Issues with "signature is marginal trust" or "invalid or corrupted package"


#1

If you’re getting an error similar to “Can’t update: signature from *** is marginal trust” or “invalid or corrupted package” you probably just need to update your package signing keys:

sudo pacman -Sy archlinux-keyring manjaro-keyring
sudo pacman-key --populate archlinux manjaro
sudo pacman-key --refresh-keys

If one fails, try the next then retry, and once all succeed retry the update.

If these still don’t work, check this thread: Issues with “signature is marginal trust” or “invalid or corrupted package”


#2

#3

#4

3 posts were split to a new topic: Gpg: invalid radix64 character * skipped


#5

If --refresh-keys doesn’t work (for whatever reason) try:

sudo pacman-key --refresh-keys --keyserver pgp.mit.edu

This uses a different keyserver than the default so might work better depending on your internet connection.


If you still can’t update, try updating your package mirrors too, before finally updating all packages:

sudo pacman-mirrors -f0
sudo pacman -Sy archlinux-keyring manjaro-keyring
sudo pacman-key --populate archlinux manjaro
sudo pacman-key --refresh-keys
sudo pacman -Syyu

If you have any other errors, there’s the “nuclear option”:

sudo rm -fr /etc/pacman.d/gnupg
sudo pacman-key --init
sudo pacman-key --populate archlinux manjaro
sudo pacman-key --refresh-keys
sudo pacman -Syyu

If you’re installing an AUR package a PGP key can be used to verify the source files. You will need to import this into your personal keyring before it can be verified. If you don’t you’ll get an error similar to:

[...]
llvm-5.0.0.src.tar.xz ... FAILED (unknown public key 0FC3042E345AD05D)
libcxx-5.0.0.src.tar.xz ... FAILED (unknown public key 0FC3042E345AD05D)
libcxxabi-5.0.0.src.tar.xz ... FAILED (unknown public key 0FC3042E345AD05D)
[...]

To “fix” this, simply import the key:

gpg --recv-key 0FC3042E345AD05D


#6

Just to quote myself from another thread:


#7

I have used Manjaro since the 0.8.xx version, so basically almost from the beginning; I switched from Ubuntu in 2012. There was never a problem like this for ages. But about 2 years ago it started doing this “key-problem”. At first it seemed to be just a little “bug”. It happened very rarely, once or twice. But nowadays EVERY. SINGLE. TIME. I perform an update there are always errors. A few times it was IMPOSSIBLE to solve it, and I had to download the .iso of the new version, make boot media from it, and install it from scratch!
And it is not just this key-thingy: a few times after an update, when I rebooted -or turned off and turned on the next day- my computer, the system did not start. I couldn’t even get a command prompt, and I had to delete the whole system and reinstall it. (I did not lose any personal data, because I plugged the HDD into another computer and could save it.) This was the worst that ever happened to me, using any Linux.

So, why didn’t I switch to another Linux?
I have old hardware, newer Linux variants are extremely slow (IMO, because of those fancy-looking, CPU-hungry, nonsense, useless programs and desktops) and that’s the reason I need to use a lightweight Linux. I find Manjaro performs the best, and it has got all the programs that I ever need, by default. And I was very happy with my Manjaro for years. But now… It’s getting worse with every update.

Now I always update manually, and set the update check frequency as long as possible.
And it seems it’s a big problem, and is causing bugs, like Jonathon said in the previous post.
I think this is not really the fault of the user if someone “skips” an update.
I think it is a SERIOUS BUG in this whole rolling release system then!

My few questions are:
WHY does nobody fix this issue with the rolling release system (IF the problem is really that…)?
Or, why can Manjaro not update those keys automatically, why do we need to do this manually?
So, does Manjaro not perform a key database update? Or why, if I do not “skip” and update, does this bug not come out, but if I don’t update all the time this bug happens?
Something is not quite right here…

P.S.1: Right now, out of curiosity, I got my old laptop that I use very rarely (approx. once every 2-3 months). It has Manjaro 17.0.2 on it and I tried to update that. Same thing, error with keys.
I realized after executing the first command that those packages (archlinux-keyring manjaro-keyring) DON’T EVEN EXIST ON THAT SYSTEM, they were never installed…
Now, how about that!?


#8

If you don’t update the keyring packages when there are updates for the keyring packages then you’re going to get keyring issues. This is the root cause of all of these issues - it’s user error, not an error in the packages or Manjaro or Arch or the rolling release model.

This is pretty much what I said in the post above.

If you don’t want the security of signed packages you can edit your /etc/pacman.conf and disable signature checking. On the other hand, if you want signed packages you have to deal with package signing keys.
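
An added example (not part of the post above and not Manjaro's own tooling): a small lint that reports any SigLevel line in a pacman.conf-style file that weakens package verification, for checking that a workaround was not left in place. The sample file and the repo name "thirdparty" are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag SigLevel lines that weaken package verification.

# Prints "section<TAB>finding" per weak setting. Database* tokens are skipped:
# they only govern the sync databases, not the packages themselves.
audit_siglevel() {
    awk '
        /^[ \t]*#/ { next }                              # comment line
        /^[ \t]*\[/ {                                    # [section] header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            section = s; next
        }
        /^[ \t]*SigLevel[ \t]*=/ {
            sub(/^[^=]*=/, "")                           # keep the value only
            check = ""; trust = ""
            for (i = 1; i <= NF; i++) {                  # later tokens win
                t = $i
                if (t == "Never"       || t == "PackageNever")       check = "never"
                if (t == "Optional"    || t == "PackageOptional")    check = "optional"
                if (t == "Required"    || t == "PackageRequired")    check = "required"
                if (t == "TrustAll"    || t == "PackageTrustAll")    trust = "all"
                if (t == "TrustedOnly" || t == "PackageTrustedOnly") trust = "only"
            }
            if (check == "never")    print section "\tpackage signatures are not checked"
            if (check == "optional") print section "\tunsigned packages are accepted"
            if (trust == "all")      print section "\tkeys of unknown or marginal trust are accepted"
        }
    ' "$1"
}

# Constructed sample configuration (not taken from a real system).
write_sample_conf() {
    cat > "$1" <<'EOF'
[options]
SigLevel = Required DatabaseOptional
#SigLevel = Never
[core]
SigLevel = PackageRequired
[extra]
SigLevel = Never
[thirdparty]
SigLevel = Optional TrustAll
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
audit_siglevel "$conf"
rm -f "$conf"
```

On a real system the function would be pointed at /etc/pacman.conf; an empty result means no SigLevel line in that file relaxes package checking.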


#9

A million thanks for the answer.

I still have things that are not clear to me.
You said “If you don’t update the keyring packages when there are updates”…

When the weekly (that I set) update check finds ANYTHING, I always update, so in theory I get ALL the updates that came out that week. Maybe one thing comes out on Monday, another package is updated on Friday; if I update on Saturday I get all the updates, right? If the keyring is updated I must get it, or not?
Or do we always have to update it manually?


#10

What should happen is that the keyring packages are updated before other packages (they’re in syncfirst). However, if you have a partially-synced mirror, which e.g. has an older [core] but newer [extra], the packages in [extra] may be signed by a key that’s not in the older keyring package. Hence, the keyrings need to be updated before the package signer will be recognised.


#11

Thanks. If I understand it correctly, this keyring “bug” has got something to do with the mirrors.
So, if I choose another mirror, maybe it can resolve this problem?


#12

I’m just another Manjaro user, not on the Manjaro staff, so I’m only commenting in that capacity. I’ve found that if you use a distro modelled on “rolling releases”, it really behooves you to check for updates on at least a weekly basis. Not to do so will lead to the sort of synchronization problems you are running into with keys and unresolved dependencies, etc. If you are looking for more stability than that, or don’t have the time or proclivity to do frequent updates, you should use another distro, such as Debian / Devuan, or one of their derivatives, which don’t generally ascribe to rolling releases, and certainly update much less frequently than Arch based distros. The downside of those distributions is that when a major update comes about every few years, you’ll usually need to have some significant downtime to do a major upgrade/reinstall. That’s just my experience as an end user these days.


#13

One other suggestion - Manjaro’s “pacman-mirrors” command is your friend. It can be used to regularly optimize your mirrors data file with those which are most in sync and/or geographically close to your location, entailing less network hops and greater speed and reliability. I do a “pacman-mirrors --geo” on a regular basis.


#14

OK so I had this error trying to install libc++:

[...]
llvm-5.0.0.src.tar.xz ... FAILED (unknown public key 0FC3042E345AD05D)
libcxx-5.0.0.src.tar.xz ... FAILED (unknown public key 0FC3042E345AD05D)
libcxxabi-5.0.0.src.tar.xz ... FAILED (unknown public key 0FC3042E345AD05D)
[...]

I tried so many times updating the package signing keys but I still get this error


#15

That’s because you’re installing from the AUR, not installing a repo package.

In this case, a PGP key is being used to check the validity of downloaded source archives, and you don’t have the PGP key in your personal keyring, so makepkg can’t check the validity of the signature.

Assuming you trust the key, to resolve the issue add the key to your personal keyring:

gpg --recv-key 0FC3042E345AD05D

For anyone else reading this: remember that the AUR is not part of Manjaro, it’s a place that provides community-submitted packaging files that can be used by Arch-like distros. As such, you should check the packaging files before using them.
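
An added example (not part of the post above, and not makepkg's own logic): before importing, check that each key ID makepkg reports as unknown is the tail of a full fingerprint that the PKGBUILD declares in validpgpkeys, and plan the import by full fingerprint. The PKGBUILD fragment, the zero-padded fingerprint prefix and the second key ID are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: only import keys that the PKGBUILD itself declares.

# Key IDs from makepkg's "unknown public key" lines (stdin), upper-cased, unique.
unknown_key_ids() {
    sed -n 's/.*unknown public key \([0-9A-Fa-f]\{16\}\)).*/\1/p' |
        tr 'a-f' 'A-F' | sort -u
}

# 40-hex-digit fingerprints inside the PKGBUILD's validpgpkeys=( ... ) array.
declared_fingerprints() {
    awk '/^validpgpkeys=\(/ { on = 1 }
         on { print; if ($0 ~ /\)/) on = 0 }' "$1" |
        tr -c '0-9A-Fa-f\n' '\n' | grep -E '^[0-9A-Fa-f]{40}$' | tr 'a-f' 'A-F'
}

# $1 = PKGBUILD, stdin = makepkg output.
# Prints "import <fingerprint>" when a declared fingerprint ends in the
# reported ID, otherwise "undeclared <id>" (do not fetch that key blindly).
plan_imports() {
    fprs=$(declared_fingerprints "$1")
    unknown_key_ids | while read -r id; do
        hit=""
        for fpr in $fprs; do
            case "$fpr" in *"$id") hit=$fpr ;; esac
        done
        if [ -n "$hit" ]; then echo "import $hit"; else echo "undeclared $id"; fi
    done
}

# Constructed sample data: the fingerprint prefix and the second key ID are
# placeholders, not real keys.
write_samples() {
    cat > "$1/PKGBUILD" <<'EOF'
pkgname=libc++
sha512sums=('SKIP')
validpgpkeys=('0000000000000000000000000FC3042E345AD05D') # placeholder prefix
EOF
    cat > "$1/makepkg.log" <<'EOF'
llvm-5.0.0.src.tar.xz ... FAILED (unknown public key 0FC3042E345AD05D)
libcxx-5.0.0.src.tar.xz ... FAILED (unknown public key 0FC3042E345AD05D)
other-1.0.tar.xz ... FAILED (unknown public key 1111222233334444)
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
plan_imports "$dir/PKGBUILD" < "$dir/makepkg.log"
rm -rf "$dir"
```

A fingerprint printed after "import" is the value to pass to gpg and to compare against the one the upstream project publishes; an "undeclared" ID means the PKGBUILD does not vouch for that key.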


#16

Solved! Thank you!


#17

Sometimes it works, sometimes not.

Interestingly, before I posted that, back on Nov 19, I tried that several times, but it didn’t work. (I always keep unlimited bash history, so I am totally sure I did that several times and did it correctly.)
Today I tried that again and now it worked; now I can update the system on all those computers that didn’t work at that time.

How can it be?


#18

Most likely an out-of-date mirror.


#19

Thanks for the suggestion to change distro to Debian, curtvaughan, but that suggestion is totally useless, and unnecessary to me.

You already took the time to read my post and reply to it, thanks for that, but please look more carefully next time. You can save your own time.

From my original post:
“I switched from Ubuntu”
“I have old hardware, newer Linux variants are extremely slow.”

Maybe it’s not that clear, but it means that my computer can not handle those, mostly bloated, Debian distros. Over the years I tried several differently based distros; that’s how I found out that an Arch-based distro combined with the XFCE desktop performs the best on all my old computers.


#20

Can you describe what exactly that means?
In a previous post you said it can be because of a “partially-synced mirror”, now you said “out-of-date mirror.”

When performing a full system update, doesn’t that update the mirrors before starting the update process? And doesn’t it update the PGP signatures?