Can you please try the post above yours as that seems to provide a solution and feed back, please? (cc @sombunall )
If that works for both of you, then we can mark that one as a solution…
Can you please try the post above yours as that seems to provide a solution and feed back, please? (cc @sombunall )
If that works for both of you, then we can mark that one as a solution…
Hi All, I am having the same issue with the 428F7ECC7117F726, key. I’ve tried the steps listed on the wiki link above.
The second step fails due to the keys not being initialized.
I’ve skipped it and ran the other steps to reinitialize the keys which pulls the expired key again. the new keys are signed by the expired key so I’m unable to install them as well.
I am having similar issues and have tried the solution suggested in the above post by @mithrial which has failed. Specifically:
Step 2 - Reinstalling keyrings including the latest keys failed with:
warning: Public keyring not found; have you run ‘pacman-key --init’?
downloading required keys…
error: keyring is not writable
error: keyring is not writable
error: keyring is not writable
error: required key missing from keyring
error: failed to commit transaction (unexpected error)
Errors occurred, no packages were upgraded.
Therefore I ran
pacman-key -init
as suggested (which is step 3 in the trouble shooting guide)
Ran Step 2 again with the errors such as:
error: gnupg: signature from “Levente Polyak anthraxx@archlinux.org” is unknown trust
:: File /var/cache/pacman/pkg/gnupg-2.2.29-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
Completed the remaining steps in the trouble shooting guide but issues remain and unable to upgrade.
I hope I’ve provided sufficient information in an appropriate format.
Thanks in advance
The problem is refreshing all keys. Brett’s key is good and published in a good state, so you could and should update his key. Helmut’s key, however, is not valid on the keyserver but only from the repos keyring package.
Yikes, I tried that and the other workarounds suggested in this thread (aside from the date hacking – that just seemed a bridge too far) and nothing has worked for me, Helmut and Brett’s keys are still of unknown trust.
Not sure I’ve seen the keyring this busted since signing came to Arch…
I just updated the archlinux-keyring package also on stable branch. All the packages by Helmut should have replaced signatures from our Build-Server. Simply delete Helmut’s signatures from /var/cache/pacman/pkg and redownload the replacements.
Thanks @philm, it’s still not working for me but I think I just need to wait for the package to propagate to my mirror… Looks like the US mirrors are all partially out of date at the moment (from https://repo.manjaro.org/):
I tried:
sudo rm -rf /var/cache/pacman/pkg/
sudo pacman -Syy archlinux-keyring # this got me to 20210616-1
sudo pacman -Syu
Does that look about right?
You may want to switch to mirrors.manjaro.org/repo which is our global network of mirrors updating every 15 mins.
Okay, my mirror is up-to-date now. I pulled in archlinux-keyring-20210802-1
but I’m still seeing signature failures from Helmut’s key:
sudo pacman -Syu
:: Synchronizing package databases...
[...]
(221/221) checking keys in keyring [########################################################################################] 100%
(221/221) checking package integrity [########################################################################################] 100%
error: nvidia-utils: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" is unknown trust
:: File /var/cache/pacman/pkg/nvidia-utils-470.57.02-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: pacman: signature from "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" is unknown trust
:: File /var/cache/pacman/pkg/pacman-6.0.0-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
[...]
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.
I also tried refreshing just Helmut’s key but I’m getting errors:
sudo pacman-key --refresh-keys helmut.stult@schinfo.de
gpg: error retrieving 'helmut.stult@schinfo.de' via WKD: General error
gpg: error reading key: General error
gpg: error retrieving 'helmut@manjaro.org' via WKD: No data
gpg: error reading key: No data
gpg: error retrieving 'helmut@schinfo-home.de' via WKD: General error
gpg: error reading key: General error
gpg: refreshing 1 key from hkps://keyserver.ubuntu.com
gpg: key CEE477135C5872B0: "Helmut Stult (schinfo) <helmut.stult@schinfo.de>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
Full command history:
sudo rm -rf /var/cache/pacman/pkg/
sudo pacman -Syy archlinux-keyring
sudo pacman -Syu
sudo pacman-key --refresh-keys helmut.stult@schinfo.de
sudo pacman -Syu
Am I missing a step here or is Helmut’s key actually hosed?
As @phil mentioned above, Helmut’s key was replaced by the Manjaro Build Server key.
See Pacman troubleshooting - Manjaro
Posts have been removed dealing with bad practices.
Yeah I tried those steps before… Just tried them again now, still no luck, not sure what I’m missing… Here’s my full command history:
sudo rm -rf /etc/pacman.d/gnupg
sudo pacman -Syy gnupg archlinux-keyring manjaro-keyring # fails due to Helmut's key
sudo pacman -Syy gnupg archlinux-keyring # succeeds
sudo pacman-key --init
sudo pacman-key --populate archlinux manjaro
sudo pacman-key --refresh-keys
sudo pacman -Syu # fails due to Helmut's key
Can someone who has this working please post the commands you used?
As I am also having the same issue and all the steps above didn’t work for me, I also want to ask what I could do to be able to update my system again.
I tried the removing (from pkg /etc/pacman.d/gnupg), reinstalling, repopulating and reinitalisating of the keys. I removed the zst file from the cache but that also didn’t help.
You (Yochanan) said, that the key has been replaced by the Manjaro Build Server key. Do you mean that there is a new one for Helmut? (How to get that one?) Or are the packages now signed by another user? (Then how to get pacman to use that one?)
I am also still having issues.
I have followed the steps suggested above, ie - See Pacman troubleshooting - Manjaro
I am getting errors importing keys for:
Same problem here too like 3 last posters.
Clears thout loudly
That means delete the corresponding .sig
files for packages signed by Helmut.
Vague instructions get vague results, no need to get snarky…
As I mentioned above, I also tried trashing /var/cache/pacman/pkg
entirely, which would have obviously taken care of that.
The commands from the Pacman troubleshoot wiki page don’t seem to work at all. Step (2) on that page seems out of order (it fails since there’s no keyring since we just deleted it in step (1)). If you ran Step (2) after init, populate, and refresh under normal circumstances I would expect it to work, but right now it’s still failing due to Helmut’s key.
@Yochanan can you please confirm that this exact command sequence works on your system? If it doesn’t work, can you please share the command sequence you used to get around this problem.
sudo rm -rf /var/cache/pacman/pkg
sudo rm -r /etc/pacman.d/gnupg
sudo pacman -Sy gnupg archlinux-keyring manjaro-keyring # fails due to missing gpg directory
sudo pacman-key --init
sudo pacman -Sy gnupg archlinux-keyring manjaro-keyring # fails due to helmut's key
sudo pacman -Sy gnupg archlinux-keyring # succeeds
sudo pacman-key --populate archlinux manjaro
sudo pacman-key --refresh-keys
sudo pacman -Sy gnupg archlinux-keyring manjaro-keyring # still fails due to helmut's key
Before that, I would run this command to get the mirrors that are updated the fastest
sudo pacman-mirrors --fasttrack && sudo pacman -Syyu
This fixed the situation on my machine (no explicit key refresh! as suggested above by @mithrial , and I had removed problematic sigs/archives from /var/cache/pacman/pkg in previous attempts to rectify the situation)
sudo rm -r /etc/pacman.d/gnupg
sudo pacman-key --init
sudo pacman-key --populate manjaro
sudo pacman-key --populate archlinux
sudo pacman -Syvv manjaro-keyring # just to test for key-problems, as this would fail
After that, I used pamac (gui) to update everything - the machine is up to date now. Helmuts key is valid and not expired on my machine (expires never!), that’s why I think not to refresh the keys manually is important for now – once the situation is cleared up, normal procedures apply (see below)
Thanks @tomterl for posting this - my issues are also now solved. As you indicated the important missing part of the puzzle was NOT to refresh keys (even though it is indicated in the Pacman troubleshooting steps)
Generally speaking, refreshing the keys is encouraged.
Assume, a maintainer accidentally publishes their private key. Usually, then, the key is revoked.
But how does your system know that it is revoked? It doesn’t without refreshing. Anyone with access to this hypothetical private key could now sign any package and your system would happily install them.
In this instance, the user (Helmut) changed the validity of their key to an already gone date and published it to the keyserver. If you refresh, your local copy of this key is updated and every time it is accessed, it’ll error out because the key is not valid anymore. You can still reproduce this issue if you refresh this user’s key from the keyserver.
It works for the other user (Brett) because your local copy of the key has expired and they published a new one with a validity date.