Update MSYS2 base

[elieux]

Hey, this is the future packager for MSYS2. I uploaded a new database recently and reverted it after a few hours due to reports of issues. I even received one issue from a concerned vcpkg user. Due to a bunch of stuff coming together, we don't see a way to make the upgrade path work cleanly for old installations (from an old installer or just not upgraded for a while). Therefore I suggest that vcpkg switch to the current MSYS2 installer which should have the correct keyring. How realistic is this for you?

[notifying @lazka]

[elieux]

The vcpkg log:

-- Acquiring MSYS2...
-- Downloading https://sourceforge.net/projects/msys2/files/Base/x86_64/msys2-base-x86_64-20190524.tar.xz/download...
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/etc/pacman.d/gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded
gpg: Generating pacman keyring master key...
gpg: key 69A4A79979944FCF marked as ultimately trusted
gpg: directory '/etc/pacman.d/gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/etc/pacman.d/gnupg/openpgp-revocs.d/5EECEBF3DABCBC4C358437EE69A4A79979944FCF.rev'
gpg: Done
==> Updating trust database...
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
==> Appending keys from msys2.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signing key D55E7A6D7CE9BA1587C0ACACF40D263ECA25678A...
  -> Locally signing key 123D4D51A1793859C2BE916BBBE514E53E0D0813...
  -> Locally signing key B91BCF3303284BF90CC043CA9F418C233E652008...
  -> Locally signing key 9DD0D4217D75A33B896159E6DA7EF2ABAEEA755C...
==> Importing owner trust values...
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: inserting ownertrust of 4
==> Updating trust database...
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   4  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   4  signed:   3  trust: 0-, 0q, 0n, 4m, 0f, 0u
gpg: depth: 2  valid:   3  signed:   0  trust: 3-, 0q, 0n, 0m, 0f, 0u
:: Synchronizing package databases...
downloading mingw32.db...
downloading mingw32.db.sig...
error: mingw32: key "4A6129F4E4B84AE46ED7F635628F528CF3053E04" is unknown
:: Import PGP key 4096R/87771331B3F1FF5263856A6D974C8BE49078F532, "David Macek <[email protected]>", created: 2018-01-14? [Y/n] error: mingw32: signature from "David Macek <[email protected]>" is marginal trust
error: failed to update mingw32 (invalid or corrupted database (PGP signature))

downloading mingw64.db...
downloading mingw64.db.sig...
error: mingw64: signature from "David Macek <[email protected]>" is marginal trust
error: failed to update mingw64 (invalid or corrupted database (PGP signature))
downloading msys.db...
downloading msys.db.sig...
error: msys: signature from "David Macek <[email protected]>" is marginal trust
error: failed to update msys (invalid or corrupted database (PGP signature))
error: failed to synchronize all databases
error: mingw32: signature from "David Macek <[email protected]>" is marginal trust
error: mingw64: signature from "David Macek <[email protected]>" is marginal trust
error: msys: signature from "David Macek <[email protected]>" is marginal trust
checking dependencies...

Packages (2) rebase-4.4.4-1  dash-0.5.10.2-1

Total Removed Size:  1.12 MiB

:: Do you want to remove these packages? [Y/n]
:: Processing package changes...
removing rebase...
removing dash...
error: mingw32: signature from "David Macek <[email protected]>" is marginal trust
error: mingw64: signature from "David Macek <[email protected]>" is marginal trust
error: msys: signature from "David Macek <[email protected]>" is marginal trust
:: Synchronizing package databases...
downloading mingw32.db...
downloading mingw32.db.sig...
error: mingw32: signature from "David Macek <[email protected]>" is marginal trust
error: failed to update mingw32 (invalid or corrupted database (PGP signature))
downloading mingw64.db...
downloading mingw64.db.sig...
error: mingw64: signature from "David Macek <[email protected]>" is marginal trust
error: failed to update mingw64 (invalid or corrupted database (PGP signature))
downloading msys.db...
downloading msys.db.sig...
error: msys: signature from "David Macek <[email protected]>" is marginal trust
error: failed to update msys (invalid or corrupted database (PGP signature))
error: failed to synchronize all databases
-- Acquiring MSYS2... OK
-- Acquiring MSYS Packages...
CMake Error at scripts/cmake/vcpkg_execute_required_process.cmake:72 (message):
    Command failed: C:/vcpkg/downloads/tools/msys2/msys64/usr/bin/bash.exe --noprofile --norc -c "pacman -S --noconfirm --needed make automake1.15"
    Working Directory: C:/vcpkg/downloads/tools/msys2
    Error code: 1
    See logs for more information:
     C:\vcpkg\buildtrees\icu\msys-pacman-x64-windows-err.log

Call Stack (most recent call first):
  scripts/cmake/vcpkg_acquire_msys.cmake:127 (vcpkg_execute_required_process)
  ports/icu/portfile.cmake:80 (vcpkg_acquire_msys)
  scripts/ports.cmake:76 (include)

[elieux]

@FuckYou2Bill, what?

[elieux]

@emptyVoid might be interested as well.

[emptyVoid]

@elieux, as far as I understand MSYS2 dropped i686 installer since 2020-05-22, whereas vcpkg still supports x86 host platforms. That's kind of a blocker for updating MSYS2 version used by vcpkg.

[elieux]

How big of an issue is to keep that older x86 version and update the x64 version?

[emptyVoid]

I don't think it's a good idea, since it would potentially require different installation scripts as the versions diverge further from each other. Moreover wouldn't your above-mentioned changes break x86 version?

[elieux]

They don't until we decide to also build an msys-i686 package, which we currently don't plan to. But if you prefer to keep the versions in sync, would you be willing to adapt the installation script to update the keyring first? I'll be writing down the exact steps soon for our "manual intervention needed" section.

[emptyVoid]

But if you prefer to keep the versions in sync, would you be willing to adapt the installation script to update the keyring first?

Sure.

BTW, shouldn't pacman-key --init; pacman-key --populate take care of the official keys?

[elieux]

It would, if we hadn't also added new master keys. We couldn't get all the original master key holders. The previous packager also quit somewhat abruptly, so now it's either stall or break.

(There's an option to update the msys-i686 packages and installers one last time, which would allow vcpkg to update to the newer installers, but it would immediately break all the older 32-bit installations.)

[elieux]

Instructions are up: https://www.msys2.org/news/#2020-06-29-new-packagers

[emptyVoid]

@elieux, I followed the instruction you mention, and it gives me an error message:

==> ERROR: The signature identified by D:/Projects/GitHub/vcpkg/downloads/msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz could not be verified.

[elieux]

@emptyVoid, did it say anything else?

My output:

$ pacman-key --verify msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz{.sig,}
==> Checking msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz.sig... (detached)
gpg: Signature made Mon Jun 29 07:36:14 2020 CEST
gpg:                using DSA key AD351C50AE085775EB59333B5F92EFC1A47D45A1
gpg: Note: trustdb not writable
gpg: Good signature from "Alexey Pavlov (Alexpux) <[email protected]>" [full]

Swapped arguments:

$ pacman-key --verify msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz{,.sig}
==> Checking msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz... (detached)
gpg: [don't know]: invalid packet (ctb=3f)
gpg: no signature found
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
==> ERROR: The signature identified by msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz could not be verified.

Broken signature file:

$ pacman-key --verify msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz{.sig,}
==> Checking msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz.sig... (detached)
gpg: mpi too large (19456 bits)
gpg: mpi too large (65059 bits)
gpg: no signature found
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
==> ERROR: The signature identified by msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz.sig could not be verified.

[emptyVoid]

@elieux, here's an output using fresh msys2-base-x86_64-20190524.tar.xz:

D:\Downloads>.\msys64\usr\bin\bash.exe --noprofile --norc -c "PATH=/usr/bin;pacman-key --init;pacman-key --populate"
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/etc/pacman.d/gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded
gpg: Generating pacman keyring master key...
gpg: key B6CACBD9B16AE8B1 marked as ultimately trusted
gpg: directory '/etc/pacman.d/gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/etc/pacman.d/gnupg/openpgp-revocs.d/9E3F525FEA5D7EB851491049B6CACBD9B16AE8B1.rev'
gpg: Done
==> Updating trust database...
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
==> Appending keys from msys2.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signing key D55E7A6D7CE9BA1587C0ACACF40D263ECA25678A...
  -> Locally signing key 123D4D51A1793859C2BE916BBBE514E53E0D0813...
  -> Locally signing key B91BCF3303284BF90CC043CA9F418C233E652008...
  -> Locally signing key 9DD0D4217D75A33B896159E6DA7EF2ABAEEA755C...
==> Importing owner trust values...
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: inserting ownertrust of 4
==> Updating trust database...
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   4  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   4  signed:   3  trust: 0-, 0q, 0n, 4m, 0f, 0u
gpg: depth: 2  valid:   3  signed:   0  trust: 3-, 0q, 0n, 0m, 0f, 0u

D:\Downloads>.\msys64\usr\bin\bash.exe --noprofile --norc -c "PATH=/usr/bin;pacman-key --verify msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz{.sig,}"
==> Checking msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz.sig...
gpg: assuming signed data in 'msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz'
gpg: Signature made Mon Jun 29 08:36:14 2020 RTZST
gpg:                using DSA key AD351C50AE085775EB59333B5F92EFC1A47D45A1
gpg: Good signature from "Alexey Pavlov (Alexpux) <[email protected]>" [full]
==> Checking msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz...
gpg: [don't know]: invalid packet (ctb=3f)
gpg: no signature found
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
==> ERROR: The signature identified by msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz could not be verified.

Swapped arguments:

D:\Downloads>.\msys64\usr\bin\bash.exe --noprofile --norc -c "PATH=/usr/bin;pacman-key --verify msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz{,.sig}"
==> Checking msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz...
gpg: [don't know]: invalid packet (ctb=3f)
gpg: no signature found
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
==> ERROR: The signature identified by msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz could not be verified.
==> Checking msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz.sig...
gpg: assuming signed data in 'msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz'
gpg: Signature made Mon Jun 29 08:36:14 2020 RTZST
gpg:                using DSA key AD351C50AE085775EB59333B5F92EFC1A47D45A1
gpg: Good signature from "Alexey Pavlov (Alexpux) <[email protected]>" [full]

Explicit arguments:

D:\Downloads>.\msys64\usr\bin\bash.exe --noprofile --norc -c "PATH=/usr/bin;pacman-key --verify msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz.sig msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz"
==> Checking msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz.sig...
gpg: assuming signed data in 'msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz'
gpg: Signature made Mon Jun 29 08:36:14 2020 RTZST
gpg:                using DSA key AD351C50AE085775EB59333B5F92EFC1A47D45A1
gpg: Good signature from "Alexey Pavlov (Alexpux) <[email protected]>" [full]
==> Checking msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz...
gpg: [don't know]: invalid packet (ctb=3f)
gpg: no signature found
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
==> ERROR: The signature identified by msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz could not be verified.

[elieux]

Oh. For some reason, pacman-key seems to interpret both arguments as detached signatures. Just pacman-key --verify msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz.sig should work then. I wonder if pacman-key from 2019-05-24 just doesn't support the explicit syntax, or there's something else at play. I would try it myself in a local setup, but I'm on a metered connection.

These are my current versions:

$ pacman-key --version
pacman-key (pacman) 5.2.1
[...]

$ gpg --version
gpg (GnuPG) 2.2.20-unknown
[...]

[emptyVoid]

Versions from msys2-base-x86_64-20190524.tar.xz:

D:\Downloads>.\msys64\usr\bin\bash.exe --noprofile --norc -c "PATH=/usr/bin;pacman-key --version"
pacman-key (pacman) 5.1.3
...

D:\Downloads>.\msys64\usr\bin\bash.exe --noprofile --norc -c "PATH=/usr/bin;gpg --version"
gpg (GnuPG) 2.2.15-unknown
...

Yeah, pacman-key --verify msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz.sig works as long as the package is located in the same directory.