Error: archlinux-keyring: signature from is unknown trust

This is my daily driver and I update every time there are available updates so it was not far out of date. I had issues with the last stable update 7/16/2024 using:
sudo pacman -Syu
and
sudo pacman -Syyu
and I updated my mirrors list and
ran pamac update as well:
Error: Failed to commit transaction: invalid or corrupted package (PGP signature):

and I resolved it by using the
SigLevel = Never solution, but on this release, the problem is back.

I do not want to circumvent Signatures for my updates going forward due to security constraints.

(218/218) checking keys in keyring                                 [####################################] 100%
(218/218) checking package integrity                               [####################################] 100%
error: linux-api-headers: signature from "Frederik Schwan <freswa@archlinux.org>" is unknown trust
:: File /var/cache/pacman/pkg/linux-api-headers-6.10-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: zsh-history-substring-search: signature from "T.J. Townsend <blakkheim@archlinux.org>" is unknown trust
:: File /var/cache/pacman/pkg/zsh-history-substring-search-1.1.0-2-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]

I think this may be the issue:

sudo pacman -S archlinux-keyring
warning: archlinux-keyring-20240709-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) archlinux-keyring-20240709-1

Total Installed Size:  1.67 MiB

:: Proceed with installation? [Y/n] Y
(1/1) checking keys in keyring                                     [####################################] 100%
(1/1) checking package integrity                                   [####################################] 100%
error: archlinux-keyring: signature from "Christian Hesse <eworm@archlinux.org>" is unknown trust
:: File /var/cache/pacman/pkg/archlinux-keyring-20240709-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] Y
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

I’ve tried changing the pacman.conf setting SigLevel = Required DatabaseNever and then running as specified in this link: [root tip] [How To] Mitigate and prevent GPGME error when syncing your system
but that did not work.

I also tried and succeeded with:

sudo pacman-key --populate manjaro
==> Appending keys from manjaro.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signed 3 keys.
==> Importing owner trust values...
==> Updating trust database...
gpg: next trustdb check due at 2026-08-21

Any help would be greatly appreciated!
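
An added example, not part of the original post: one way to confirm that a SigLevel = Never workaround is no longer in effect is to list every SigLevel, LocalFileSigLevel or RemoteFileSigLevel line that disables package signature checks or accepts keys of unknown trust. The function names and the sample config are constructed for illustration; token meanings follow pacman.conf(5).

```shell
#!/bin/sh
# Added example: list SigLevel settings that switch off package verification.
# Token meanings follow pacman.conf(5); the sample config below is constructed.

audit_siglevel() {  # $1 = path to a pacman.conf-style file
    awk '
        BEGIN { section = "(none)" }
        /^[ \t]*#/ { next }                       # comment line
        /^[ \t]*\[/ {                             # [options], [core], ...
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            next
        }
        /^[ \t]*(LocalFile|RemoteFile)?SigLevel[ \t]*=/ {
            name = $0; sub(/[ \t]*=.*$/, "", name); sub(/^[ \t]*/, "", name)
            val = $0;  sub(/^[^=]*=/, "", val)
            n = split(val, tok, " ")
            for (i = 1; i <= n; i++) {
                if (tok[i] == "Never" || tok[i] == "PackageNever")
                    why = "package signature checks disabled"
                else if (tok[i] == "TrustAll" || tok[i] == "PackageTrustAll")
                    why = "keys of unknown trust accepted"
                else
                    continue
                print "[" section "] " name ": " tok[i] " (" why ")"
            }
        }
    ' "$1"
}

write_sample_conf() {  # constructed sample, not a real system's file
    cat > "$1" <<'EOF'
[options]
SigLevel = Never
LocalFileSigLevel = Optional

[core]
SigLevel = Required DatabaseNever

[extra]
SigLevel = PackageRequired TrustAll
EOF
}

# Audit the file given as $1, or the constructed sample when none is given.
if [ "$#" -gt 0 ]; then
    audit_siglevel "$1"
else
    sample=$(mktemp)
    write_sample_conf "$sample"
    audit_siglevel "$sample"
    rm -f "$sample"
fi
```

Run it against /etc/pacman.conf; no output means no line disables package signature verification.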

Have you tried using this script?

You may want to clear your cache if an unknown number of the packages are corrupted.

sudo pacman -Sc

You could alternatively target the few with issues, ex:

paccache -rvk0 archlinux-keyring manjaro-keyring

Or

sudo rm /var/cache/pacman/pkg/*keyring*

Now for the download and apply bits, done semi-manually;
Get packages:

curl -O https://mirror.easyname.at/manjaro/pool/sync/archlinux-keyring-20240709-1-any.pkg.tar.zst
curl -O https://mirror.easyname.at/manjaro/pool/overlay/manjaro-keyring-20230719-3-any.pkg.tar.zst

Remove old keys:

sudo rm -r /etc/pacman.d/gnupg

Init keyring:

sudo pacman-key --init 

Install the packages we downloaded:

sudo pacman -U manjaro-keyring*.pkg.tar.zst archlinux-keyring*.pkg.tar.zst 

Populate keys:

sudo pacman-key --populate manjaro archlinux 

And then of course see how are the things. We can include a mirror sort for extra giggles:

sudo pacman-mirrors --continent 
sudo pacman -Syu

sudo pacman -Sc
[sudo] password for admin: 
Packages to keep:
  All locally installed packages

Cache directory: /var/cache/pacman/pkg/
:: Do you want to remove all other packages from cache? [Y/n] Y
removing old packages from cache...

Database directory: /var/lib/pacman/
:: Do you want to remove unused repositories? [Y/n] Y
removing unused sync repositories...

sudo rm -r /etc/pacman.d/gnupg

sudo pacman-key --init
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/etc/pacman.d/gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded
==> Generating pacman master key. This may take some time.
gpg: Generating pacman keyring master key...
gpg: directory '/etc/pacman.d/gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/etc/pacman.d/gnupg/openpgp-revocs.d/ADD20537D94ADF71C4DAE5F4424232E58EB2C2A5.rev'
gpg: Done
==> Updating trust database...
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

sudo pacman -U manjaro-keyring-20230719-3-any.pkg.tar.zst
loading packages...
warning: manjaro-keyring-20230719-3 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) manjaro-keyring-20230719-3

Total Installed Size:  0.09 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] Y
(1/1) checking keys in keyring                                     [####################################] 100%
(1/1) checking package integrity                                   [####################################] 100%
(1/1) loading package files                                        [####################################] 100%
(1/1) checking for file conflicts                                  [####################################] 100%
(1/1) checking available disk space                                [####################################] 100%
:: Running pre-transaction hooks...
(1/1) Creating Timeshift snapshot before upgrade...
==> skipping timeshift-autosnap due skipRsyncAutosnap in /etc/timeshift-autosnap.conf set to TRUE.
:: Processing package changes...
(1/1) reinstalling manjaro-keyring                                 [####################################] 100%
==> Appending keys from manjaro.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signed 18 keys.
==> Importing owner trust values...
gpg: inserting ownertrust of 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: inserting ownertrust of 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: inserting ownertrust of 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: inserting ownertrust of 4
==> Disabling revoked keys in keyring...
  -> Disabled 8 keys.
==> Updating trust database...
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:  15  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:  15  signed:   0  trust: 0-, 0q, 0n, 15m, 0f, 0u
gpg: next trustdb check due at 2026-08-21
:: Running post-transaction hooks...
(1/2) Arming ConditionNeedsUpdate...
(2/2) Refreshing PackageKit...

And this appears to be where things break down.

sudo pacman -U archlinux-keyring-20240709-1-any.pkg.tar.zst
loading packages...
error: could not open file archlinux-keyring-20240709-1-any.pkg.tar.zst: Unrecognized archive format
error: 'archlinux-keyring-20240709-1-any.pkg.tar.zst': cannot open package file

I removed the archlinux-keyring-20240709-1-any.pkg.tar.zst download and retried with the same error.

I tried this command as well:

sudo pacman-key --populate archlinux
==> ERROR: The keyring file /usr/share/pacman/keyrings/archlinux.gpg does not exist.

Thank you for your help @cscs !

Did you skip the following commands given by @cscs

curl -O https://mirror.easyname.at/manjaro/pool/overlay/archlinux-keyring-20240709-1-any.pkg.tar.zst
curl -O https://mirror.easyname.at/manjaro/pool/overlay/manjaro-keyring-20230719-3-any.pkg.tar.zst

@Wollie sorry- I did download both of the new keyring files and the manjaro-keyring-20230719-3-any.pkg.tar.zst installed properly.

curl -O https://mirror.easyname.at/manjaro/pool/overlay/archlinux-keyring-20240709-1-any.pkg.tar.zst
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   281  100   281    0     0    227      0  0:00:01  0:00:01 --:--:--   227

I just ran it again using the curl downloaded file:

sudo pacman -U manjaro-keyring-20230719-3-any.pkg.tar.zst
loading packages...
warning: manjaro-keyring-20230719-3 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) manjaro-keyring-20230719-3

Total Installed Size:  0.09 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] Y
(1/1) checking keys in keyring                                     [####################################] 100%
(1/1) checking package integrity                                   [####################################] 100%
(1/1) loading package files                                        [####################################] 100%
(1/1) checking for file conflicts                                  [####################################] 100%
(1/1) checking available disk space                                [####################################] 100%
:: Running pre-transaction hooks...
(1/1) Creating Timeshift snapshot before upgrade...
==> skipping timeshift-autosnap due skipRsyncAutosnap in /etc/timeshift-autosnap.conf set to TRUE.
:: Processing package changes...
(1/1) reinstalling manjaro-keyring                                 [####################################] 100%
==> Appending keys from manjaro.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signed 3 keys.
==> Importing owner trust values...
==> Updating trust database...
gpg: next trustdb check due at 2026-08-21
:: Running post-transaction hooks...
(1/2) Arming ConditionNeedsUpdate...
(2/2) Refreshing PackageKit...

archlinux keyring still fails

sudo pacman -U archlinux-keyring-20240709-1-any.pkg.tar.zst
loading packages...
error: could not open file archlinux-keyring-20240709-1-any.pkg.tar.zst: Unrecognized archive format
error: 'archlinux-keyring-20240709-1-any.pkg.tar.zst': cannot open package file

  • Incorrect
    • https://mirror.easyname.at/manjaro/pool/overlay/archlinux-keyring-20240709-1-any.pkg.tar.zst
  • Correct
    • https://mirror.easyname.at/manjaro/pool/sync/archlinux-keyring-20240709-1-any.pkg.tar.zst
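
An added example, not part of the original posts: the curl output above shows only 281 bytes received from the wrong URL, and pacman then rejected the saved file with "Unrecognized archive format". The sketch below makes curl fail on HTTP errors, checks that the file really is a zstd archive, and verifies its detached signature before it is handed to pacman -U. The function names are hypothetical, and it assumes the mirror publishes a .sig file next to the package.

```shell
#!/bin/sh
# Added example: sanity-check a manually downloaded package before `pacman -U`.
# Assumption: the mirror publishes a detached signature at <package URL>.sig.

# Download package and signature. --fail makes curl exit non-zero on an HTTP
# error instead of saving the error page under the package's file name.
fetch_pkg() {  # $1 = package URL
    curl --fail --location --remote-name "$1" || return 1
    curl --fail --location --remote-name "$1.sig" || return 1
}

# True if the file starts with the zstd frame magic bytes 28 b5 2f fd.
is_zstd() {  # $1 = file
    [ -f "$1" ] || return 1
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "28b52ffd" ]
}

# Print a verdict; return 0 only when the file is a zstd archive whose
# detached signature verifies against pacman's keyring.
check_pkg() {  # $1 = package file, with $1.sig expected beside it
    pkg=$1
    if ! is_zstd "$pkg"; then
        echo "not-zstd"        # e.g. an HTML error page saved as .pkg.tar.zst
        return 1
    fi
    if [ ! -f "$pkg.sig" ]; then
        echo "no-signature"
        return 2
    fi
    if ! pacman-key --verify "$pkg.sig" >/dev/null 2>&1; then
        echo "bad-signature"   # signer missing from keyring, or file altered
        return 3
    fi
    echo "ok"
}

# Stand-alone use: sh check-pkg.sh file.pkg.tar.zst ...
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(check_pkg "$f")"
done
```

The signature step only succeeds once the signing key is in pacman's keyring, so after a keyring reset check manjaro-keyring first and archlinux-keyring once the first is installed and populated.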

Thank you @Takakage . I’ve downloaded that package successfully and am now getting the below error:

sudo pacman -U manjaro-keyring*.pkg.tar.zst archlinux-keyring*.pkg.tar.zst

loading packages...
warning: manjaro-keyring-20230719-3 is up to date -- reinstalling
warning: archlinux-keyring-20240709-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (2) archlinux-keyring-20240709-1  manjaro-keyring-20230719-3

Total Installed Size:  1.76 MiB
Net Upgrade Size:      1.67 MiB

:: Proceed with installation? [Y/n] Y
(2/2) checking keys in keyring                                     [####################################] 100%
(2/2) checking package integrity                                   [####################################] 100%
(2/2) loading package files                                        [####################################] 100%
(2/2) checking for file conflicts                                  [####################################] 100%
error: failed to commit transaction (conflicting files)
archlinux-keyring: /usr/bin/archlinux-keyring-wkd-sync exists in filesystem
archlinux-keyring: /usr/lib/systemd/system/archlinux-keyring-wkd-sync.service exists in filesystem
archlinux-keyring: /usr/lib/systemd/system/archlinux-keyring-wkd-sync.timer exists in filesystem
archlinux-keyring: /usr/lib/systemd/system/timers.target.wants/archlinux-keyring-wkd-sync.timer exists in filesystem
Errors occurred, no packages were upgraded.

Sorry about the faulty second URL - it is corrected now.

For the conflicting files - if you did not manually create files from outside the package manager this could be a result of the fragmentation etc.

So - we can remove the files first (they will be replaced on package install) or use overwrite, ex:

sudo pacman -U manjaro-keyring*.pkg.tar.zst
sudo pacman -U archlinux-keyring*.pkg.tar.zst --overwrite '/usr/*'

sudo pacman -U manjaro-keyring*.pkg.tar.zst
[sudo] password for admin: 
loading packages...
warning: manjaro-keyring-20230719-3 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) manjaro-keyring-20230719-3

Total Installed Size:  0.09 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] Y
(1/1) checking keys in keyring                                     [####################################] 100%
(1/1) checking package integrity                                   [####################################] 100%
(1/1) loading package files                                        [####################################] 100%
(1/1) checking for file conflicts                                  [####################################] 100%
(1/1) checking available disk space                                [####################################] 100%
:: Running pre-transaction hooks...
(1/1) Creating Timeshift snapshot before upgrade...
==> skipping timeshift-autosnap due skipRsyncAutosnap in /etc/timeshift-autosnap.conf set to TRUE.
:: Processing package changes...
(1/1) reinstalling manjaro-keyring                                 [####################################] 100%
==> Appending keys from manjaro.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signed 18 keys.
==> Importing owner trust values...
gpg: inserting ownertrust of 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: inserting ownertrust of 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: inserting ownertrust of 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: inserting ownertrust of 4
==> Disabling revoked keys in keyring...
  -> Disabled 8 keys.
==> Updating trust database...
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:  15  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:  15  signed:   0  trust: 0-, 0q, 0n, 15m, 0f, 0u
gpg: next trustdb check due at 2026-08-21
:: Running post-transaction hooks...
(1/2) Arming ConditionNeedsUpdate...
(2/2) Refreshing PackageKit...

sudo pacman -U archlinux-keyring*.pkg.tar.zst --overwrite '/usr/*'
loading packages...
warning: archlinux-keyring-20240709-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) archlinux-keyring-20240709-1

Total Installed Size:  1.67 MiB

:: Proceed with installation? [Y/n] Y
(1/1) checking keys in keyring                                     [####################################] 100%
(1/1) checking package integrity                                   [####################################] 100%
(1/1) loading package files                                        [####################################] 100%
(1/1) checking for file conflicts                                  [####################################] 100%
(1/1) checking available disk space                                [####################################] 100%
:: Running pre-transaction hooks...
(1/1) Creating Timeshift snapshot before upgrade...
==> skipping timeshift-autosnap due skipRsyncAutosnap in /etc/timeshift-autosnap.conf set to TRUE.
:: Processing package changes...
(1/1) reinstalling archlinux-keyring                               [####################################] 100%
==> Appending keys from archlinux.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signed 5 keys.
==> Importing owner trust values...
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: inserting ownertrust of 4
gpg: setting ownertrust to 4
==> Disabling revoked keys in keyring...
  -> Disabled 45 keys.
==> Updating trust database...
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: (use option "--allow-weak-key-signatures" to override)
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:  20  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:  20  signed: 101  trust: 0-, 0q, 0n, 20m, 0f, 0u
gpg: depth: 2  valid:  77  signed:  22  trust: 77-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2024-11-09
:: Running post-transaction hooks...
(1/3) Reloading system manager configuration...
(2/3) Arming ConditionNeedsUpdate...
(3/3) Refreshing PackageKit...

sudo pacman-key --populate manjaro archlinux

==> Appending keys from manjaro.gpg...
==> Appending keys from archlinux.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signed 3 keys.
==> Importing owner trust values...
==> Updating trust database...
gpg: next trustdb check due at 2024-11-09

sudo pacman-mirrors --continent
::INFO Downloading mirrors from Manjaro
::INFO => Mirror pool: https://repo.manjaro.org/mirrors.json
::INFO => Mirror status: https://repo.manjaro.org/status.json
::INFO User generated mirror list
::------------------------------------------------------------
::INFO Custom mirror file saved: /var/lib/pacman-mirrors/custom-mirrors.json
::INFO Using default mirror file
::INFO Querying mirrors - This may take some time
  1.335 Canada         : https://mirror.csclub.uwaterloo.ca/manjaro/
  0.740 Canada         : https://mirror.xenyth.net/manjaro/
  0.675 Canada         : https://muug.ca/mirror/manjaro/
  ..... Costa_Rica     : https://mirrors.ucr.ac.cr/manjaro/

::ERROR Connection: HTTPSConnectionPool(host='mirrors.ucr.ac.cr', port=443): Read timed out. (read timeout=4)

  0.466 United_States  : http://mirror.fcix.net/manjaro/
  0.792 United_States  : https://nnenix.mm.fcix.net/manjaro/
  0.242 United_States  : https://ziply.mm.fcix.net/manjaro/
  0.717 United_States  : https://cofractal-ewr.mm.fcix.net/manjaro/
  0.530 United_States  : https://irltoolkit.mm.fcix.net/manjaro/
  1.309 United_States  : https://uvermont.mm.fcix.net/manjaro/
  0.696 United_States  : https://repo.ialab.dsu.edu/manjaro/
  0.511 United_States  : https://mirrors.ocf.berkeley.edu/manjaro/
  0.883 United_States  : https://mirror.math.princeton.edu/pub/manjaro/
  0.612 United_States  : https://mnvoip.mm.fcix.net/manjaro/
  0.847 United_States  : https://forksystems.mm.fcix.net/manjaro/
  0.363 United_States  : https://codingflyboy.mm.fcix.net/manjaro/
  0.624 United_States  : https://coresite.mm.fcix.net/manjaro/
  0.368 United_States  : https://ridgewireless.mm.fcix.net/manjaro/
  0.396 United_States  : https://opencolo.mm.fcix.net/manjaro/
  0.880 United_States  : https://southfront.mm.fcix.net/manjaro/
  1.161 United_States  : https://volico.mm.fcix.net/manjaro/
  0.592 United_States  : https://ohioix.mm.fcix.net/manjaro/
  1.012 United_States  : https://nocix.mm.fcix.net/manjaro/
::INFO Writing mirror list
::United_States   : https://ziply.mm.fcix.net/manjaro/stable
::United_States   : https://codingflyboy.mm.fcix.net/manjaro/stable
::United_States   : https://ridgewireless.mm.fcix.net/manjaro/stable
::United_States   : https://opencolo.mm.fcix.net/manjaro/stable
::United_States   : http://mirror.fcix.net/manjaro/stable
::United_States   : https://mirrors.ocf.berkeley.edu/manjaro/stable
::United_States   : https://irltoolkit.mm.fcix.net/manjaro/stable
::United_States   : https://ohioix.mm.fcix.net/manjaro/stable
::United_States   : https://mnvoip.mm.fcix.net/manjaro/stable
::United_States   : https://coresite.mm.fcix.net/manjaro/stable
::Canada          : https://muug.ca/mirror/manjaro/stable
::United_States   : https://repo.ialab.dsu.edu/manjaro/stable
::United_States   : https://cofractal-ewr.mm.fcix.net/manjaro/stable
::Canada          : https://mirror.xenyth.net/manjaro/stable
::United_States   : https://nnenix.mm.fcix.net/manjaro/stable
::United_States   : https://forksystems.mm.fcix.net/manjaro/stable
::United_States   : https://southfront.mm.fcix.net/manjaro/stable
::United_States   : https://mirror.math.princeton.edu/pub/manjaro/stable
::United_States   : https://nocix.mm.fcix.net/manjaro/stable
::United_States   : https://volico.mm.fcix.net/manjaro/stable
::United_States   : https://uvermont.mm.fcix.net/manjaro/stable
::Canada          : https://mirror.csclub.uwaterloo.ca/manjaro/stable
::INFO Mirror list generated and saved to: /etc/pacman.d/mirrorlist
sudo pacman -Syu
...
 Total (218/218)                       766.7 MiB  27.7 MiB/s 00:28 [####################################] 100%
(218/218) checking keys in keyring                                 [####################################] 100%
(218/218) checking package integrity                               [####################################] 100%
(218/218) loading package files                                    [####################################] 100%
(218/218) checking for file conflicts                              [####################################] 100%
(218/218) checking available disk space                            [####################################] 100%
:: Running pre-transaction hooks...
(1/4) Creating Timeshift snapshot before upgrade...
==> skipping timeshift-autosnap due skipRsyncAutosnap in /etc/timeshift-autosnap.conf set to TRUE.
(2/4) Removing linux initcpios...
(3/4) Remove DKMS modules
(4/4) Remove Firefox Distribution Settings
:: Processing package changes...
(  1/218) upgrading linux-api-headers                              [####################################] 100%
...

That worked!
Thank you for your persistence, and the advice out there to circumvent the signatures is commonplace, but does not fix the root cause. Hopefully my experience helps someone else.
So what could be built into the update commands to prevent this from happening to others?

@Arrababiski - Thank you for providing this link. I didn’t try this script, but would it have corrected the manual archlinux-keyring download and overwrite issue that I encountered?

Glad it's worked out.

I have found that such issues usually have a network source.
As in the connection is not good somehow.
It could also be that a mirror in use has problems - but it is not exactly widespread.
I have seen a comment on the forums somewhere that this seemed to have been a symptom of using the ‘global’ mirrors, but I have not verified those claims.

For whatever it's worth here is the mirror status/comparison page

https://repo.manjaro.org/
