Pacman-mirrors-5.3-1 is corrupted

Support System Updates
1

I just attempted a system update, and it failed with this error:

:: Proceed with installation? [Y/n]
:: Retrieving packages…
pacman-mirrors-5.3-1-any 218.4 KiB 4.96 MiB/s 00:00 [#####################################################] 100%
(941/941) checking keys in keyring [#####################################################] 100%
(941/941) checking package integrity [#####################################################] 100%
error: pacman-mirrors: signature from “Frede Hundewadt fh@manjaro.org” is unknown trust
:: File /var/cache/pacman/pkg/pacman-mirrors-5.3-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.

I wasn’t doing anything squirrely, it was just a routine update.

I attempted the following:

ls -l /var/cache/pacman/pkg/pacman-mirrors-5.3-1-any.pkg.tar.zst

File does not exist

touch /var/cache/pacman/pkg/pacman-mirrors-5.3-1-any.pkg.tar.zst

sudo pacman -Syyu

Same result, except it deleted the “corrupted” 5.3.1 like it does every time, even though it doesn’t exist

$ ls -ld /var/lib/pacman/local/pacman-mirrors-*
drwxr-xr-x 2 root root 4096 Oct 13 21:55 /var/lib/pacman/local/pacman-mirrors-5.1-1

sudo pacman-mirrors --fasttrack

Did not fix anything

sudo pacman -Syyu

Same result as -Syu

sudo pacman -Scc

wants to remove ALL files from the cache, seems extreme so have not done this yet. Especially if my current mirrors file is good and the replacement is bad, I don’t want to blow away my one good file.

sudo pacman-mirrors -c Global

sudo pacman -Syu

No change

From what I can tell, it is downloading pacman-mirrors-5.3-1-any and getting a corrupted package from the repository, and is unable to continue. Is it possible to tell it NOT to download that package? Like, use the old mirrors package (which has been find up till now, and is actually what it’s using to do this update)

What to do? Wait a few weeks and hope its been fixed and try again?

Thanks in advance for any advice

2

The problem must be at your end, because I updated my system a few hours ago, and everything went fine. However, I also updated my mirror list before I ran the update — which one should always do when there is a bundled update.

The problem is most likely caused by the fact that one of the mirrors in your existing mirror list hadn’t (fully) sync’ed yet. If you still have one or several older pacman-mirrors versions in your /var/cache/pacman/pkg/, then I would recommend restoring that package from there… :backhand_index_pointing_down:

sudo pacman -U /var/cache/pacman/pkg/pacman-mirrors-{old-version-here}

… and then refresh your mirrors with that package… :backhand_index_pointing_down:

sudo pacman-mirrors -f

… and run the update process again… :backhand_index_pointing_down:

sudo pacman -Fy && sudo pacman -Syu

Another possibility, if you no longer have an older pacman-mirrors package in your cache, is to use manjaro-downgrade — if you don’t have it on your system, it’s in the repository — and to then repeat the steps of refreshing your mirror list and updating your system.

Lastly, see if this helps… :backhand_index_pointing_down:

3

First, please post code in a code tag (the 3 ticks on a new line or the </> button).

You can check your mirrors with just typing pacman-mirrors - if the first line has green ok it should be ok.

And another theory to test after that:

It has probably been a while (like more than 3 months) since your last update. The way i see it, you either have to reinstall the latest package keys offline, or temporary disable verification.

1 Like
4

It is an either or message. The package is not corrupted - but for unknown reasons your system does not have the manjaro-keyring that was updated early October.

The answer to your problem is to do

Either

sudo pacman-key --recv-keys fh@manjaro.org
sudo pacman-key --lsign-key fh@manjaro.org

Or

sudo pacman -S manjaro-keyring
sudo pacman-key --populate manjaro

Then rerun the update.

pacman-key reference

 $ pacman-key -f fh@manjaro.org
gpg: Note: trustdb not writable
pub   rsa4096 2017-05-30 [SC] [expires: 2026-08-21]
      *** This key has been disabled
      04BB 537F 5BC2 D399 BFA7  2F8F 17C7 52B6 1B2F 2E90
uid           [  full  ] Frede Hundewadt <fh@manjaro.org>

pub   ed25519 2024-04-25 [SCA]
      11DE F506 FD67 0B95 80A8  BEFF 6F12 0DAE C909 FAD7
uid           [  full  ] Frede Hundewadt <fh@manjaro.org>
sub   cv25519 2024-04-25 [E]

gpg reference

 $ gpg --finger fh@manjaro.org
pub   ed25519/0x6F120DAEC909FAD7 2024-04-25 [SCA]
      Key fingerprint = 11DE F506 FD67 0B95 80A8  BEFF 6F12 0DAE C909 FAD7
uid                   [ultimate] Frede Hundewadt <fh@manjaro.org>
sub   cv25519/0xDBBBB3C4C139A140 2024-04-25 [E]
sub   ed25519/0x9CEF1D38B506C62E 2025-12-31 [A] [expires: 2028-12-30]

pub   rsa4096/0x17C752B61B2F2E90 2017-05-30 [SC] [expires: 2026-08-21]
      *** This key has been disabled
      Key fingerprint = 04BB 537F 5BC2 D399 BFA7  2F8F 17C7 52B6 1B2F 2E90
uid                   [ unknown] Frede Hundewadt <fh@manjaro.org>
7 Likes
5

I also had this same error on a newly installed system, but i would assume it’s just old installation media.

After installation a simple system update failed…

thanks for the helpful commands!

6

Okay I tried the steps posted by Aragorn. I already have a working mirrors 5.1.1, so skipped the first step but did the second two. Same result, it attempts to download mirrors 5.3.1 and fails on verification.

Also followed the steps in the link provided but that did not resolve the issue.

Either’s solution, to update the pacman-keys resolved the issue for me. All up to date now. Thanks!

1 Like
7

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.