Maintainer pgp keys expired

mcoz · 6 August 2021 00:10

I am also still having issues.

I have followed the steps suggested above, ie - See Pacman troubleshooting - Manjaro

I am getting errors importing keys for:

Levente Polyak
Christian Hesse
Helmut Stult

sombunall · 6 August 2021 00:28

Same problem here too like 3 last posters.

Yochanan · 6 August 2021 00:33

Clears thout loudly

That means delete the corresponding .sig files for packages signed by Helmut.

mgalgs · 6 August 2021 00:52

Vague instructions get vague results, no need to get snarky…

As I mentioned above, I also tried trashing /var/cache/pacman/pkg entirely, which would have obviously taken care of that.

The commands from the Pacman troubleshoot wiki page don’t seem to work at all. Step (2) on that page seems out of order (it fails since there’s no keyring since we just deleted it in step (1)). If you ran Step (2) after init, populate, and refresh under normal circumstances I would expect it to work, but right now it’s still failing due to Helmut’s key.

@Yochanan can you please confirm that this exact command sequence works on your system? If it doesn’t work, can you please share the command sequence you used to get around this problem.

sudo rm -rf /var/cache/pacman/pkg
sudo rm -r /etc/pacman.d/gnupg
sudo pacman -Sy gnupg archlinux-keyring manjaro-keyring  # fails due to missing gpg directory
sudo pacman-key --init
sudo pacman -Sy gnupg archlinux-keyring manjaro-keyring  # fails due to helmut's key
sudo pacman -Sy gnupg archlinux-keyring  # succeeds
sudo pacman-key --populate archlinux manjaro
sudo pacman-key --refresh-keys
sudo pacman -Sy gnupg archlinux-keyring manjaro-keyring  # still fails due to helmut's key

Evernow · 6 August 2021 01:13

Before that, I would run this command to get the mirrors that are updated the fastest

sudo pacman-mirrors --fasttrack && sudo pacman -Syyu

tomterl · 6 August 2021 05:31

This fixed the situation on my machine (no explicit key refresh! as suggested above by @mithrial , and I had removed problematic sigs/archives from /var/cache/pacman/pkg in previous attempts to rectify the situation)

sudo rm -r /etc/pacman.d/gnupg
sudo pacman-key --init
sudo pacman-key --populate manjaro
sudo pacman-key --populate archlinux
sudo pacman -Syvv manjaro-keyring  # just to test for key-problems, as this would fail

After that, I used pamac (gui) to update everything - the machine is up to date now. Helmuts key is valid and not expired on my machine (expires never!), that’s why I think not to refresh the keys manually is important for now – once the situation is cleared up, normal procedures apply (see below)

mcoz · 6 August 2021 09:56

Thanks @tomterl for posting this - my issues are also now solved. As you indicated the important missing part of the puzzle was NOT to refresh keys (even though it is indicated in the Pacman troubleshooting steps)

mithrial · 6 August 2021 10:16

Generally speaking, refreshing the keys is encouraged.

Assume, a maintainer accidentally publishes their private key. Usually, then, the key is revoked.
But how does your system know that it is revoked? It doesn’t without refreshing. Anyone with access to this hypothetical private key could now sign any package and your system would happily install them.

In this instance, the user (Helmut) changed the validity of their key to an already gone date and published it to the keyserver. If you refresh, your local copy of this key is updated and every time it is accessed, it’ll error out because the key is not valid anymore. You can still reproduce this issue if you refresh this user’s key from the keyserver.

It works for the other user (Brett) because your local copy of the key has expired and they published a new one with a validity date.

jrd · 6 August 2021 13:32

Thanks all of you for this thread. I managed to make it work AND understand the problem.

So this situation is still temporary until Helmut publish a valid key on the keyservers, right ?

Also what about modifying the order of the troubleshooting commands in the wiki ?

sombunall · 6 August 2021 16:28

Works! Just have to put sudo rm -r /etc/pacman.d/gnupg instead.

Fabby · 6 August 2021 18:00

I’ve marked this answer as the solution to your question as it is by far the best answer you’ll get.

However, if you disagree with my choice, please feel free to take any other answer as the solution to your question or even remove the solution altogether: You are in control! (If you disagree with my choice, just send me a personal message and explain why I shouldn’t have done this or or if you agree)

P.S. In the future, please don’t forget to come back and click the 3 dots below the answer to mark a solution like this below the answer that helped you most:

so that the next person that has the exact same problem you just had will benefit from your post as well as your question will now be in the “solved” status.

frau-nein-gekocht · 10 August 2021 15:34

great, this worked for me as well. Thanks! Quick question - you say you are upgrading via pamac, I remember having read somewhere here (while r/o) that this was the preferred method (above pacman -Syuu). Does it do anything else, that pacman does not? I could not find anything on that on the Pamac wiki page. Any pointers to documentation gladly taken, in case I missed something. Dank ju wel!

EDIT: I just realized this is probably off-topic. sorry.
EDITEDIT: @Fabby yes, I saw sawdoctor and thanked by but did not answer not to pollute the thread. wrong? sorry again. trying to get to grips with the forum etiquette

sawdoctor · 10 August 2021 16:24

The main difference or me at least is pamac will update aur packages as well. There have been times the team have recommended pamac upgrade as it automatically fixed some dependency errors

Fabby · 11 August 2021 21:13

4 posts were split to a new topic: How to install Manjaro from an ISO with outdatek keys

dano · 12 August 2021 21:10

I tried to follow the guideline of @tomterl:

But get some errors:

sudo pacman-key --populate manjaro

...

gpg: error reading key: Kein öffentlicher Schlüssel
  -> Disabled 3 keys.

and

sudo pacman -Syvv manjaro-keyring
...
gpg: error reading key: Kein öffentlicher Schlüssel
gpg: error reading key: Kein öffentlicher Schlüssel
  -> Disabled 2 keys.

In consequence I cannot update with pamac:

...
Fehler: vlc: signature from "Antonio Rojas <arojas@archlinux.org>" is unknown trust
Fehler: vulkan-intel: signature from "Felix Yan <felixonmars@archlinux.org>" is unknown trust
Fehler: vulkan-radeon: signature from "Felix Yan <felixonmars@archlinux.org>" is unknown trust
Fehler: xf86-video-amdgpu: signature from "Andreas Radke <andyrtr@archlinux.org>" is unknown trust
Vorgang konnte nicht abgeschlossen werden:
Ungültiges oder beschädigtes Paket:

Can someone help?

dano · 14 August 2021 10:57

Finally I followed this post,

https://unix.stackexchange.com/questions/518432/manjaro-update-fails-signature-is-unknown-trust

but I am not sure if changing “SigLevel = Never” in “/etc/pacman.conf” is smart. At least the upgrade worked, but can I trust it? Can someone give me a clue?

mithrial · 14 August 2021 12:22

That solution is literally the same one as the solution from this thread: Maintainer pgp keys expired - #43 by tomterl

Of course, without the totally insecure allowing of all signatures. Theoretically, all your packages could now be compromised because your mirror (or any malicious actor in-between) could send you modified packages without you noticing because you allowed all signatures.

dano · 14 August 2021 12:59

OK, thanks! I see, that was rather dumb…

Can I resume somehow safely, without re-installing from scratch?

Fabby · 14 August 2021 17:26

Yes!

No one else can answer that question for you as we don’t know your technical expertise, so:

If you’re ~~a bumbling idiot~~ a technical Luddite: No!
If you follow above instructions: Yes!

system · 29 August 2021 17:27

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.