Maintainer pgp keys expired

So yeah, running sudo pacman-key --refresh-keys --keyserver hkps://keyserver.ubuntu.com should fix it.

Yeah, it seems Helmut has a slight problem with the keys. The keyserver now lists only outdated keys. I guess he misconfigured the expiration date and accidentally typed 2021 instead of 2022.

Currently, I can’t install hd-probe because of this.

1 Like

Hmm - refreshing with keyserver.ubuntu.com does not fix this for me, and there are more keys invalid/untrusted, the two mentioned were just examples.

I had problems in the past, but then the normal dance of refreshing/reinstalling/repopulating the keybase worked as expected, this time nothing of the normal steps changes the situation.

Hmm again, refreshing with gpg directly

sudo gpg --homedir /etc/pacman.d/gnupg --refresh-keys

did fetch changes to bretts key (fully valid now, no longer expired, but trust is unkown), as for @nightmare-2021 and @mithrial helmuts key stays expired – I’ll check back tomorrow to see if the situation changed somehow.

1 Like

From the link in my previous post, you can see the “live” status of the key. Pacman will fetch from this linked source, so unless this specific user publishes a new key there, packages signed by this user with the old key won’t work.

In order to fix this, you must not refresh the keys manually. Apparently, the user locally changed the key to expire on Aug. 2 and published this expiration date change to the keyserver.

Remove the /etc/pacman.d/gnupg folder and follow the instructions in the Wiki: Pacman troubleshooting - Manjaro to start new.

After I reset the keys, I was able to install today’s testing updates which was not possible before.

1 Like

pacman -Syu fails with:

signature from "Brett Cornwall <brett@i--b.com>" is unknown trust

pacman-key -l Brett   
pub   ed25519 2018-10-03 [SC] [verfallen: 2021-08-02]
  BE2DBCF2B1E3E588AC325AEAA06B49470F8E620A
uid        [ verfallen ] Brett Cornwall <brett@i--b.com>

The keys are updated doing this:

rm -rf /etc/pacman.d/gnupg
pacman-key --init
pacman-key --populate archlinux manjaro

On my system are infected …

  • cherrytree
  • chrono-date
  • spdlog
  • waybar
1 Like

I have this problem too. I went and upgraded my system using the --ignore switch for pacman (pacman -Syu --ignore [comma seperated list]) to ignore cherrytree and some other packages including linux510. List is below. Now I can’t install or run those packages. I’m going to try rebooting now because I still see files for my kernel in /boot. Not sure if I did something rash, I just wanted to install a package (libaacs) and I felt blocked.

SNIP
(6/6) checking package integrity                   [##################] 100%
error: cherrytree: signature from "Brett Cornwall <brett@i--b.com>" is unknown trust
:: File /var/cache/pacman/pkg/cherrytree-0.99.39-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: libxnvctrl: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" is unknown trust
:: File /var/cache/pacman/pkg/libxnvctrl-470.57.02-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: linux510: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" is unknown trust
:: File /var/cache/pacman/pkg/linux510-5.10.53-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: linux54: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" is unknown trust
:: File /var/cache/pacman/pkg/linux54-5.4.135-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: snapd: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" is unknown trust
:: File /var/cache/pacman/pkg/snapd-2.51.3-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: xapp: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" is unknown trust
:: File /var/cache/pacman/pkg/xapp-2.2.3-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.
# uname -r
5.4.134-1-MANJARO

Well you’re lucky. I have core packages from Helmet not installable or upgradable anymore.

error: linux54: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" 

^^^ I need this package and I can boot into Manjaro with it still but this seems a little serious. Anybody else have this problem? Also I couldn’t get cherrytree to run at all now it bombs with an error so removed it.

Can you please try the post above yours as that seems to provide a solution and feed back, please? (cc @sombunall )

If that works for both of you, then we can mark that one as a solution…

:crossed_fingers:

Hi All, I am having the same issue with the 428F7ECC7117F726, key. I’ve tried the steps listed on the wiki link above.

The second step fails due to the keys not being initialized.

I’ve skipped it and ran the other steps to reinitialize the keys which pulls the expired key again. the new keys are signed by the expired key so I’m unable to install them as well.

I am having similar issues and have tried the solution suggested in the above post by @mithrial which has failed. Specifically:

Step 2 - Reinstalling keyrings including the latest keys failed with:

warning: Public keyring not found; have you run ‘pacman-key --init’?
downloading required keys…
error: keyring is not writable
error: keyring is not writable
error: keyring is not writable
error: required key missing from keyring
error: failed to commit transaction (unexpected error)
Errors occurred, no packages were upgraded.

Therefore I ran

pacman-key -init

as suggested (which is step 3 in the trouble shooting guide)

Ran Step 2 again with the errors such as:

error: gnupg: signature from “Levente Polyak anthraxx@archlinux.org” is unknown trust
:: File /var/cache/pacman/pkg/gnupg-2.2.29-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]

Completed the remaining steps in the trouble shooting guide but issues remain and unable to upgrade.

I hope I’ve provided sufficient information in an appropriate format.

Thanks in advance

The problem is refreshing all keys. Brett’s key is good and published in a good state, so you could and should update his key. Helmut’s key, however, is not valid on the keyserver but only from the repos keyring package.

Yikes, I tried that and the other workarounds suggested in this thread (aside from the date hacking – that just seemed a bridge too far) and nothing has worked for me, Helmut and Brett’s keys are still of unknown trust.

Not sure I’ve seen the keyring this busted since signing came to Arch…

1 Like

I just updated the archlinux-keyring package also on stable branch. All the packages by Helmut should have replaced signatures from our Build-Server. Simply delete Helmut’s signatures from /var/cache/pacman/pkg and redownload the replacements.

1 Like

Thanks @philm, it’s still not working for me but I think I just need to wait for the package to propagate to my mirror… Looks like the US mirrors are all partially out of date at the moment (from https://repo.manjaro.org/):

I tried:

sudo rm -rf /var/cache/pacman/pkg/
sudo pacman -Syy archlinux-keyring  # this got me to 20210616-1
sudo pacman -Syu

Does that look about right?

1 Like

You may want to switch to mirrors.manjaro.org/repo which is our global network of mirrors updating every 15 mins.

1 Like

Okay, my mirror is up-to-date now. I pulled in archlinux-keyring-20210802-1 but I’m still seeing signature failures from Helmut’s key:

sudo pacman -Syu
:: Synchronizing package databases...
[...]
(221/221) checking keys in keyring                                                                                                               [########################################################################################] 100%
(221/221) checking package integrity                                                                                                             [########################################################################################] 100%
error: nvidia-utils: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" is unknown trust
:: File /var/cache/pacman/pkg/nvidia-utils-470.57.02-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: pacman: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" is unknown trust
:: File /var/cache/pacman/pkg/pacman-6.0.0-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
[...]
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.

I also tried refreshing just Helmut’s key but I’m getting errors:

sudo pacman-key --refresh-keys helmut.stult@schinfo.de
gpg: error retrieving 'helmut.stult@schinfo.de' via WKD: General error
gpg: error reading key: General error
gpg: error retrieving 'helmut@manjaro.org' via WKD: No data
gpg: error reading key: No data
gpg: error retrieving 'helmut@schinfo-home.de' via WKD: General error
gpg: error reading key: General error
gpg: refreshing 1 key from hkps://keyserver.ubuntu.com
gpg: key CEE477135C5872B0: "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Full command history:

sudo rm -rf /var/cache/pacman/pkg/
sudo pacman -Syy archlinux-keyring
sudo pacman -Syu
sudo pacman-key --refresh-keys helmut.stult@schinfo.de
sudo pacman -Syu

Am I missing a step here or is Helmut’s key actually hosed?

As @phil mentioned above, Helmut’s key was replaced by the Manjaro Build Server key.

See Pacman troubleshooting - Manjaro


Posts have been removed dealing with bad practices.

1 Like

Yeah I tried those steps before… Just tried them again now, still no luck, not sure what I’m missing… Here’s my full command history:

sudo rm -rf /etc/pacman.d/gnupg
sudo pacman -Syy gnupg archlinux-keyring manjaro-keyring  # fails due to Helmut's key
sudo pacman -Syy gnupg archlinux-keyring  # succeeds
sudo pacman-key --init
sudo pacman-key --populate archlinux manjaro
sudo pacman-key --refresh-keys
sudo pacman -Syu  # fails due to Helmut's key

Can someone who has this working please post the commands you used?