Problem to install on Arch Linux

[dflvunoooooo]

Maybe I am too stupid to install this app. I downloaded the arch linux packages, verified the signature and tried to install. But it fails with the following errors

loading packages...
error: /home/brian/Downloads/go-hass-agent-7.3.0-1-x86_64.pkg.tar.zst: signature format error
error: GPGME error: No data
error: '/home/brian/Downloads/go-hass-agent-7.3.0-1-x86_64.pkg.tar.zst': invalid or corrupted package (PGP signature)
 -> exit status 1

I tried to install with sudo pacman -U ~/Downloads/go-hass-agent-7.3.0-1-x86_64.pkg.tar.zst.

[joshuar]

Hey that is odd. I don't use Arch but I know other users are and have got the agent working. I wonder if something happened to the file you downloaded? Can you try verifying the file:

1. Install cosign with pacman -S cosign
2. Download the public key from the repo with curl -L -O https://github.com/joshuar/go-hass-agent/raw/main/cosign.pub
3. Download the signature for the arch package with curl -L -O https://github.com/joshuar/go-hass-agent/releases/download/v7.3.0/go-hass-agent-7.3.0-1-x86_64.pkg.tar.zst.sig
4. Verify the arch package with cosign verify-blob --key cosign.pub --signature go-hass-agent-*.zst.sig go-hass-agent-*.zst

Make sure the package file, signature file and public key are all in the same directory. Or specify the paths in the cosign command (Step 4).

If you don't get a Verified OK output after running the cosign command, something is wrong with the arch package you downloaded. You could try downloading it again.

I just spun up an Arch virtual machine and tried installing the arch package and it seems to work for me, the agent opens the UI window for entering registration details.

I'm not sure if there is a way to get more info from the pacman installation command if the above fails?

[dflvunoooooo]

Thank you for your answer! It is working in your VM? And you installed it with sudo pacman -U go-hass-agent-7.3.0-1-x86_64.pkg.tar.zst? Very strange.

I did all four steps, verification resulted with Verified OK. Installation still fails. I have no problem to download and install other packages. Just tried it from the arch linux archive. The error indicates, that there is something wrong with the signature file. You can not get more information, but look in the log. I will dig in pacman.

[dflvunoooooo]

It was a problem with the signature file. After deleting go-hass-agent-7.3.0-1-x86_64.pkg.tar.zst.sig pacman didn't complain and intalled it. I don't know why this happened. In the pacman config under /etc/pacman.conf there are two options SigLevel and LocalFileSigLevel. In my case it was LocalFileSigLevel = Optional. So after deleting the signature file, pacman did install it.

Thank you for your help! And trying it on another arch machine.

[joshuar]

Awesome that it is now working somewhat! I think the problem here is that pacman is expecting a PGP key, while I am using a different method for signing, with different keys. However, it seems they all share the same file extension and so pacman is getting confused and claiming the package is invalid/corrupted.

It might be that you can change the package verification on pacman command-line as a one-time for installing the agent? Then you won't have to change your general pacman configuration for all other packages, hopefully. You can always follow the steps above to verify the agent package independently for each release if desired.

I'll look into whether there is better integration for Arch users with the signing process I am using. Or at the very least, some more documentation if needed to describe the above. TIL I learned a bunch more signing/verification knowledge!

[dflvunoooooo]

Ah, that may be the case. Yes pacman will look for a .tar.zst.sig file and try to verify the package with that.

I think you can only change the pacman behaviour in the pacman settings, but I am not sure. But the standard is, to verify with pacman downloaded packages always and local files if there is a file. So verifying with cosign and deleting the .sig file before installation is alright.

On the other hand, if signing with PGP is not a big bother for you. Then one wouldn't have to use cosign, since pacman will check automatically.

[joshuar]

Thanks for the details on pacman signing! Hmm, so I might defer on this for now. A long term solution here would be to get the agent in the package repositories for the distributions, so you could just do a pacman -S go-hass-agent or dnf install go-hass-agent etc., no URL, no signing shenanigans. That is a longer term goal for me though.

[dflvunoooooo]

That is, of cause, the best solution. Until the packages is in the repo, verifying with cosign, deleting the .sig file and installing with pacman does work. In case someone else stumbles about this problem too.