When an update is done on Manjaro, the first step is always an update of the archlinux-keyring and manjaro-keyring. Is it then necessary to run the systemd timer archlinux-keyring-wkd-sync.timer on Manjaro?
Additional information
The timer came to light because it was failing. The upgrade 21.3.7-1 → 22.0.0pre2-1 seemed to introduce a new systemd timer, archlinux-keyring-wkd-sync.timer. It was failing. The upgrade 22.0.0pre2-1 → 22.0.0pre3-1 seems to have fixed it.
Package: archlinux-keyring 20220831-1, 20220927-1
The error:
archlinux-keyring-wkd-sync.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
archlinux-keyring-wkd-sync.service: Failed with result 'exit-code'
It’s a part of a necessary package, so in this regard, yes, it’s necessary.
# Update all locally existing PGP keys in pacman's gnupg keyring, that are
# relevant for Arch Linux packaging using the distribution's Web Key Directory
# (WKD).
# This ensures, that new signatures on already existing keys are fetched before
# a new version of archlinux-keyring is installed. Fetching signatures early
# prevents marginal trust issues with packages that are signed by keys which
# only gain full trust when updating to a new version of archlinux-keyring in
# that same system upgrade action.
I bet you’ll see one for manjaro-keyring soon enough.
I manually ran the service that is listed in the systemd timers and it indeed showed the failed unit, again. So I guess not fixed. But you are probably correct that it is the script that is failing.
Last 3 lines of the script’s execution:
Refreshing key B8151B117037781095514CA7BBDFFC92306B1121 with UID andrew@archlinux.org...
gpg: error retrieving 'andrew@archlinux.org' via WKD: No data
gpg: error reading key: No data
Changing set -eu to set -u would achieve similar results.
A better approach might be to capture the nonzero return codes from the command execution and then at the very end the script could report that one or more failures occurred, but all other keys were updated.
That’s a whole lot of output to be writing to the journal.
Remove WKD sync service once pacman syncs existing keys natively
The script/service/timer added in !138 (merged) updates existing keys on user systems outside the context of doing updates with pacman. This is because pacman currently only has the capability of retrieving non-existing keys (e.g. from WKD), when it encounters a signature of an unknown key, but does not retrieve an updated key for existing keys, when encountering invalid signatures.
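The approach suggested earlier in the thread (record each failed refresh and report once at the end, instead of aborting on the first one under set -e), as an added example that is not part of the thread or of the archlinux-keyring package. The function names, the gpg invocation in refresh_via_wkd and the two placeholder keys are assumptions; only the first fingerprint and UID come from the log above.

```shell
#!/bin/sh
# Added example: per-key failure handling for a WKD refresh loop.
set -u   # no -e: one failed lookup must not abort the remaining keys

GNUPGHOME_DIR=/etc/pacman.d/gnupg   # pacman's keyring directory

# Assumed invocation: fetch an updated copy of one key via WKD only.
refresh_via_wkd() {
    gpg --homedir "$GNUPGHOME_DIR" --no-permission-warning \
        --auto-key-locate clear,wkd --locate-external-keys "$1"
}

# Constructed stand-in so the demo runs offline: it fails for the UID
# that returned "No data" in the thread.
refresh_fake() {
    [ "$1" != "andrew@archlinux.org" ]
}

# Reads "FINGERPRINT UID" lines on stdin and calls the refresher ($1) per UID.
# Sets ATTEMPTED, FAILED_COUNT, FAILED_UIDS; returns 1 if any key failed.
sync_keys() {
    refresher=$1
    ATTEMPTED=0 FAILED_COUNT=0 FAILED_UIDS=
    while read -r fpr uid; do
        [ -n "$uid" ] || continue
        ATTEMPTED=$((ATTEMPTED + 1))
        # Per-key gpg output is dropped to keep the journal short.
        if ! "$refresher" "$uid" </dev/null >/dev/null 2>&1; then
            FAILED_COUNT=$((FAILED_COUNT + 1))
            FAILED_UIDS="$FAILED_UIDS $uid"
            printf 'warning: could not refresh %s (%s)\n' "$fpr" "$uid" >&2
        fi
    done
    [ "$FAILED_COUNT" -eq 0 ] && return 0
    printf '%d of %d keys not refreshed:%s\n' \
        "$FAILED_COUNT" "$ATTEMPTED" "$FAILED_UIDS" >&2
    return 1
}

# Constructed sample input; the last two entries are placeholders.
demo() {
    sync_keys refresh_fake <<'EOF'
B8151B117037781095514CA7BBDFFC92306B1121 andrew@archlinux.org
0000000000000000000000000000000000000001 alice@archlinux.org
0000000000000000000000000000000000000002 bob@archlinux.org
EOF
}

demo || echo "demo exit status: $? (all $ATTEMPTED keys were still attempted)"
```

On a real system, sync_keys would be called with refresh_via_wkd and fed fingerprint/UID pairs listed from pacman's keyring; the nonzero return still marks the unit as failed, but only after every key has been tried.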