Archlinux-keyring failed service in systemctl

I remember that 4 days ago there was a little archlinux keyring update in pamac to download.

I checked my system today with:
systemctl --failed

  UNIT                               LOAD   ACTIVE SUB    DESCRIPTION                               
● archlinux-keyring-wkd-sync.service loaded failed failed Refresh existing keys of archlinux-keyring

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
1 loaded units listed.

And since I'm using Manjaro, it's the first time that this command (system check) showed a failed service.

Should I just ignore it, or should I better just upgrade my system with the newest stable release kernel that is available today (possibly fixed already?). Or is it better to fix it manually before I do a stable release update?

inxi --admin --verbosity=7 --filter --no-host --width:

System:
  Kernel: 5.15.74-3-MANJARO arch: x86_64 bits: 64 compiler: gcc v: 12.2.0
    parameters: BOOT_IMAGE=/vmlinuz-5.15-x86_64
    root=UUID=eb235aa7-d461-413d-800e-ea57385703fb rw quiet apparmor=1
    retbleed=off security=apparmor
    resume=UUID=a44dd3c4-f5f1-4587-8934-6f7413d28d4f udev.log_priority=3
  Desktop: KDE Plasma v: 5.25.5 tk: Qt v: 5.15.6 wm: kwin_x11 vt: 1 dm: SDDM
    Distro: Manjaro Linux base: Arch Linux
Machine:
  Type: Desktop System: Gigabyte product: Z170X-UD3 v: N/A
    serial: <superuser required>
  Mobo: Gigabyte model: Z170X-UD3-CF v: x.x serial: <superuser required>
    UEFI-[Legacy]: American Megatrends v: F23d date: 12/01/2017
Memory:
  RAM: total: 15.58 GiB used: 8.2 GiB (52.7%)
  RAM Report: permissions: Unable to run dmidecode. Root privileges
    required.
CPU:
  Info: model: Intel Core i7-6700K bits: 64 type: MT MCP arch: Skylake-S
    gen: core 6 level: v3 note: check built: 2015 process: Intel 14nm family: 6
    model-id: 0x5E (94) stepping: 3 microcode: 0xF0
  Topology: cpus: 1x cores: 4 tpc: 2 threads: 8 smt: enabled cache:
    L1: 256 KiB desc: d-4x32 KiB; i-4x32 KiB L2: 1024 KiB desc: 4x256 KiB
    L3: 8 MiB desc: 1x8 MiB
  Speed (MHz): avg: 4500 high: 4501 min/max: 800/4700 scaling:
    driver: intel_pstate governor: performance cores: 1: 4500 2: 4500 3: 4500
    4: 4500 5: 4500 6: 4500 7: 4500 8: 4501 bogomips: 64026
  Flags: 3dnowprefetch abm acpi adx aes aperfmperf apic arat
    arch_capabilities arch_perfmon art avx avx2 bmi1 bmi2 bts clflush
    clflushopt cmov constant_tsc cpuid cpuid_fault cx16 cx8 de ds_cpl dtes64
    dtherm dts ept ept_ad erms est f16c flexpriority flush_l1d fma fpu
    fsgsbase fxsr ht hwp hwp_act_window hwp_epp hwp_notify ibpb ibrs ida
    intel_pt invpcid invpcid_single lahf_lm lm mca mce md_clear mmx monitor
    movbe mpx msr mtrr nonstop_tsc nopl nx pae pat pbe pcid pclmulqdq pdcm
    pdpe1gb pebs pge pln pni popcnt pse pse36 pti pts rdrand rdseed rdtscp
    rep_good sdbg sep smap smep ss ssbd sse sse2 sse4_1 sse4_2 ssse3 stibp
    syscall tm tm2 tpr_shadow tsc tsc_adjust tsc_deadline_timer vme vmx vnmi
    vpid x2apic xgetbv1 xsave xsavec xsaveopt xsaves xtopology xtpr
  Vulnerabilities:
  Type: itlb_multihit status: KVM: VMX disabled
  Type: l1tf mitigation: PTE Inversion; VMX: conditional cache flushes, SMT
    vulnerable
  Type: mds mitigation: Clear CPU buffers; SMT vulnerable
  Type: meltdown mitigation: PTI
  Type: mmio_stale_data mitigation: Clear CPU buffers; SMT vulnerable
  Type: retbleed status: Vulnerable
  Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via
    prctl and seccomp
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer
    sanitization
  Type: spectre_v2 mitigation: Retpolines, IBPB: conditional, IBRS_FW,
    STIBP: conditional, RSB filling, PBRSB-eIBRS: Not affected
  Type: srbds mitigation: Microcode
  Type: tsx_async_abort mitigation: TSX disabled
Graphics:
  Device-1: NVIDIA TU102 [GeForce RTX 2080 Ti Rev. A] vendor: Micro-Star MSI
    driver: nvidia v: 520.56.06 alternate: nouveau,nvidia_drm non-free: 515.xx+
    status: current (as of 2022-10) arch: Turing code: TUxxx
    process: TSMC 12nm built: 2018-22 pcie: gen: 1 speed: 2.5 GT/s lanes: 16
    link-max: gen: 3 speed: 8 GT/s bus-ID: 01:00.0 chip-ID: 10de:1e07
    class-ID: 0300
  Display: x11 server: X.Org v: 21.1.4 compositor: kwin_x11 driver: X:
    loaded: nvidia gpu: nvidia display-ID: :0 screens: 1
  Screen-1: 0 s-res: 2560x1440 s-dpi: 122 s-size: 532x302mm (20.94x11.89")
    s-diag: 612mm (24.08")
  Monitor-1: DP-4 res: 2560x1440 dpi: 123 size: 527x296mm (20.75x11.65")
    diag: 604mm (23.8") modes: N/A
  OpenGL: renderer: NVIDIA GeForce RTX 2080 Ti/PCIe/SSE2 v: 4.6.0 NVIDIA
    520.56.06 direct render: Yes
Audio:
  Device-1: Intel 100 Series/C230 Series Family HD Audio vendor: Gigabyte
    driver: snd_hda_intel v: kernel bus-ID: 00:1f.3 chip-ID: 8086:a170
    class-ID: 0403
  Device-2: NVIDIA TU102 High Definition Audio vendor: Micro-Star MSI
    driver: snd_hda_intel v: kernel pcie: gen: 3 speed: 8 GT/s lanes: 16
    bus-ID: 01:00.1 chip-ID: 10de:10f7 class-ID: 0403
  Device-3: Creative Labs Sound Core3D [Sound Blaster Recon3D / Z-Series]
    driver: snd_hda_intel v: kernel pcie: gen: 1 speed: 2.5 GT/s lanes: 1
    bus-ID: 0b:00.0 chip-ID: 1102:0012 class-ID: 0403
  Sound API: ALSA v: k5.15.74-3-MANJARO running: yes
  Sound Server-1: JACK v: 1.9.21 running: no
  Sound Server-2: PulseAudio v: 16.1 running: yes
  Sound Server-3: PipeWire v: 0.3.58 running: yes
Network:
  Device-1: Intel Ethernet I219-V vendor: Gigabyte driver: e1000e v: kernel
    port: N/A bus-ID: 00:1f.6 chip-ID: 8086:15b8 class-ID: 0200
  IF: enp0s31f6 state: up speed: 1000 Mbps duplex: full mac: <filter>
  IP v4: <filter> type: dynamic noprefixroute scope: global
    broadcast: <filter>
  IP v6: <filter> type: noprefixroute scope: link
  WAN IP: <filter>
Bluetooth:
  Message: No bluetooth data found.
Logical:
  Message: No logical block device data found.
RAID:
  Message: No RAID data found.
Drives:
  Local Storage: total: 4.57 TiB used: 92.79 GiB (2.0%)
  SMART Message: Unable to run smartctl. Root privileges required.
  ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Samsung model: SSD 960 EVO 500GB
    size: 465.76 GiB block-size: physical: 512 B logical: 512 B speed: 31.6 Gb/s
    lanes: 4 type: SSD serial: <filter> rev: 2B7QCXE7 temp: 24.9 C scheme: GPT
  ID-2: /dev/sda maj-min: 8:0 vendor: Samsung model: SSD 860 PRO 1TB
    size: 953.87 GiB block-size: physical: 512 B logical: 512 B speed: 6.0 Gb/s
    type: SSD serial: <filter> rev: 2B6Q scheme: MBR
  ID-3: /dev/sdb maj-min: 8:16 vendor: HGST (Hitachi) model: HDN724030ALE640
    size: 2.73 TiB block-size: physical: 4096 B logical: 512 B speed: 6.0 Gb/s
    type: HDD rpm: 7200 serial: <filter> rev: A5E0 scheme: GPT
  ID-4: /dev/sdc maj-min: 8:32 type: USB vendor: Samsung model: Portable SSD
    T5 size: 465.76 GiB block-size: physical: 512 B logical: 512 B type: SSD
    serial: <filter> scheme: MBR
  Message: No optical or floppy data found.
Partition:
  ID-1: / raw-size: 88.61 GiB size: 86.66 GiB (97.80%) used: 24.6 GiB (28.4%)
    fs: ext4 dev: /dev/sdc1 maj-min: 8:33 label: N/A
    uuid: eb235aa7-d461-413d-800e-ea57385703fb
  ID-2: /boot raw-size: 200 MiB size: 188.2 MiB (94.09%) used: 66.8 MiB
    (35.5%) fs: ext3 dev: /dev/sdc3 maj-min: 8:35 label: N/A
    uuid: 26eda82e-b403-49b8-abca-202167417020
  ID-3: /home raw-size: 332.03 GiB size: 325.75 GiB (98.11%) used: 22.3 GiB
    (6.8%) fs: ext4 dev: /dev/sdc4 maj-min: 8:36 label: N/A
    uuid: ada4a6a2-bd0a-4652-b386-7c637bba7ee9
  ID-4: /media/temp raw-size: 63.48 GiB size: 62.18 GiB (97.96%) used: 45.78
    GiB (73.6%) fs: ext4 dev: /dev/sdb1 maj-min: 8:17 label: temp
    uuid: 1e81b7c2-3438-438a-b572-ff8a966a78e1
Swap:
  Kernel: swappiness: 10 (default 60) cache-pressure: 100 (default)
  ID-1: swap-1 type: partition size: 2.93 GiB used: 57.5 MiB (1.9%)
    priority: -2 dev: /dev/sdc2 maj-min: 8:34 label: N/A
    uuid: a44dd3c4-f5f1-4587-8934-6f7413d28d4f
Unmounted:
  ID-1: /dev/nvme0n1p1 maj-min: 259:1 size: 442.47 GiB fs: ntfs label: ssm
    uuid: AE7EDC0696B158FD
  ID-2: /dev/sda1 maj-min: 8:1 size: 50 MiB fs: ntfs
    label: System-reserviert uuid: B2286A122869D5BF
  ID-3: /dev/sda2 maj-min: 8:2 size: 293.16 GiB fs: ntfs label: win10
    uuid: 5E60C09860C077F3
  ID-4: /dev/sda3 maj-min: 8:3 size: 515 MiB fs: ntfs label: N/A
    uuid: 20E8D914E8D8E954
  ID-5: /dev/sda4 maj-min: 8:4 size: 585.94 GiB fs: ntfs label: games
    uuid: 165692E31D7ADAF2
  ID-6: /dev/sdb2 maj-min: 8:18 size: 1.57 TiB fs: <superuser required>
    label: N/A uuid: N/A
  ID-7: /dev/sdb3 maj-min: 8:19 size: 1.09 TiB fs: <superuser required>
    label: N/A uuid: N/A
USB:
  Hub-1: 1-0:1 info: Hi-speed hub with single TT ports: 16 rev: 2.0
    speed: 480 Mb/s chip-ID: 1d6b:0002 class-ID: 0900
  Device-1: 1-9:2 info: Endor AG ClubSportPedal type: HID
    driver: hid-generic,usbhid interfaces: 1 rev: 2.0 speed: 12 Mb/s
    power: 100mA chip-ID: 0eb7:183b class-ID: 0300
  Device-2: 1-13:3 info: A4Tech XL-730K / XL-750BK XL-755BK Mice
    type: Keyboard,Mouse driver: hid-generic,usbhid interfaces: 2 rev: 1.1
    speed: 12 Mb/s power: 100mA chip-ID: 09da:9090 class-ID: 0301
  Hub-2: 2-0:1 info: Super-speed hub ports: 10 rev: 3.0 speed: 5 Gb/s
    chip-ID: 1d6b:0003 class-ID: 0900
  Device-1: 2-5:2 info: Samsung Portable SSD T5 type: Mass Storage
    driver: uas interfaces: 1 rev: 3.1 speed: 5 Gb/s power: 896mA
    chip-ID: 04e8:61f5 class-ID: 0806 serial: <filter>
  Hub-3: 3-0:1 info: Hi-speed hub with single TT ports: 2 rev: 2.0
    speed: 480 Mb/s chip-ID: 1d6b:0002 class-ID: 0900
  Hub-4: 4-0:1 info: Super-speed hub ports: 4 rev: 3.1 speed: 10 Gb/s
    chip-ID: 1d6b:0003 class-ID: 0900
  Hub-5: 5-0:1 info: Hi-speed hub with single TT ports: 2 rev: 2.0
    speed: 480 Mb/s chip-ID: 1d6b:0002 class-ID: 0900
  Hub-6: 6-0:1 info: Super-speed hub ports: 2 rev: 3.1 speed: 10 Gb/s
    chip-ID: 1d6b:0003 class-ID: 0900
Sensors:
  System Temperatures: cpu: 51.0 C mobo: N/A gpu: nvidia temp: 31 C
  Fan Speeds (RPM): N/A gpu: nvidia fan: 25%
Info:
  Processes: 247 Uptime: 2d 1h 6m wakeups: 1 Init: systemd v: 251
  default: graphical tool: systemctl Compilers: gcc: 12.2.0 clang: 14.0.6
  Packages: 1464 pm: pacman pkgs: 1459 libs: 414 tools: pamac pm: flatpak
  pkgs: 5 Shell: Bash v: 5.1.16 running-in: konsole inxi: 3.3.22

See:

I saw this already closed topic before… but I really don't see the answer for me there.

I don't have a bug in the journal, just in the systemctl service… I also don't understand the solved message,
I have absolutely no idea what he is talking about; I don't see a clear answer for me, he is talking cryptically.

All I know is there is a service with a failed loading error and I never had something like this before.

It’s good you investigate, but IMO the failure of this particular service/timer is not critical and does not affect your machine, as long as all pamac key checks for packages (new installs or updates) are ok. If your pacman’s config is the default RemoteFileSigLevel = Required, packages are checked against the archlinux-keys. If there happens to be an outdated key, verification will noticeably fail and the upgrade is aborted. That part is important for your system.

The service which fails tries to eliminate cases of marginal trust with recently updated keys, by performing updates in the background, i.e. while you don’t update the system interactively (which would update the archlinux-keyring like the timer already did). See the script’s documentation.

What happens with the status after you do a systemctl restart archlinux-keyring-wkd-sync.service?

Thank you for your detailed answer.

[koboldx@koboldx-z170 ~]$ systemctl restart archlinux-keyring-wkd-sync.service
[koboldx@koboldx-z170 ~]$ systemctl --failed
  UNIT LOAD ACTIVE SUB DESCRIPTION
0 loaded units listed.
systemctl status archlinux-keyring-wkd-sync.service
× archlinux-keyring-wkd-sync.service - Refresh existing keys of archlinux-keyring
     Loaded: loaded (/usr/lib/systemd/system/archlinux-keyring-wkd-sync.service; static)
     Active: failed (Result: exit-code) since Wed 2022-11-02 19:20:58 CET; 5min ago
   Duration: 30.610s
TriggeredBy: ● archlinux-keyring-wkd-sync.timer
    Process: 1122205 ExecStart=/usr/bin//archlinux-keyring-wkd-sync (code=exited, status=2)
   Main PID: 1122205 (code=exited, status=2)
        CPU: 1.360s

Nov 02 19:20:58 koboldx-z170 archlinux-keyring-wkd-sync[1122205]: Skipping key FF40BDC4E11136D2CF6604E1A3E2143E7E158726 with UID nitram.robits@protonmail.com...
Nov 02 19:20:58 koboldx-z170 archlinux-keyring-wkd-sync[1122205]: Skipping key A35085A5C16DB631D00AC4E6514C16D183F75F09 with UID jacobcantele@protonmail.com...
Nov 02 19:20:58 koboldx-z170 archlinux-keyring-wkd-sync[1122205]: Skipping key 5C251B5FC54EB2F80F407AAAC54CA336CFEB557E with UID zbyszek@in.waw.pl...
Nov 02 19:20:58 koboldx-z170 archlinux-keyring-wkd-sync[1122205]: Skipping key 3A24BC1E8FB409FA9F14371813FCEF89DD9E3C4F with UID nickc@redhat.com...
Nov 02 19:20:58 koboldx-z170 archlinux-keyring-wkd-sync[1122205]: Refreshing key B8151B117037781095514CA7BBDFFC92306B1121 with UID andrew@archlinux.org...
Nov 02 19:20:58 koboldx-z170 archlinux-keyring-wkd-sync[1122399]: gpg: error retrieving 'andrew@archlinux.org' via WKD: No data
Nov 02 19:20:58 koboldx-z170 archlinux-keyring-wkd-sync[1122399]: gpg: error reading key: No data
Nov 02 19:20:58 koboldx-z170 systemd[1]: archlinux-keyring-wkd-sync.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Nov 02 19:20:58 koboldx-z170 systemd[1]: archlinux-keyring-wkd-sync.service: Failed with result 'exit-code'.
Nov 02 19:20:58 koboldx-z170 systemd[1]: archlinux-keyring-wkd-sync.service: Consumed 1.360s CPU time.

This is the same error as in the other thread. AFAIK Andrew’s key expired in August and is not part of the current archlinux-keyring - what’s the version of the package on your system? You likely still find him listed in it (pacman-key -l andrew@a), and that’s why the service fails.

I have absolutely no idea what you are talking about.

I have archlinux-keyring version 20220927-1
and Packager Christian Hesse
Build Date 09.27

Ok, archlinux-keyring version 20220927-1 is up to date.
My point is that the gpg key which appears in your error log should not be in the keyring with that version anymore. So, it is odd that the error still appears on your system. To check yourself, list keys:

$ pacman-key -l andrew@a
gpg: Note: trustdb not writable
gpg: error reading key: No public key
==> ERROR: A specified key could not be listed.

That’s the output on my system, where the script you investigate works.

I have this:

pacman-key -l andrew@a
gpg: Note: trustdb not writable
pub   rsa2048 2017-06-04 [SC] [expired: 2019-06-04]
      B8151B117037781095514CA7BBDFFC92306B1121
uid           [ expired] Andrew Gregory (pacman) <andrew@archlinux.org>

See, that key is creating the error until the script itself is changed upstream. Although we still don’t know why it’s not present on my keyring, you have three options with regard to the failing service:

  1. You ignore the warning and let it fail until upstream Arch is updating or removing the script,

  2. you run systemctl disable the service for the time being (as it’s not critical to run, as long as you perform the regular full updates), or

  3. you edit the keyring (man pacman-key), exporting the expired key and deleting it in the keyring.

Sorry, English is not my native language.
Do you mean that with the next keyring update, it's maybe possible that this error vanishes anyway?

If this keyring file is not unique, would an easier way be to copy and replace the file from another PC?

I have a laptop here with Manjaro KDE also, where I don't have this problem.

When Arch upstream adjusts the script that produces the error, the error will vanish.

No, that’s hacking around the provided tools with the risk of screwing up your system for a bogus error message.

FYI: Script changes in progress …

https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/202

Hmm, what does it mean? Will a hotfix be released soon?

It’s already on your system, if you updated it. Try it:
sudo systemctl restart archlinux-keyring-wkd-sync.service
does it still fail or not?
(edit: archlinux-keyring 20221110-1 contains the referred-to commit)

Yes, there were some changes, but I'm not so sure if this is really a final fix… because something looks a little bit off: the expired key is still there and it doesn't look like the output on your system:

pacman-key -l andrew@a
gpg: Note: trustdb not writable
pub   rsa2048 2017-06-04 [SC] [expired: 2019-06-04]
      B8151B117037781095514CA7BBDFFC92306B1121
uid           [ expired] Andrew Gregory (pacman) <andrew@archlinux.org>

Nope, it no longer fails.

Edit

That's the new status:

systemctl status archlinux-keyring-wkd-sync.service
○ archlinux-keyring-wkd-sync.service - Refresh existing keys of archlinux-keyring
     Loaded: loaded (/usr/lib/systemd/system/archlinux-keyring-wkd-sync.service; static)
     Active: inactive (dead)
TriggeredBy: ● archlinux-keyring-wkd-sync.timer

Alright, fixed then. Inactive means it has run and will do so again (weekly).

It is absolutely no problem that the expired key is still in your keyring. It is expired, pacman will reject a package signed with it. Ok?

Edit: Imagine you did not use the machine for some time. During this time an update of archlinux-keyring removed said key. Now you update the machine, but the subsequent archlinux-keyring update will not remove it again (which might prompt warnings for everyone updating regularly). Hence, it remains (expired) in the keyring. To ensure such inconsistencies of skipping updates don’t mess up your update, the active keys get updated via this service once a week.

All right, thanks for your time.

Who needs patches when there is sed

sudo sed -i \
         -e '40i error=0' \
         -e '$a \\nexit ${error}' \
         -e 's/\("${gpg_locate_external\[@\]}" "${fpr_email\[1\]}"\)/\1 || let ++error/' \
         /usr/bin/archlinux-keyring-wkd-sync
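
The diagnosis done by hand earlier in this thread (find the key whose WKD lookup makes the service exit non-zero, then confirm that the key is expired) can be scripted. The following is an added example, not part of the original thread or of archlinux-keyring; the function names and sample input are hypothetical, and the journal line format is assumed from the log quoted above.

```shell
#!/bin/sh
# Added example: triage a failed archlinux-keyring-wkd-sync run from its journal.
# The line formats are assumed from the log output quoted in this thread.

# stdin: journal lines; stdout: "<fingerprint> <uid> <gpg reason>" per failed key
wkd_failures() {
    awk '
        / Refreshing key / {
            for (i = 1; i < NF; i++) if ($i == "key") fpr = $(i + 1)
            uid = $NF; sub(/\.\.\.$/, "", uid)
            pending[uid] = fpr          # remember which key each lookup is for
        }
        /gpg: error retrieving / {
            if (split($0, q, "\047") < 3) next   # the UID sits between quotes
            reason = $0; sub(/.*via WKD: /, "", reason)
            if (q[2] in pending) print pending[q[2]], q[2], reason
        }'
}

# stdin: `gpg --with-colons --list-keys` output for one key.
# Field 2 of the pub record is "e" when the primary key has expired.
key_state() {
    awk -F: '$1 == "pub" { print ($2 == "e" ? "expired" : "not-expired"); exit }'
}

# Constructed sample: the failing lookup from the thread plus two made-up keys.
sample_journal() {
cat <<'EOF'
Nov 02 19:20:57 host archlinux-keyring-wkd-sync[100]: Skipping key 0000000000000000000000000000000000000001 with UID skipped@example.org...
Nov 02 19:20:57 host archlinux-keyring-wkd-sync[100]: Refreshing key 0000000000000000000000000000000000000002 with UID ok@example.org...
Nov 02 19:20:58 host archlinux-keyring-wkd-sync[100]: Refreshing key B8151B117037781095514CA7BBDFFC92306B1121 with UID andrew@archlinux.org...
Nov 02 19:20:58 host archlinux-keyring-wkd-sync[101]: gpg: error retrieving 'andrew@archlinux.org' via WKD: No data
Nov 02 19:20:58 host archlinux-keyring-wkd-sync[101]: gpg: error reading key: No data
EOF
}

# Constructed colon record for the expired key (timestamps are placeholders).
sample_colons() {
    printf '%s\n' 'pub:e:2048:1:BBDFFC92306B1121:0:0::-:::sc:'
}

sample_journal | wkd_failures
sample_colons | key_state
# On a live system (both commands are read-only):
#   journalctl -u archlinux-keyring-wkd-sync.service --no-pager | wkd_failures
#   gpg --homedir /etc/pacman.d/gnupg --with-colons --list-keys <fingerprint> | key_state
```

A failed lookup that maps to an expired key matches the situation described in this thread, where the expired key stays in the keyring and pacman rejects packages signed with it.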
