Is archlinux-keyring-wkd-sync.timer necessary on Manjaro?

When an update is done on Manjaro, the first step is always an update of the archlinux-keyring and manjaro-keyring. Is it then necessary to run the systemd timer archlinux-keyring-wkd-sync.timer on Manjaro?

Additional information

The timer came to light because it was failing. The upgrade 21.3.7-1 → 22.0.0pre2-1 seemed to introduce a new systemd timer, archlinux-keyring-wkd-sync.timer. It was failing. The upgrade 22.0.0pre2-1 → 22.0.0pre3-1 seems to have fixed it.

Package: archlinux-keyring 20220831-1, 20220927-1

The error:

archlinux-keyring-wkd-sync.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
archlinux-keyring-wkd-sync.service: Failed with result 'exit-code'

Commands:

systemctl list-timers
systemctl list-units --failed
journalctl -g archlinux-keyring-wkd-sync
pacman -Fx archlinux-keyring-wkd-sync

It’s a part of a necessary package, so in this regard, yes, it’s necessary.

# Update all locally existing PGP keys in pacman's gnupg keyring, that are
# relevant for Arch Linux packaging using the distribution's Web Key Directory
# (WKD).
# This ensures, that new signatures on already existing keys are fetched before
# a new version of archlinux-keyring is installed. Fetching signatures early
# prevents marginal trust issues with packages that are signed by keys which
# only gain full trust when updating to a new version of archlinux-keyring in
# that same system upgrade action.

I bet you’ll see one for manjaro-keyring soon enough.

Are there any errors running it directly?

sudo archlinux-keyring-wkd-sync

Yes, failed. Return code 2.

I manually ran the service that is listed in the systemd timers and it indeed showed the failed unit, again. So I guess not fixed. But you are probably correct that it is the script that is failing.

Last 3 lines of the script’s execution:

Refreshing key B8151B117037781095514CA7BBDFFC92306B1121 with UID andrew@archlinux.org...
gpg: error retrieving 'andrew@archlinux.org' via WKD: No data
gpg: error reading key: No data

Potential fix on Arch forums:

“archlinux-keyring-wkd-sync.service constantly failing”

If we change line 58 of /usr/bin/archlinux-keyring-wkd-sync from:

"${gpg_locate_external[@]}" "${fpr_email[1]}"

to:

"${gpg_locate_external[@]}" "${fpr_email[1]}" || true

… then the script will continue to process the remaining keys without error.


Changing set -eu to set -u would achieve similar results.

A better approach might be to capture the nonzero return codes from the command execution and then at the very end the script could report that one or more failures occurred, but all other keys were updated.

That’s a whole lot of output to be writing to the journal.

Maybe a non-issue.
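
The approach suggested in the thread (record each failed lookup, keep going, report at the end), as an added example that is not part of the original posts or of the archlinux-keyring script. `locate_key`, `refresh_keys` and the sample key list are hypothetical stand-ins; the stub fails for one constructed address in place of a real gpg WKD lookup.

```shell
#!/bin/sh
set -eu

# Hypothetical stand-in for the script's gpg WKD lookup. It fails for one
# constructed address the way the "No data" error in the thread does.
locate_key() {
    case "$1" in
        nodata@example.org)
            echo "gpg: error retrieving '$1' via WKD: No data" >&2
            return 2 ;;
        *)  return 0 ;;
    esac
}

# Read "FINGERPRINT EMAIL" lines on stdin and try every key.
# Sets FAILED to the space-separated fingerprints that could not be
# refreshed; returns 1 if there were any, 0 otherwise.
refresh_keys() {
    FAILED=""
    total=0
    while read -r fpr email; do
        [ -n "$fpr" ] || continue
        total=$((total + 1))
        # A command tested by `if` does not trigger `set -e`, so the loop
        # survives a failed lookup without a blanket `|| true`.
        if ! locate_key "$email"; then
            FAILED="${FAILED}${FAILED:+ }${fpr}"
        fi
    done
    if [ -n "$FAILED" ]; then
        echo "refreshed with errors; failed keys: $FAILED" >&2
        return 1
    fi
    echo "all $total keys refreshed"
}

# Constructed sample input (not real Arch Linux keys).
SAMPLE_KEYS='AAAA000000000000000000000000000000000001 alice@example.org
BBBB000000000000000000000000000000000002 nodata@example.org
CCCC000000000000000000000000000000000003 carol@example.org'

# Demo run: the third key is still processed after the second one fails.
# A service wrapper would exit with this status so systemd marks the unit failed.
status=0
refresh_keys <<EOF || status=$?
$SAMPLE_KEYS
EOF
echo "exit status: $status"
```

Unlike `|| true` or dropping `-e`, this keeps the nonzero exit status, so a key that can no longer be fetched still shows up in `systemctl list-units --failed` while every other key is refreshed.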

Remove WKD sync service once pacman syncs existing keys natively

The script/service/timer added in !138 (merged) updates existing keys on user systems outside the context of doing updates with pacman. This is because pacman currently only has the capability of retrieving non-existing keys (e.g. from WKD), when it encounters a signature of an unknown key, but does not retrieve an updated key for existing keys, when encountering invalid signatures.

Once pacman is able to update existing keys natively (using gpgme), we need to drop the script, service and timer again.
Remove WKD sync service once pacman syncs existing keys natively (#187) · Issues · Arch Linux / Arch Linux Keyring · GitLab
