Maintainer pgp keys expired

I have suddenly noticed that I can’t update core packages. After following every bit of advice here Pacman troubleshooting - Manjaro I had a look with gpg directly and noticed that reinstalling the keyring(s) is of no use, because the keys are expired as of today (02. August 2021).

sudo gpg --homedir /etc/pacman.d/gnupg --edit-key helmut.stult@schinfo.de

pub  rsa4096/CEE477135C5872B0
     created: 2018-02-15  expired: 2021-08-02  usage: SC  
     trust: marginal      validity: expired

and

sudo gpg --homedir /etc/pacman.d/gnupg --edit-key brett@i--b.com  
[sudo] password for tom: 

pub  ed25519/A06B49470F8E620A
     created: 2018-10-03  expired: 2021-08-02  usage: SC  
     trust: unknown       validity: expired

Is this a known issue, that will fix itself, or do I need to perform a step not mentioned in the wiki?

4 Likes
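The per-key check done by hand in the post above can be run over the whole pacman keyring at once. This is an added example, not code from the thread: it assumes gpg 2.x colon output (expiry in field 7 as epoch seconds), and the listing is constructed from the key IDs and dates quoted above plus two placeholder keys.

```bash
#!/usr/bin/env bash
# Added example: flag expired / soon-to-expire keys in a gpg colon listing.
# Real use (assumed invocation, run as root):
#   gpg --homedir /etc/pacman.d/gnupg --list-keys --with-colons \
#     | expired_keys "$(date +%s)" 30

# Constructed sample. The first two keys follow the post above; the
# last two are placeholders (one expiring soon, one with no expiry).
sample_listing() {
cat <<'EOF'
pub:e:4096:1:CEE477135C5872B0:1518652800:1627862400::m:::sc:
uid:e::::1518652800::::Helmut Stult (schinfo) <helmut.stult@schinfo.de>:
pub:e:256:22:A06B49470F8E620A:1538524800:1627862400::-:::sc:
uid:e::::1538524800::::Brett Cornwall <brett@i--b.com>:
pub:f:4096:1:0000000000000001:1577836800:1630000000::-:::sc:
uid:f::::1577836800::::Example Packager <packager@example.invalid>:
pub:f:4096:1:0000000000000002:1577836800:::-:::sc:
uid:f::::1577836800::::No Expiry <noexpiry@example.invalid>:
EOF
}

# expired_keys NOW [WARN_DAYS]
# Reads a colon listing on stdin and prints, per flagged primary key:
#   STATUS KEYID EXPIRY_EPOCH FIRST_UID
expired_keys() {
    local now=$1 warn_days=${2:-0}
    awk -F: -v now="$now" -v warn="$warn_days" '
        function emit() {
            if (status != "") print status, keyid, expiry, uid
            status = ""
        }
        $1 == "pub" {
            emit()                       # finish the previous key first
            keyid = $5; expiry = $7; uid = "(no uid)"
            if ($2 == "e" || (expiry != "" && expiry <= now))
                status = "EXPIRED"
            else if (expiry != "" && expiry - now <= warn * 86400)
                status = "EXPIRING"      # an empty expiry never matches
        }
        $1 == "uid" && uid == "(no uid)" { uid = $10 }
        END { emit() }
    '
}

# Demo on the constructed listing, evaluated as of 2021-08-03 UTC.
sample_listing | expired_keys 1627948800 30
```
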

What is the error message that you see when you want to update?

You can use
sudo pacman-key --refresh-keys to refresh the keys from the keyserver. For both keys you mentioned, there should be new valid versions available.

Helmut’s key does not have an expiry date on my end, but Brett’s does, and it has expired.

After refreshing the keys, you’ll see that Brett updated it: Search results for 'brett@i--b.com'

2 Likes

So yeah, running sudo pacman-key --refresh-keys --keyserver hkps://keyserver.ubuntu.com should fix it.

Yeah, it seems Helmut has a slight problem with the keys. The keyserver now lists only outdated keys. I guess he misconfigured the expiration date and accidentally typed 2021 instead of 2022.

Currently, I can’t install hd-probe because of this.

1 Like

Hmm - refreshing with keyserver.ubuntu.com does not fix this for me, and there are more keys invalid/untrusted, the two mentioned were just examples.

I had problems in the past, but then the normal dance of refreshing/reinstalling/repopulating the keybase worked as expected; this time none of the normal steps changes the situation.

Hmm again, refreshing with gpg directly

sudo gpg --homedir /etc/pacman.d/gnupg --refresh-keys

did fetch changes to Brett’s key (fully valid now, no longer expired, but trust is unknown); as for @nightmare-2021 and @mithrial, Helmut’s key stays expired – I’ll check back tomorrow to see if the situation changed somehow.

1 Like

From the link in my previous post, you can see the “live” status of the key. Pacman will fetch from this linked source, so unless this specific user publishes a new key there, packages signed by this user with the old key won’t work.

In order to fix this, you must not refresh the keys manually. Apparently, the user locally changed the key to expire on Aug. 2 and published this expiration date change to the keyserver.

Remove the /etc/pacman.d/gnupg folder and follow the instructions in the Wiki: Pacman troubleshooting - Manjaro to start new.

After I reset the keys, I was able to install today’s testing updates which was not possible before.

1 Like

pacman -Syu fails with:

signature from "Brett Cornwall <brett@i--b.com>" is unknown trust

pacman-key -l Brett   
pub   ed25519 2018-10-03 [SC] [verfallen: 2021-08-02]
  BE2DBCF2B1E3E588AC325AEAA06B49470F8E620A
uid        [ verfallen ] Brett Cornwall <brett@i--b.com>

The keys are updated doing this:

rm -rf /etc/pacman.d/gnupg
pacman-key --init
pacman-key --populate archlinux manjaro

On my system are infected …

  • cherrytree
  • chrono-date
  • spdlog
  • waybar
1 Like

I have this problem too. I went and upgraded my system using the --ignore switch for pacman (pacman -Syu --ignore [comma separated list]) to ignore cherrytree and some other packages including linux510. List is below. Now I can’t install or run those packages. I’m going to try rebooting now because I still see files for my kernel in /boot. Not sure if I did something rash, I just wanted to install a package (libaacs) and I felt blocked.

SNIP
(6/6) checking package integrity                   [##################] 100%
error: cherrytree: signature from "Brett Cornwall <brett@i--b.com>" is unknown trust
:: File /var/cache/pacman/pkg/cherrytree-0.99.39-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: libxnvctrl: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" is unknown trust
:: File /var/cache/pacman/pkg/libxnvctrl-470.57.02-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: linux510: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" is unknown trust
:: File /var/cache/pacman/pkg/linux510-5.10.53-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: linux54: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" is unknown trust
:: File /var/cache/pacman/pkg/linux54-5.4.135-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: snapd: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" is unknown trust
:: File /var/cache/pacman/pkg/snapd-2.51.3-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: xapp: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" is unknown trust
:: File /var/cache/pacman/pkg/xapp-2.2.3-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.
# uname -r
5.4.134-1-MANJARO

Well, you’re lucky. I have core packages from Helmut not installable or upgradable anymore.

error: linux54: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" 

^^^ I need this package and I can still boot into Manjaro with it, but this seems a little serious. Anybody else have this problem? Also, I couldn’t get cherrytree to run at all now; it bombs with an error, so I removed it.

Can you please try the post above yours as that seems to provide a solution and feed back, please? (cc @sombunall )

If that works for both of you, then we can mark that one as a solution…

🤞

Hi all, I am having the same issue with the 428F7ECC7117F726 key. I’ve tried the steps listed on the wiki link above.

The second step fails due to the keys not being initialized.

I’ve skipped it and ran the other steps to reinitialize the keys, which pulls the expired key again. The new keys are signed by the expired key, so I’m unable to install them as well.

I am having similar issues and have tried the solution suggested in the above post by @mithrial which has failed. Specifically:

Step 2 - Reinstalling keyrings including the latest keys failed with:

warning: Public keyring not found; have you run 'pacman-key --init'?
downloading required keys...
error: keyring is not writable
error: keyring is not writable
error: keyring is not writable
error: required key missing from keyring
error: failed to commit transaction (unexpected error)
Errors occurred, no packages were upgraded.

Therefore I ran

pacman-key --init

as suggested (which is step 3 in the troubleshooting guide)

Ran Step 2 again with the errors such as:

error: gnupg: signature from "Levente Polyak <anthraxx@archlinux.org>" is unknown trust
:: File /var/cache/pacman/pkg/gnupg-2.2.29-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]

Completed the remaining steps in the troubleshooting guide, but issues remain and I am unable to upgrade.

I hope I’ve provided sufficient information in an appropriate format.

Thanks in advance

The problem is refreshing all keys. Brett’s key is good and published in a good state, so you could and should update his key. Helmut’s key, however, is not valid on the keyserver but only from the repo’s keyring package.

Yikes, I tried that and the other workarounds suggested in this thread (aside from the date hacking – that just seemed a bridge too far) and nothing has worked for me, Helmut and Brett’s keys are still of unknown trust.

Not sure I’ve seen the keyring this busted since signing came to Arch…

1 Like

I just updated the archlinux-keyring package also on stable branch. All the packages by Helmut should have replaced signatures from our Build-Server. Simply delete Helmut’s signatures from /var/cache/pacman/pkg and redownload the replacements.

1 Like
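To act on the advice above without wiping the whole package cache, the pacman output quoted earlier in the thread can be grouped by signer and reduced to the cached files tied to one key. This is an added example, not the project's tooling; the function names are hypothetical and the sample log is a constructed excerpt of the error lines posted above.

```bash
#!/usr/bin/env bash
# Added example: triage pacman signature failures by signing key.

# Constructed excerpt of the pacman output quoted earlier in the thread.
sample_log() {
cat <<'EOF'
(6/6) checking package integrity                   [##################] 100%
error: cherrytree: signature from "Brett Cornwall <brett@i--b.com>" is unknown trust
:: File /var/cache/pacman/pkg/cherrytree-0.99.39-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
error: libxnvctrl: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" is unknown trust
:: File /var/cache/pacman/pkg/libxnvctrl-470.57.02-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
error: linux54: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" is unknown trust
:: File /var/cache/pacman/pkg/linux54-5.4.135-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
error: failed to commit transaction (invalid or corrupted package (PGP signature))
EOF
}

# failures_by_signer: pacman output on stdin ->
#   EMAIL<TAB>COUNT<TAB>pkg1,pkg2,...   (one line per signer, sorted)
failures_by_signer() {
    awk '
        /^error: [^ ]+: signature from "/ && match($0, /<[^>]+>/) {
            email = substr($0, RSTART + 1, RLENGTH - 2)
            pkg = $2; sub(/:$/, "", pkg)
            count[email]++
            pkgs[email] = (count[email] > 1 ? pkgs[email] "," : "") pkg
        }
        END { for (e in count) printf "%s\t%d\t%s\n", e, count[e], pkgs[e] }
    ' | sort
}

# cached_files_for EMAIL: print the cache path pacman reported right after
# each signature error that names EMAIL. Prints only; it removes nothing.
cached_files_for() {
    awk -v who="<$1>" '
        /^error: [^ ]+: signature from "/ { hit = index($0, who) > 0; next }
        hit && /^:: File / { print $3 }
        { hit = 0 }
    '
}

sample_log | failures_by_signer
sample_log | cached_files_for helmut.stult@schinfo.de
```

Review the printed paths before removing anything; pacman downloads a package again on the next upgrade when its cached file is missing.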

Thanks @philm, it’s still not working for me but I think I just need to wait for the package to propagate to my mirror… Looks like the US mirrors are all partially out of date at the moment (from https://repo.manjaro.org/):

I tried:

sudo rm -rf /var/cache/pacman/pkg/
sudo pacman -Syy archlinux-keyring  # this got me to 20210616-1
sudo pacman -Syu

Does that look about right?

1 Like