Archlinux keyring fails to update

Support System Updates
1

Updater says 4 new packages available. Cant update due to bad keys. Did some forum hunting and followed advice:

Step 1. sudo pacman-mirrors -f 5
Step 2. sudo pacman-key --init
Step 3. sudo pacman -S manjaro-keyring archlinux-keyring
Step 4. sudo pacman-key --populate manjaro archlinux

Step 1 and 2 worked. Failed at Step 3 with the following error:

error: archlinux-keyring: signature from “Christian Hesse eworm@archlinux.org” is unknown trust
:: File /var/cache/pacman/pkg/archlinux-keyring-20240609-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

Not sure what my next steps are. Please advise.
Thanks.

2

The following approach has worked for me in the past:

1. Remove old (and possibly broken) keys by entering this command:

sudo rm -r /etc/pacman.d/gnupg 

2. Reinstall keyrings including the latest keys:

sudo pacman -Sy gnupg archlinux-keyring manjaro-keyring

3. Initialize the pacman keyring:

sudo pacman-key --init 

4. Load the signature keys:

sudo pacman-key --populate archlinux manjaro 

5. Refresh and update the signature keys:

sudo pacman-key --refresh-keys 

6. Clear out the software packages downloaded during the aborted installation (optional):

sudo pacman -Sc
1 Like
3
1 Like
4

Your steps listed do not work. Step 2 errors out.

5

Use the linked script and set the aggressive flag.

6

This link shows two solutions:

I tried Solution 1 first and it failed. I tried solution #2 and it failed at this step: sudo pacman -Sy gnupg archlinux-keyring manjaro-keyring

The failure is as follows:

sudo pacman -Sy gnupg archlinux-keyring manjaro-keyring                                                                          ✔ 
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 multilib is up to date
warning: gnupg-2.4.5-1 is up to date -- reinstalling
warning: archlinux-keyring-20240609-1 is up to date -- reinstalling
warning: manjaro-keyring-20230719-2 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (3) archlinux-keyring-20240609-1  gnupg-2.4.5-1  manjaro-keyring-20230719-2

Total Download Size:    3.84 MiB
Total Installed Size:  11.38 MiB
Net Upgrade Size:       1.66 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages...
 archlinux-keyring-20240609-1-any                         1193.9 KiB  2.46 MiB/s 00:00 [--------------------------------------------------] 100%
 gnupg-2.4.5-1-x86_64                                        2.7 MiB  4.81 MiB/s 00:01 [--------------------------------------------------] 100%
 Total (2/2)                                                 3.8 MiB  6.37 MiB/s 00:01 [--------------------------------------------------] 100%
(3/3) checking keys in keyring                                                         [--------------------------------------------------] 100%
downloading required keys...
:: Import PGP key 9B7A287D9A2EC608, "David Runge <dvzrv@archlinux.org>"? [Y/n] y
:: Import PGP key 6D42BDD116E0068F, "Christian Hesse <eworm@archlinux.org>"? [Y/n] y
(3/3) checking package integrity                                                       [--------------------------------------------------] 100%
error: gnupg: signature from "David Runge <dvzrv@archlinux.org>" is unknown trust
:: File /var/cache/pacman/pkg/gnupg-2.4.5-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: archlinux-keyring: signature from "Christian Hesse <eworm@archlinux.org>" is unknown trust
:: File /var/cache/pacman/pkg/archlinux-keyring-20240609-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.

Moderator edit: In the future, please use proper formatting: [HowTo] Post command output and file content as formatted text

7

Thanks for the info. So I can just paste the following 2 lines at the command prompt?

export URL=“https://notabug.org/megavolt/random-scripts/raw/master/fix-gpg-pacman.sh

bash <(curl -s “$URL”) --aggressive

8

If everything fails, as the signatures are from archlinux.org members you can install keyrings without checking signature trust:

9

If have a bit more time, you could start with basic and work your way up to aggressive.

I would not update the keys from the servers, when your asked by the script.

And don’t follow the tip above and blindly disable PGP signatures.

10

First, thanks for your help. The summary is I found a way to get my system updated, but I don’t think I solved the original problem.

Here is a summary of what I did.

Step #1. Run the script with --basic. This failed with the following error:

[INFO] Performing a full upgrade with pacman
[QUESTION] Do you want to continue? [Yy/Nn] (Be aware that a full upgrade needs enough ram on a live session)
> [Yy/Nn] y
[sudo] password for mezzo: 
:: Synchronizing package databases...
 core                                                                    140.0 KiB   371 KiB/s 00:00 [------------------------------------------------------------] 100%
 extra                                                                     8.3 MiB  10.5 MiB/s 00:01 [------------------------------------------------------------] 100%
 multilib                                                                144.7 KiB   374 KiB/s 00:00 [------------------------------------------------------------] 100%
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (4) brave-browser-1.67.119-1  inxi-3.3.35.1-1  onlyoffice-desktopeditors-8.1.0-1  thunderbird-115.12.1-1

Total Download Size:     55.20 MiB
Total Installed Size:  1385.52 MiB
Net Upgrade Size:         3.67 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 thunderbird-115.12.1-1-x86_64                                            55.2 MiB  27.6 MiB/s 00:02 [------------------------------------------------------------] 100%
(4/4) checking keys in keyring                                                                       [------------------------------------------------------------] 100%
downloading required keys...
:: Import PGP key 244740D17C7FD0EC, "Leonidas Spyropoulos <artafinde@archlinux.org>"? [Y/n] 
(4/4) checking package integrity                                                                     [------------------------------------------------------------] 100%
error: thunderbird: signature from "Leonidas Spyropoulos (Arch Linux Packager key) <artafinde@archlinux.org>" is unknown trust
:: File /var/cache/pacman/pkg/thunderbird-115.12.1-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.
[INFO] Done. Note that you need to refresh the database for pamac also.

Step #2: I tried the script with the --moderate. It failed with the following error:

[INFO] Remove cached software packages [optional]
[QUESTION] Delete them? [Yy/Nn]
[Yy/Nn] > n
[INFO] Performing a full upgrade with pacman
[QUESTION] Do you want to continue? [Yy/Nn] (Be aware that a full upgrade needs enough ram on a live session)
> [Yy/Nn] y
:: Synchronizing package databases...
 core                                                                    140.0 KiB  25.9 KiB/s 00:05 [------------------------------------------------------------] 100%
 extra                                                                     8.3 MiB  1471 KiB/s 00:06 [------------------------------------------------------------] 100%
 multilib                                                                144.7 KiB  26.7 KiB/s 00:05 [------------------------------------------------------------] 100%
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (4) brave-browser-1.67.119-1  inxi-3.3.35.1-1  onlyoffice-desktopeditors-8.1.0-1  thunderbird-115.12.1-1

Total Download Size:     55.20 MiB
Total Installed Size:  1385.52 MiB
Net Upgrade Size:         3.67 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 thunderbird-115.12.1-1-x86_64                                            55.2 MiB  23.5 MiB/s 00:02 [------------------------------------------------------------] 100%
(4/4) checking keys in keyring                                                                       [------------------------------------------------------------] 100%
downloading required keys...
:: Import PGP key 244740D17C7FD0EC, "Leonidas Spyropoulos <artafinde@archlinux.org>"? [Y/n] 
(4/4) checking package integrity                                                                     [------------------------------------------------------------] 100%
error: thunderbird: signature from "Leonidas Spyropoulos (Arch Linux Packager key) <artafinde@archlinux.org>" is unknown trust
:: File /var/cache/pacman/pkg/thunderbird-115.12.1-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.
[INFO] Done. Note that you need to refresh the database for pamac also.

Note: When the script asked if I wanted to, “Remove cached software packages (optional)” I chose No. I don’t think it would have helped if I did, but I believe you would be a better judge of that.

Step #3: At this point I didn’t think using the --aggressive flag was going to help. So I took a different approach and uninstalled thunderbird. thunderbird is signed by the key that was being reported as corrupted.

Step #4: update the system with gui updater and three packages were successfully updated (brave-browser, inxi and onlyoffice-desktopeditors) and now my system is up to date.

Step #5: Attempt to re-install thunderbird. It failed, complaining about a corrupt key.

In conclusion:
SO, my sytem IS updatted, BUT I still have something wrong that will probably cause issues when the next new system update is ready.

Where do I go from here?

Moderator edit: In the future, please use proper formatting: [HowTo] Post command output and file content as formatted text

11

You can’t break anything with the script.
Use the aggressive method and let it clear the cache.

12

Well, for one:

:wink:

13

I did try the --aggressive method. There were some errors:

removed '/var/cache/pacman/pkg/rpcbind-1.2.6-3-x86_64.pkg.tar.zst.sig'
removed '/var/cache/pacman/pkg/ksystemlog-23.08.5-1-x86_64.pkg.tar.zst'
removed '/var/cache/pacman/pkg/bovo-24.02.2-1-x86_64.pkg.tar.zst'
removed '/var/cache/pacman/pkg/libgusb-0.4.8-1-x86_64.pkg.tar.zst.sig'
[INFO] Create a temporary folder in /tmp
[INFO] /tmp/tmp.0VYk0PxupA
[INFO] Copy /etc/pacman.conf to /tmp/tmp.0VYk0PxupA/pacman.conf and disable temporarily gpg verification.
[INFO] Download the newest packages which contains the gpg keyrings in /tmp/tmp.0VYk0PxupA
:: Synchronizing package databases...
 core                                                                             140.0 KiB   591 KiB/s 00:00 [------------------------------------------------------------------] 100%
 extra                                                                              8.3 MiB  16.4 MiB/s 00:01 [------------------------------------------------------------------] 100%
 multilib                                                                         144.7 KiB   762 KiB/s 00:00 [------------------------------------------------------------------] 100%
resolving dependencies...

Packages (3) archlinux-keyring-20240609-1  gnupg-2.4.5-1  manjaro-keyring-20230719-2

Total Download Size:  3.93 MiB

:: Proceed with download? [Y/n] 
:: Retrieving packages...
 archlinux-keyring-20240609-1-any                                                1193.9 KiB  12.5 MiB/s 00:00 [------------------------------------------------------------------] 100%
 gnupg-2.4.5-1-x86_64                                                               2.7 MiB  5.43 MiB/s 00:00 [------------------------------------------------------------------] 100%
 manjaro-keyring-20230719-2-any                                                    84.7 KiB   170 KiB/s 00:00 [------------------------------------------------------------------] 100%
 Total (3/3)                                                                        3.9 MiB  7.90 MiB/s 00:00 [------------------------------------------------------------------] 100%
(3/3) checking keys in keyring                                                                                [------------------------------------------------------------------] 100%
(3/3) checking package integrity                                                                              [------------------------------------------------------------------] 100%
[INFO] Install temporarily downloaded keyring packages
loading packages...
warning: archlinux-keyring-20240609-1 is up to date -- reinstalling
warning: gnupg-2.4.5-1 is up to date -- reinstalling
warning: manjaro-keyring-20230719-2 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (3) archlinux-keyring-20240609-1  gnupg-2.4.5-1  manjaro-keyring-20230719-2

Total Installed Size:  11.38 MiB
Net Upgrade Size:       1.66 MiB

:: Proceed with installation? [Y/n] 
(3/3) checking keys in keyring                                                                                [------------------------------------------------------------------] 100%
(3/3) checking package integrity                                                                              [------------------------------------------------------------------] 100%
(3/3) loading package files                                                                                   [------------------------------------------------------------------] 100%
(3/3) checking for file conflicts                                                                             [------------------------------------------------------------------] 100%
error: failed to commit transaction (conflicting files)
archlinux-keyring: /usr/bin/archlinux-keyring-wkd-sync exists in filesystem
archlinux-keyring: /usr/lib/systemd/system/archlinux-keyring-wkd-sync.service exists in filesystem
archlinux-keyring: /usr/lib/systemd/system/archlinux-keyring-wkd-sync.timer exists in filesystem
archlinux-keyring: /usr/lib/systemd/system/timers.target.wants/archlinux-keyring-wkd-sync.timer exists in filesystem
archlinux-keyring: /usr/share/pacman/keyrings/archlinux-revoked exists in filesystem
archlinux-keyring: /usr/share/pacman/keyrings/archlinux-trusted exists in filesystem
archlinux-keyring: /usr/share/pacman/keyrings/archlinux.gpg exists in filesystem
Errors occurred, no packages were upgraded.
[INFO] Remove temporary directory: /tmp/tmp.0VYk0PxupA
removed '/tmp/tmp.0VYk0PxupA/pacman.conf'
removed '/tmp/tmp.0VYk0PxupA/archlinux-keyring-20240609-1-any.pkg.tar.zst'
removed '/tmp/tmp.0VYk0PxupA/gnupg-2.4.5-1-x86_64.pkg.tar.zst'
removed '/tmp/tmp.0VYk0PxupA/manjaro-keyring-20230719-2-any.pkg.tar.xz'
rmdir: removing directory, '/tmp/tmp.0VYk0PxupA'
[INFO] Switch to a local mirror by Geolocation
::INFO Downloading mirrors from Manjaro
::INFO => Mirror pool: https://repo.manjaro.org/mirrors.json
::INFO => Mirror status: https://repo.manjaro.org/status.json
::INFO User generated mirror list
::------------------------------------------------------------
::INFO Custom mirror file saved: /var/lib/pacman-mirrors/custom-mirrors.json
::INFO Using default mirror file
::INFO Querying mirrors - This may take some time
  ..... United_States  : http://mirror.fcix.net/manjaro/
  ..... United_States  : https://nnenix.mm.fcix.net/manjaro/
  ..... United_States  : https://irltoolkit.mm.fcix.net/manjaro/
  ..... United_States  : https://uvermont.mm.fcix.net/manjaro/
  ..... United_States  : https://repo.ialab.dsu.edu/manjaro/
  ..... United_States  : https://mirrors.ocf.berkeley.edu/manjaro/
  ..... United_States  : https://mirror.math.princeton.edu/pub/manjaro/
  ..... United_States  : https://mnvoip.mm.fcix.net/manjaro/
  ..... United_States  : https://forksystems.mm.fcix.net/manjaro/
  ..... United_States  : https://codingflyboy.mm.fcix.net/manjaro/
  ..... United_States  : https://coresite.mm.fcix.net/manjaro/
  ..... United_States  : https://ridgewireless.mm.fcix.net/manjaro/
  ..... United_States  : https://opencolo.mm.fcix.net/manjaro/
  ..... United_States  : https://southfront.mm.fcix.net/manjaro/
  ..... United_States  : https://volico.mm.fcix.net/manjaro/
  ..... United_States  : https://ohioix.mm.fcix.net/manjaro/
  ..... United_States  : https://mirrors.sonic.net/manjaro/
  ..... United_States  : https://mirrors.gigenet.com/manjaro/
  ..... United_States  : https://nocix.mm.fcix.net/manjaro/
  ..... United_States  : https://ask4.mm.fcix.net/manjaro/

::ERROR Connection: HTTPSConnectionPool(host='ask4.mm.fcix.net', port=443): Max retries exceeded with url: /manjaro/stable/core/x86_64/core.db.tar.gz (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f7f1b6c6e10>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))

::INFO Writing mirror list
::United_States   : https://repo.ialab.dsu.edu/manjaro/stable
::United_States   : https://mirror.math.princeton.edu/pub/manjaro/stable
::United_States   : https://uvermont.mm.fcix.net/manjaro/stable
::United_States   : https://nnenix.mm.fcix.net/manjaro/stable
::United_States   : http://mirror.fcix.net/manjaro/stable
::United_States   : https://irltoolkit.mm.fcix.net/manjaro/stable
::United_States   : https://mirrors.ocf.berkeley.edu/manjaro/stable
::United_States   : https://ohioix.mm.fcix.net/manjaro/stable
::United_States   : https://mirrors.gigenet.com/manjaro/stable
::United_States   : https://forksystems.mm.fcix.net/manjaro/stable
::United_States   : https://coresite.mm.fcix.net/manjaro/stable
::United_States   : https://nocix.mm.fcix.net/manjaro/stable
::United_States   : https://southfront.mm.fcix.net/manjaro/stable
::United_States   : https://volico.mm.fcix.net/manjaro/stable
::United_States   : https://codingflyboy.mm.fcix.net/manjaro/stable
::United_States   : https://opencolo.mm.fcix.net/manjaro/stable
::United_States   : https://ridgewireless.mm.fcix.net/manjaro/stable
::United_States   : https://mirrors.sonic.net/manjaro/stable
::United_States   : https://mnvoip.mm.fcix.net/manjaro/stable
::INFO Mirror list generated and saved to: /etc/pacman.d/mirrorlist
::INFO Downloading mirrors from Manjaro
::INFO => Mirror pool: https://repo.manjaro.org/mirrors.json
::INFO => Mirror status: https://repo.manjaro.org/status.json
::INFO Using custom mirror file
::INFO Querying mirrors - This may take some time
  ..... United_States  : https://mirrors.gigenet.com/manjaro/
  ..... United_States  : https://mirrors.ocf.berkeley.edu/manjaro/
  ..... United_States  : https://nocix.mm.fcix.net/manjaro/
  ..... United_States  : https://codingflyboy.mm.fcix.net/manjaro/
  ..... United_States  : https://ask4.mm.fcix.net/manjaro/
::INFO Writing mirror list
::United_States   : https://mirrors.gigenet.com/manjaro/stable/$repo/$arch
::United_States   : https://nocix.mm.fcix.net/manjaro/stable/$repo/$arch
::United_States   : https://codingflyboy.mm.fcix.net/manjaro/stable/$repo/$arch
::United_States   : https://ask4.mm.fcix.net/manjaro/stable/$repo/$arch
::United_States   : https://mirrors.ocf.berkeley.edu/manjaro/stable/$repo/$arch
::INFO Mirror list generated and saved to: /etc/pacman.d/mirrorlist
[INFO] Refresh GnuPG Database of pacman from the Internet
[QUESTION] Do you want to continue? [Yy/Nn] (Note that this can take a while.)
> [Yy/Nn] y
[INFO] Performing a full upgrade with pacman
[QUESTION] Do you want to continue? [Yy/Nn] (Be aware that a full upgrade needs enough ram on a live session)
> [Yy/Nn] y
:: Synchronizing package databases...
 core                                                                             140.0 KiB   690 KiB/s 00:00 [------------------------------------------------------------------] 100%
 extra                                                                              8.3 MiB  16.0 MiB/s 00:01 [------------------------------------------------------------------] 100%
 multilib                                                                         144.7 KiB   713 KiB/s 00:00 [------------------------------------------------------------------] 100%
:: Starting full system upgrade...
 there is nothing to do
[INFO] Done. Note that you need to refresh the database for pamac also.
    ~  pamac update                                                                                                                                                  ✔  5m 2s  
Preparing...
Synchronizing package databases...
Checking integrity...                                                                                                                                                                  
cp: preserving times for '/var/tmp/pamac/dbs/sync': Operation not permitted                                                                                                            
chmod: changing permissions of '/var/tmp/pamac/dbs/sync': Operation not permitted
Nothing to do.
Transaction successfully finished.

There were no pkgs to update because when I removed thunderbird the last time I updated, the update did succeed.

I did try to update the thunderbird pkg and it did fail for the same reason as last time:

rror: thunderbird: signature from "Leonidas Spyropoulos (Arch Linux Packager key) <artafinde@archlinux.org>" is unknown trust

SO, two questions:

  1. What can I try next?
  2. The output from the scripts says:
[INFO] Done. Note that you need to refresh the database for pamac also.

How do I “refresh the database for pamac also”?

Thanks for your time and help.

14 
pamac update --force-refresh
15

Hi,

I have try everything and still get the pgp errors, what’s missing?

16

Show your work - no screenshots, please!
Create your own thread for your own issue.

1 Like