2.3.3-78-x86_64.pkg.tar.xz' gpg: Signature made Sun 12 Apr 2015 11:43:13 AM PDT using DSA key ID A418C0FE gpg: BAD signature from "ArchHaskell (Magnus Therning) " [unknown]

If I do the same thing agains haskell-http-conduit, I get the full output about good signature, keys, fingerprints, and all that stuff.

You are right, I get the same output out of pacman-key. The reason why I didn't not get the error on my system is that I only use xml-conduit as a dependency for building [haskell-happstack] repo, and apparently the script that does that does not check signatures. I noticed that the "Last modified" time on xsound is different between the file and its signature: ... haskell-xml-conduit-1.2.3.3-78-x86_64.pkg.tar.xz 2015-04-12 19:23 752K haskell-xml-conduit-1.2.3.3-78-x86_64.pkg.tar.xz.sig 2015-04-12 18:43 96 ... so probably Magnus had to reupload it for some reason and forgot to sign it. On Tue, Apr 14, 2015 at 2:26 AM, Skottish wrote:

On Mon, Apr 13, 2015 at 06:37:25AM -0700, Skottish wrote:

...

On Mon, Apr 13, 2015 at 09:31:12AM +0100, SP wrote:

...

If you do clear the cache as Nicola suggested and you still have problems, please also tell us which mirror you are using.

-- SP

There are no haskell packages in the cache and I tried with both xsounds and your repo SP. There's something strange with that package on both of my systems.

After sleeping last night, I took a fresh look at this. On that one file the finger print is a truncated version of the fingerprint of the other haskell packages that are trying to install at the same time. So I went ahead and deleted Magnus' key, ran pacman -Suy, let the key get automatically verified, and pacman again fails on that one file. This is what happens if run pacman-key againts it:

pacman-key -v haskell-xml-conduit-1.2.3.3-78-x86_64.pkg.tar.xz.sig

...

==> Checking haskell-xml-conduit-1.2.3.3-78-x86_64.pkg.tar.xz.sig ... gpg: assuming signed data in 'haskell-xml-conduit-1.2.3.3- 78-x86_64.pkg.tar.xz' gpg: Signature made Sun 12 Apr 2015 11:43:13 AM PDT using DSA key ID A418C0FE gpg: BAD signature from "ArchHaskell (Magnus Therning) < magnus@therning.org>" [unknown]

If I do the same thing agains haskell-http-conduit, I get the full output about good signature, keys, fingerprints, and all that stuff.

I removed xml-conduit from my system and rebuilt it and the few local packages that I have that needed it.

_______________________________________________ arch-haskell mailing list arch-haskell@haskell.org http://mail.haskell.org/cgi-bin/mailman/listinfo/arch-haskell

On Tue, Apr 14, 2015 at 07:36:25AM +0200, Magnus Therning wrote:

If you put it in a ticket it'll be easier for me to remember having a look at this later on :)

/M

Done.