Why so late warnings?

Sometimes I really don't understand why some warnings are displayed when it's yet late, when things are practically done. I've been warned that's impossible to install the software when it already reached 100%. About 1 GB tossed on the thrash :rage:.


I don't understand what it means with the solution proposed after the warning though.

Unfortunately, this error is one that probably could have been flagged at the very start of the process.

In this situation, GPG verification is a method of ensuring the downloaded files are whole, in-tact, and have not been tampered with after being published. This is to prevent your computer from attempting to install incomplete, corrupted, or malicious software.

It's saying that it downloaded everything and then tried to verify the GPG signature, only to notice at the last second that there is no such signature.

The problem here is that GPG verification is enabled by default, for very good reasons, so unless this happened to have been some glitch or connection issue that prevented your computer from finding the appropriate GPG signature (which you'd only maybe find out by just trying to install it again) then you cannot install that thing via the software store GUI right now. You will need to edit a config file for the remote server (the place that particular thing is being downloaded from when you click the Install button) so that the software store no longer attempts GPG verification. ONLY DO THIS IF YOU ACCEPT THE RISKS OF INSTALLING CORRUPT OR MALICIOUS SOFTWARE AND INTEND TO IMMEDIATELY UNDO THE CONFIG CHANGE AFTER INSTALLING THIS ONE, SINGLE THING.

As for how to make that config change... I'm sorry, I don't know. I've never had to do it myself, so I've never needed to learn where it is. From a quick online search, you may be able to just add the text gpg-verify=false as a new line at the end of the Flathub file in /etc/flatpak/remotes.d/.

Edit: a nicer solution than manually editing the file would be to run the following commands in a terminal one after the other, not at the same time.

flatpak remote-modify --no-gpg-verify flathub
flatpak update

Then after installing that one thing, undo the change:

flatpak remote-modify --gpg-verify flathub
flatpak update

Disclaimer: I have not attempted this so cannot guarantee it works or is safe.

Sources:

2 Likes
luca@Asus:~$ flatpak remote-modify --no-gpg-verify flathub
luca@Asus:~$ flatpak update
Looking for updates…


        ID                            Branch Op Remote  Download
 1. [✗] com.usebottles.bottles.Locale stable u  flathub   < 1,0 MB (partial)
 2. [✗] org.telegram.desktop          stable u  flathub  < 86,3 MB
 3. [✗] com.usebottles.bottles        stable u  flathub < 148,3 MB

Warning: Can't pull from untrusted non-gpg verified remote
Error: Can't pull from untrusted non-gpg verified remote
Error: Can't pull from untrusted non-gpg verified remote
Updates complete.
error: There were one or more errors

Should I go on anyway?

Yes, try to install that thing from the software store, see if that works.

1 Like

Now the warning was shorter.


Anyway I decided to be creative :grin: and tried a thing:

luca@Asus:~$ flatpak install nexuiz-classic
Looking for matches…
Found ref ‘app/com.alientrap.nexuiz-classic/x86_64/stable’ in remote ‘flathub’ (system).
Use this ref? [Y/n]: Y
Required runtime for com.alientrap.nexuiz-classic/x86_64/stable (runtime/org.freedesktop.Platform/x86_64/21.08) found in remote flathub
Do you want to install it? [Y/n]: Y

Info: runtime org.freedesktop.Platform branch 21.08 is end-of-life, with reason:
   org.freedesktop.Platform 21.08 is no longer receiving fixes and security updates. Please update to a supported runtime version.
Info: applications using this runtime:
   com.alientrap.nexuiz-classic

Info: runtime org.freedesktop.Platform.GL.default branch 21.08 is end-of-life, with reason:
   org.freedesktop.Platform 21.08 is no longer receiving fixes and security updates. Please update to a supported runtime version.
Info: applications using this runtime:
   com.alientrap.nexuiz-classic

com.alientrap.nexuiz-classic permissions:
    network   pulseaudio   x11   devices



        ID                                             Branch            Op           Remote            Download
 1.     org.freedesktop.Platform.GL.default            21.08             i            flathub           < 129,8 MB
 2.     org.freedesktop.Platform.Locale                21.08             i            flathub           < 326,8 MB (partial)
 3.     org.freedesktop.Platform.openh264              2.0               i            flathub             < 1,5 MB
 4.     org.freedesktop.Platform                       21.08             i            flathub           < 202,1 MB
 5.     com.alientrap.nexuiz-classic                   stable            i            flathub           < 884,5 MB

Proceed with these changes to the system installation? [Y/n]:

Should I go on this way to see if it installs or it's not like a normal installation? If it's like downloading a game from the store I can accept it.

Yeah, you can try installing them that way, but it'll probably give you same error about pulling from untrusted remotes.

I have found another potential solution online; try running these three commands one-after-another:

sudo cp /var/lib/flatpak/repo/flathub.trustedkeys.gpg /var/lib/flatpak/repo/flathub.trustedkeys.gpg.bak
wget https://flathub.org/repo/flathub.gpg
sudo cp flathub.gpg /var/lib/flatpak/repo/flathub.trustedkeys.gpg

Source: gnupg - flatpak not working - apparently GPG issue - Stack Overflow

If that doesn't work, you'll probably want to remove the Flathub remote, reboot, add it back, and reboot again.

flatpak remote-delete flathub

reboot

flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo

reboot

Disclaimer: I have no idea if removing and re-adding Flathub like this might break the Zorin OS software store integration.

Sources:

1 Like

Yeah, in fact :point_down.

        ID                                  Branch Op Remote  Download
 1. [✗] org.freedesktop.Platform.GL.default 21.08  i  flathub < 129,8 MB
 2. [✗] org.freedesktop.Platform.Locale     21.08  i  flathub < 326,8 MB (partial)
 3. [✗] org.freedesktop.Platform.openh264   2.0    i  flathub   < 1,5 MB
 4. [✗] org.freedesktop.Platform            21.08  i  flathub < 202,1 MB
 5. [ ] com.alientrap.nexuiz-classic        stable i  flathub < 884,5 MB

Warning: Can't pull from untrusted non-gpg verified remote
Warning: Can't pull from untrusted non-gpg verified remote
Warning: Can't pull from untrusted non-gpg verified remote
Error: Can't pull from untrusted non-gpg verified remote
error: Failed to install org.freedesktop.Platform: Can't pull from untrusted non-gpg verified remote

Also, the procedure you suggested didn't work.

luca@Asus:~$ sudo cp /var/lib/flatpak/repo/flathub.trustedkeys.gpg /var/lib/flatpak/repo/flathub.trustedkeys.gpg.bak
[sudo] password for luca:     
luca@Asus:~$ wget https://flathub.org/repo/flathub.gpg
--2024-07-14 17:56:06--  https://flathub.org/repo/flathub.gpg
Resolution of flathub.org (flathub.org)... 2a04:4e42:4b::347, 199.232.57.91
Connection to flathub.org (flathub.org)|2a04:4e42:4b::347|:443... failed: Connection expired.
Connection to flathub.org (flathub.org)|199.232.57.91|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://dl.flathub.org/repo/flathub.gpg [more]
--2024-07-14 17:58:21-- https://dl.flathub.org/repo/flathub.gpg
Resolution of dl.flathub.org (dl.flathub.org)... 2a04:4e42:7d::347, 146.75.53.91
Connection to dl.flathub.org (dl.flathub.org)|2a04:4e42:7d::347|:443... failed: Connection expired.
Connection to dl.flathub.org (dl.flathub.org)|146.75.53.91|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2844 (2.8K) [application/octet-stream]
Saved in: 'flathub.gpg'

flathub.gpg         100%[===================>]   2,78K  --.-KB/s    in 0,003s  

2024-07-14 18:00:36 (797 KB/s) - ‘flathub.gpg’ saved [2844/2844]

luca@Asus:~$ sudo cp flathub.gpg /var/lib/flatpak/repo/flathub.trustedkeys.gpg
luca@Asus:~$ flatpak install nexuiz-classic
Looking for matches…
Found ref ‘app/com.alientrap.nexuiz-classic/x86_64/stable’ in remote ‘flathub’ (system).
Use this ref? [Y/n]: Y
Required runtime for com.alientrap.nexuiz-classic/x86_64/stable (runtime/org.freedesktop.Platform/x86_64/21.08) found in remote flathub
Do you want to install it? [Y/n]: Y

Info: runtime org.freedesktop.Platform branch 21.08 is end-of-life, with reason:
   org.freedesktop.Platform 21.08 is no longer receiving fixes and security updates. Please update to a supported runtime version.
Info: applications using this runtime:
   com.alientrap.nexuiz-classic

Info: runtime org.freedesktop.Platform.GL.default branch 21.08 is end-of-life, with reason:
   org.freedesktop.Platform 21.08 is no longer receiving fixes and security updates. Please update to a supported runtime version.
Info: applications using this runtime:
   com.alientrap.nexuiz-classic

com.alientrap.nexuiz-classic permissions:
    network     pulseaudio     x11    devices


        ID                                  Branch Op Remote  Download
 1. [✗] org.freedesktop.Platform.GL.default 21.08  i  flathub < 129,8 MB
 2. [✗] org.freedesktop.Platform.Locale     21.08  i  flathub < 326,8 MB (partial)
 3. [✗] org.freedesktop.Platform.openh264   2.0    i  flathub   < 1,5 MB
 4. [✗] org.freedesktop.Platform            21.08  i  flathub < 202,1 MB
 5. [ ] com.alientrap.nexuiz-classic        stable i  flathub < 884,5 MB

Warning: Can't pull from untrusted non-gpg verified remote
Warning: Can't pull from untrusted non-gpg verified remote
Warning: Can't pull from untrusted non-gpg verified remote
Error: Can't pull from untrusted non-gpg verified remote
error: Failed to install org.freedesktop.Platform: Can't pull from untrusted non-gpg verified remote

Now, since it failed, why should I use flatpak remote-delete flathub? It looks like that it will remove all flats that I installed, and I can't, they're mostly GBs and GBs of my games :grimacing:.

Now you've downloaded and copied over the latest GPG file from Flathub, try re-enabling GPG verification with:

flatpak remote-modify --gpg-verify flathub
1 Like

Wow, somehow this worked :astonished:.


But how is it possible? The previous commands that you suggested me failed (giving the same error outputs of the command flatpak install nexuiz-classic, both before and after entering the command flatpak remote-modify --no-gpg-verify flathub), now simply adding the GPG verification back and retrying just worked :face_with_raised_eyebrow:. But glad it did, thanks a lot :smile::handshake:.

It probably wasn't that re-enabling verification made it work, it seems that there was an issue with the Flathub GPG signature saved on your computer somehow. Flathub clearly requires verification, so downloading the latest GPG signature fixed the issue - it just didn't show until after re-enabling verification, at which point your computer actually used that new GPG signature and thus the software could install.

Glad you got it sorted :+1:

1 Like

By chance I found a file named flathub.gpg that has been created (not by me) and it's unreadable (opened with the text editor), do I let it there? Might it be useful again for the same situation? To test the thing I temporarily trashed it and I never saw any problems using GNOME Software, maybe until the next flat download :person_shrugging:.