5

I have had some problems installing packages with tlmgr for the past two weeks. I'm not using TeX Live, but TinyTeX. When I try to install a package, I get errors like the following:

sudo tlmgr install tcolorbox
query_ctan_mirror: Programs not set up, trying wget
cannot contact mirror.ctan.org, returning a backbone server!

tlmgr: verification of checksum for http://www.ctan.org/tex-archive/systems/texlive/tlnet failed: cryptographic signature verification of
  /tmp/LyMLZ8jFA1/EC2vcQRbQR
against
  http://www.ctan.org/tex-archive/systems/texlive/tlnet/tlpkg/texlive.tlpdb.sha512.asc
failed. Output was:
gpg: Signature made Tue Dec  3 00:55:21 2019 UTC using RSA key ID 19438C70
gpg: BAD signature from "TeX Live Distribution <tex-live@tug.org>"

Please try from a different mirror and/or wait a few minutes
and try again; usually this is because of transient updates.
If problems persist, feel free to report to texlive@tug.org.

Perhaps I could reinstall TinyTeX, but I'm afraid that if it doesn't work, I won't be able to use my LaTeX system anymore. Perhaps the problem is the following: I changed my Linux distribution and didn't reinstall TinyTeX, because TinyTeX is entirely in my home folder. With my new Linux distribution, GnuPG version 1 is the default; before, it was GnuPG version 2.

Thank you for your help.

  • Probably unrelated, but why is this going directly against www.ctan.org? Wouldn't you normally get data from a mirror instead of straining the main CTAN site? – daleif Dec 03 '19 at 08:31

2 Answers

3

Thank you for your comment! The reason I was using www.ctan.org is that when I began managing my TeX system with tlmgr, it worked without specifying a mirror. When I specify a mirror, for example:

sudo tlmgr info tcolorbox --repository http://ftp.fau.de/ctan/systems/texlive/tlnet/

it works without problems. I still don't know the problem, but it's solved!

1

Another option is to bypass the verification of the signatures, with the --verify-repo=none option. According to tlmgr's manual,

--verify-repo=[none|main|all]

Defines the level of verification done: If "none" is specified, no verification whatsoever is done. If "main" is given and a working GnuPG ("gpg") binary is available, all repositories are checked, but only the main repository is required to be signed. If "all" is given, then all repositories need to be signed. See "CRYPTOGRAPHIC VERIFICATION" below for details.

Note that this is a potential security risk, as you are not checking if the server has not been corrupted / compromised.

Clément
  • 5,591
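The check that `--verify-repo` controls can also be repeated by hand before deciding to switch it off. The following is an added example, not part of either answer or of tlmgr itself. It assumes that texlive.tlpdb, texlive.tlpdb.sha512 and texlive.tlpdb.sha512.asc from the repository's tlpkg/ directory were downloaded into one directory, that the digest is the first field of the .sha512 file, and that the second argument names a GnuPG home directory holding the TeX Live signing key; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: repeat by hand the two checks behind the tlmgr error above.
# DIR holds texlive.tlpdb, texlive.tlpdb.sha512 and texlive.tlpdb.sha512.asc.

# Step 1: the database must hash to the digest in texlive.tlpdb.sha512.
# Assumption: the digest is the first whitespace-separated field of that file.
check_tlpdb_digest() {
    dir=$1
    want=$(awk 'NR==1 {print $1}' "$dir/texlive.tlpdb.sha512") || return 2
    have=$(sha512sum "$dir/texlive.tlpdb" | awk '{print $1}')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Map GnuPG machine-readable status lines to one word.
# BADSIG is tested first so that a bad signature can never be reported as good.
classify_gpg_status() {
    case $1 in
        *"[GNUPG:] BADSIG"*)    echo bad ;;
        *"[GNUPG:] NO_PUBKEY"*) echo nokey ;;
        *"[GNUPG:] GOODSIG"*)   echo good ;;
        *)                      echo error ;;
    esac
}

# Step 2: the digest file must carry a good detached signature.
# GPGHOME is an assumption: a keyring directory that holds the signing key.
check_tlpdb_signature() {
    dir=$1
    gpghome=$2
    status=$(gpg --homedir "$gpghome" --batch --status-fd 1 \
        --verify "$dir/texlive.tlpdb.sha512.asc" \
                 "$dir/texlive.tlpdb.sha512" 2>/dev/null)
    classify_gpg_status "$status"
}

# Usage: sh verify-tlpdb.sh DIR GPGHOME
if [ "$#" -eq 2 ]; then
    if check_tlpdb_digest "$1"; then
        echo "digest: match"
    else
        echo "digest: MISMATCH"
    fi
    echo "signature: $(check_tlpdb_signature "$1" "$2")"
fi
```

A result of `bad` or a digest mismatch from one mirror together with `good` and a match from another points at the first mirror being mid-update, which is the transient case the tlmgr message mentions.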