Pakfire won't work

Hi all! I’ve recently installed and deployed an IPFire instance to protect a small sized LAN. Everything is working correctly, as far as I can see. After a while however I tried to add some plugins and found that pakfire isn’t working at all. I’m able to ping the server and to download packages (so no DNS or ntpdate issues) but pakfire itself is unable to work as apparently the installation is incomplete. This is the output of a pakfire status command:

[root@firewall pakfire]# ./pakfire status
grep: /opt/pakfire/db/lists/core-list.db: No such file or directory
Core-Version: 2.29-x86_64
Core-Update-Level: 189
Last update: 96d 1h 31m 38s ago
Last core-list update: 20104d 11h 32m 14s ago
Last server-list update: 20104d 11h 32m 14s ago
Last packages-list update: 20104d 11h 32m 14s ago
Core-Update available: no
Package-Updates available: 0
Reboot required: no

The line about missing core-list.db is the one that troubles me… if I try an update I get this instead:

[root@firewall pakfire]# ./pakfire update
server-list.db 100.00% |=============================>| 2.24 KB
DOWNLOAD ERROR: The downloaded file (2.29-x86_64/lists/server-list.db) wasn't verified by IPFire.org. Sorry - Exiting...
TIME INFO: Time Server 85.199.214.99 has -0.000370 sec offset to localtime.

as you can see, the download went ok, but pakfire can’t validate the signature.

These are contents of pakfire dir:

[root@firewall pakfire]# ll .
total 24
lrwxrwxrwx 1 root root 23 Oct 12 13:48 cache -> ../../var/cache/pakfire
drwxr-xr-x 7 root root 89 Dec 6 16:40 db
drwxr-xr-x 3 root root 40 Dec 6 16:36 etc
drwxr-xr-x 2 root root 46 Oct 12 15:11 lib
lrwxrwxrwx 1 root root 21 Oct 12 13:48 logs -> ../../var/log/pakfire
-rwxr-xr-x 1 root root 15270 Oct 12 13:48 pakfire
-rw-r--r-- 1 root root 1648 Oct 12 13:48 pakfire-2018.key
-rw-r--r-- 1 root root 3163 Oct 12 13:48 pakfire-2022.key
drwxr-xr-x 2 root root 28 Dec 6 17:11 tmp

Keys are present, but searching a bit around it seems that also a GPG store should be present, is this correct? If this is the issue, how can I fix this?

Thanks in advance,
Fabrizio

Welcome to the community.

Did you check the logs, either in /var/log/messages or in the WUI Logs->System Logs section pakfire?

Hi Bernhard! Thanks for your message. Yes, I checked the logs, I didn’t post them earlier because it is actually the same information that’s given by command output:

Jan 16 12:45:32 firewall pakfire: PAKFIRE INFO: IPFire Pakfire 2.29-x86_64 started!
Jan 16 12:45:32 firewall pakfire: DOWNLOAD STARTED: 2.29-x86_64/lists/server-list.db
Jan 16 12:45:32 firewall pakfire: DOWNLOAD INFO: Host: pakfire.ipfire.org (HTTPS) - File: 2.29-x86_64/lists/server-list.db
Jan 16 12:45:32 firewall kernel: DROP_CTINVALID IN=red0 OUT= MAC=d8:bb:c1:66:8e:c5:c8:77:65:17:5d:35:08:00 SRC=157.240.231.174 DST=151.4.203.186 LEN=59 TOS=0x08 PREC=0x20 TTL=54 ID=5903 DF PROTO=TCP SPT=443 DPT=64690 WINDOW=267 RES=0x00 ACK PSH FIN URGP=0
Jan 16 12:45:32 firewall pakfire: DOWNLOAD INFO: 2.29-x86_64/lists/server-list.db has size of 2289 bytes
Jan 16 12:45:32 firewall pakfire: DOWNLOAD INFO: HTTP-Status-Code: 200 - 200 OK
Jan 16 12:45:32 firewall pakfire: DOWNLOAD INFO: File received. Start checking signature...
Jan 16 12:45:32 firewall pakfire: DOWNLOAD ERROR: The downloaded file (2.29-x86_64/lists/server-list.db) wasn't verified by IPFire.org. Sorry - Exiting...
Jan 16 12:45:32 firewall kernel: IPv4: martian source 10.142.11.230 from 10.142.11.233, on dev green0
Jan 16 12:45:32 firewall kernel: ll header: 00000000: ff ff ff ff ff ff 00 1c b2 90 42 54 08 06
Jan 16 12:45:33 firewall pakfire: TIME INFO: Time Server 85.199.214.99 has -0.000370 sec offset to localtime.
Jan 16 12:45:33 firewall pakfire: PAKFIRE INFO: Pakfire has finished. Closing.

I’ve left in the snippet kernel messages also, but I don’t think they are related to pak session (the firewall is currently in production).

best regards,
Fabrizio

Hallo @hermooz

Welcome to the IPFire community.

Pakfire doesn’t like the fact that your system time is not fully synchronised. That can cause problems with the decryption process that is used on the downloaded packages.

Is your Time Server working okay? Are there any problems in the logs showing difficulty in accessing the ntp pool servers that you have defined?

I don’t think it is the time difference. 0.000370 sec is very small.
There must be another problem with GPG. I remember that the message ‘TIME INFO: …’ is given because this is the reason if all other GPG dependencies are fulfilled. IMO, it just means that GPG didn’t succeed.
A step-by-step sequence on the console may enlighten the problem:

  • download server-list.db ( URL is documented in logs )
  • check signature: GNUPGHOME=/opt/pakfire/etc/.gnupg gpg --verify --status-fd 1 <filename> ( this is done in pakfire, but errors are deleted )

Hi Adolf, thanks, but we’re talking about a third of a millisecond here. We are well within normal time drift even with NTP correctly operating (which I think it is, BTW)…

best regards!
Fabrizio

Thanks Bernhard, I think we’re up to something. I guess you were referring to “server-list.db” file and not to “service.db”. I manually downloaded it from mirror “Index of /pakfire2” and tried to check signature and this is the output:

[root@firewall tmp]# gpg --verify --status-fd 1 server-list.db
gpg: directory `/root/.gnupg' created
gpg: can't open `/usr/share/gnupg/options.skel': No such file or directory
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: Signature made Thu Jan 16 16:18:52 2025 CET using RSA key ID D713594B
[GNUPG:] ERRSIG 6FEF7A8ED713594B 1 10 01 1737040732 9
[GNUPG:] NO_PUBKEY 6FEF7A8ED713594B
gpg: Can't check signature: public key not found

it seems pretty obvious that something went wrong in GPG installation in this box.

best regards,
Fabrizio

Some further investigation and trials show, you must set the GNUPG keys directory.
I have edited my last post.

OK! That’s something on which I can work… but at the end I’m still stuck. Sadly, I’m a little rusty about GPG. I’ve tried these steps:

  1. create a local GPG key

#gpg --gen-key

  2. download signer public key

#gpg --keyserver pgp.mit.edu --always-trust --recv-key 6FEF7A8ED713594B

  3. locally sign imported key

#gpg --lsign-key 6FEF7A8ED713594B

  4. trust signed key (fully)

#gpg --update-trustdb

After this, verification of downloaded file manually succeeds:

[root@firewall pakfire]# gpg  --verify --status-fd 1 /tmp/server-list.db
gpg: Signature made Thu Jan 16 16:18:52 2025 CET using RSA key ID D713594B
[GNUPG:] SIG_ID tKRead0Xx8YapWSPbuttpC3cXCE 2025-01-16 1737040732
[GNUPG:] GOODSIG 6FEF7A8ED713594B IPFire Pakfire Package Signing Key <pakfire@ipfire.org>
gpg: Good signature from "IPFire Pakfire Package Signing Key <pakfire@ipfire.org>"
[GNUPG:] VALIDSIG 3ECA8AA4478208B924BB96206FEF7A8ED713594B 2025-01-16 1737040732 0 4 0 1 10 01 3ECA8AA4478208B924BB96206FEF7A8ED713594B
[GNUPG:] TRUST_FULLY

but pakfire is still complaining :(

[root@firewall pakfire]# pakfire update
server-list.db       100.00% |=============================>|    2.24 KB
DOWNLOAD ERROR: The downloaded file (2.29-x86_64/lists/server-list.db) wasn't verified by IPFire.org. Sorry - Exiting...
TIME INFO: Time Server 185.157.229.254 has +0.004432 sec offset to localtime.

I’ve found that at least in some versions of IPFire GPG stores should reside under /opt/pakfire. So I repeated the whole process adding option “--home-dir=/opt/pakfire” to gpg commands, and this is the result:

[root@firewall pakfire]# ll
total 48
lrwxrwxrwx 1 root root    23 Oct 12 13:48 cache -> ../../var/cache/pakfire
drwxr-xr-x 7 root root    89 Dec  6 16:40 db
drwxr-xr-x 3 root root    40 Jan 16 16:29 etc
drwxr-xr-x 2 root root    46 Oct 12 15:11 lib
lrwxrwxrwx 1 root root    21 Oct 12 13:48 logs -> ../../var/log/pakfire
-rwxr-xr-x 1 root root 15270 Oct 12 13:48 pakfire
-rw-r--r-- 1 root root  1648 Oct 12 13:48 pakfire-2018.key
-rw-r--r-- 1 root root  3163 Oct 12 13:48 pakfire-2022.key
-rw------- 1 root root  2690 Jan 16 21:12 pubring.gpg
-rw------- 1 root root  2690 Jan 16 21:11 pubring.gpg~
-rw------- 1 root root   600 Jan 16 21:11 random_seed
-rw------- 1 root root  2537 Jan 16 21:09 secring.gpg
-rw-r--r-- 1 root root  2289 Jan 16 21:18 server-list.db
drwxr-xr-x 2 root root   116 Jan 16 21:24 tmp
-rw------- 1 root root  1360 Jan 16 21:12 trustdb.gpg

but still no luck… what am I getting wrong?

Best regards,
Fabrizio

You don’t have to create any gpg key. The public keys are installed on your IPFire system when it is installed.

ls -hal /opt/pakfire/
total 48K
drwxr-xr-x 6 root root 4.0K Oct 11 2023 .
drwxr-xr-x 3 root root 4.0K Oct 11 2023 ..
lrwxrwxrwx 1 root root 23 Jun 9 2023 cache -> ../../var/cache/pakfire
drwxr-xr-x 7 root root 4.0K Jun 26 2023 db
drwxr-xr-x 3 root root 4.0K Jun 26 2023 etc
drwxr-xr-x 2 root root 4.0K Oct 11 2023 lib
lrwxrwxrwx 1 root root 21 Jun 9 2023 logs -> ../../var/log/pakfire
-rwxr-xr-x 1 root root 15K Jun 9 2023 pakfire
-rw-r--r-- 1 root root 1.7K Jun 9 2023 pakfire-2018.key
-rw-r--r-- 1 root root 3.1K Jun 9 2023 pakfire-2022.key
drwxr-xr-x 2 root root 4.0K Jan 16 04:53 tmp

You can see the two keys in that directory, one from 2018 and the other from 2022.

These two keys are imported into gpg when IPFire is booted as part of the pakfire initscript.

https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/initscripts/system/pakfire;hb=e0bc608bf8d1f7e81f3bd35a5d4454eed495f858#l30

Line 25 from that initscript was the additional part added in by @bbitsch into his command suggestion in post 5 of this thread (excluding the word export from line 25).


Have you tried my advice?
As @bonnietwin mentioned the keys are installed already in IPFire.
pakfire sets the GNUPGHOME to /opt/pakfire/etc/.gnupg . With this gpg can check the file.
Do you have this directory, and what are its contents?


Oh boy, I totally overlooked that part. I think I owe you both my apologies, you’ve been really helpful and I have wasted a lot of your time.

However, with this piece of info added to the picture I have solved the issue. Under GPG home there was an empty trustdb:

[root@firewall .gnupg]# ll
total 8
-rw------- 1 root root 3444 Dec  6 17:11 pubring.gpg
-rw------- 1 root root 1161 Dec  6 16:37 pubring.gpg~
-rw------- 1 root root    0 Dec  6 16:36 secring.gpg
-rw------- 1 root root    0 Dec  6 16:36 trustdb.gpg

file date/time are those of first installation. I can’t guess why it ended up empty, but GPG doesn’t like an empty trustdb file, as it seems (it complains “wrong format” or something like that). So I simply deleted the trustdb and imported keys anew:

[root@firewall .gnupg]# rm trustdb.gpg
rm: remove regular empty file 'trustdb.gpg'? y
[root@firewall .gnupg]# /etc/rc.d/init.d/pakfire start
Setting up Pakfire Package Manager...                                                                                  [  OK  ]

and just for good measure, I’ve also checked with the single command:

[root@firewall .gnupg]# gpg --import /opt/pakfire/pakfire-2018.key /opt/pakfire/pakfire-2022.key
gpg: key D713594B: "IPFire Pakfire Package Signing Key <pakfire@ipfire.org>" not changed
gpg: key C8DCE211: "IPFire Pakfire Package Signing Key <pakfire@ipfire.org>" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2

and from this, everything looks good:

[root@firewall .gnupg]# gpg --list-keys
gpg: /opt/pakfire/etc/.gnupg/trustdb.gpg: trustdb created
/opt/pakfire/etc/.gnupg/pubring.gpg
-----------------------------------
pub   4096R/D713594B 2018-03-16
uid                  IPFire Pakfire Package Signing Key <pakfire@ipfire.org>

pub   4096R/C8DCE211 2022-03-21
uid                  IPFire Pakfire Package Signing Key <pakfire@ipfire.org>
sub   4096R/24695A3E 2022-03-21

[root@firewall .gnupg]# ls -la
total 12
drwx------ 2 root root   83 Jan 17 09:34 .
drwx------ 3 root root   78 Jan 16 21:45 ..
-rw------- 1 root root 3444 Dec  6 17:11 pubring.gpg
-rw------- 1 root root 1161 Dec  6 16:37 pubring.gpg~
-rw------- 1 root root    0 Jan 17 09:33 secring.gpg
-rw------- 1 root root 1200 Jan 17 09:34 trustdb.gpg

…and pakfire works like a charm:


[root@firewall .gnupg]# pakfire update
server-list.db       100.00% |=============================>|    2.24 KB
packages_list.db     100.00% |=============================>|    4.94 KB
core-list.db         100.00% |=============================>|   903.00 B
[root@firewall .gnupg]# pakfire install  nmap
PAKFIRE RESV: nmap: Resolving dependencies...


PAKFIRE INFO: Packages to install:
PAKFIRE INFO: nmap       - 4.67 MB

PAKFIRE INFO: Total size:        ~ 4.67 MB

PAKFIRE INFO: Is this okay? [y/N]
y
nmap-7.95-19.ipfi... 100.00% |=============================>|    4.63 MB

PAKFIRE INST: nmap: Decrypting...
PAKFIRE INST: nmap: Copying files and running post-installation scripts...
PAKFIRE INST: nmap: Finished.

case closed guys, and again, many thanks for your really precious support!

Ciao,
Fabrizio

4 Likes
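
The two checks that resolved this thread, as an added shell example that is not part of the original posts and is not pakfire's own code: it reduces `gpg --verify --status-fd 1` output to a single verdict and flags a zero-byte trustdb.gpg in a GnuPG home. The function names and verdict strings are hypothetical, the sample status lines are copied from the gpg runs quoted above, and the GnuPG 1.x file layout (pubring.gpg, trustdb.gpg) from the listings is assumed.

```shell
#!/bin/sh
# Added example, not pakfire's own code. Assumes the GnuPG 1.x file layout
# (pubring.gpg, trustdb.gpg) shown in the thread's directory listings.

# Reduce `gpg --verify --status-fd 1` output (stdin) to one verdict line.
classify_gpg_status() {
    awk '
        $1 != "[GNUPG:]"  { next }            # skip human-readable "gpg:" lines
        $2 == "BADSIG"    { bad = $3 }
        $2 == "NO_PUBKEY" { nokey = $3 }
        $2 == "ERRSIG"    { err = $3 }
        $2 == "VALIDSIG"  { valid = $3 }      # field 3 is the full fingerprint
        END {
            if (bad != "")        print "BAD " bad
            else if (nokey != "") print "NO_PUBKEY " nokey
            else if (err != "")   print "ERROR " err
            else if (valid != "") print "VALID " valid
            else                  print "UNVERIFIED"
        }'
}

# Report the first problem found in a GnuPG home directory (hypothetical helper).
check_gnupg_home() {
    home=$1
    if [ ! -d "$home" ]; then echo "MISSING_HOME"; return 1; fi
    if [ ! -s "$home/pubring.gpg" ]; then echo "EMPTY_PUBRING"; return 1; fi
    # Present but zero bytes: the state found in this thread.
    if [ -e "$home/trustdb.gpg" ] && [ ! -s "$home/trustdb.gpg" ]; then
        echo "EMPTY_TRUSTDB"; return 1
    fi
    echo "OK"
}

# Status lines copied from the two gpg runs quoted in the thread.
sample_no_pubkey() {
    printf '%s\n' \
        'gpg: Signature made Thu Jan 16 16:18:52 2025 CET using RSA key ID D713594B' \
        '[GNUPG:] ERRSIG 6FEF7A8ED713594B 1 10 01 1737040732 9' \
        '[GNUPG:] NO_PUBKEY 6FEF7A8ED713594B'
}
sample_valid() {
    printf '%s\n' \
        '[GNUPG:] GOODSIG 6FEF7A8ED713594B IPFire Pakfire Package Signing Key <pakfire@ipfire.org>' \
        '[GNUPG:] VALIDSIG 3ECA8AA4478208B924BB96206FEF7A8ED713594B 2025-01-16 1737040732 0 4 0 1 10 01 3ECA8AA4478208B924BB96206FEF7A8ED713594B' \
        '[GNUPG:] TRUST_FULLY'
}

sample_no_pubkey | classify_gpg_status
sample_valid | classify_gpg_status
```

On a live system the classifier would be fed from `GNUPGHOME=/opt/pakfire/etc/.gnupg gpg --verify --status-fd 1 server-list.db`, and `check_gnupg_home /opt/pakfire/etc/.gnupg` would be run first to catch the empty trustdb.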