I decided to re-install Manjaro with the KDE version. I had been using Xfce. The installation went ok. I then decided to update Manjaro using the command above. This seemed to proceed just fine, but after downloading 600 packages I was then told I had a corrupted GPG signature and the update was abandoned. I tried a 2nd time, on this occasion telling pacman to delete the offending GPG sig when offered, and the same thing happened again.
But here’s the thing. I decided to update via the pamac GUI instead as a last try before investigating this further. As it turned out the whole update proceeded without further ado, and I’m happily updated. So why did the pacman command fail, which I’ve used countless times before when updating?
If you installed from an older ISO, its keyring files may be outdated. In this case, it is best to upgrade archlinux-keyring and manjaro-keyring before upgrading any other packages.
Yes, but if one does not refresh one’s mirrors before running a bundled update, then some of the mirrors in the local list may still be in the process of syncing, and then you can run into this sort of problem. And in this case, the lagging mirror(s) had apparently finished syncing by the third attempt.
The clue is of course to always refresh one’s mirror list before applying a bundled update.
The core problem is the corrupt/outdated Arch Linux Keyring (so likely an older ISO). Generally, when I boot an ISO, I’d download a fresh one to install.
Corrupt GPG signatures => archlinux-keyring package… you installed a KDE version with a snapshot of the archlinux-keyring from that release date.
pacman is superb, but it’s also a very basic “do exactly as you’re told” - It’s a SHARP tool, not a fuzzy one…
Then your second attempt --delete says ‘ignore the signature and delete the file’; but the next package is signed with another key you don’t have…
pamac is a more sophisticated manager with a bit of extra logic and convenience; so it often handles your keyring updates as a separate, automatic step.
So pamac likely sees the keyring issue and updates archlinux-keyring first, which is signed with a master key, so your system still trusts that.
Then with a new set of keys, it updates your other stuff with no signature errors.
Only when there’s an issue with the keyring. pacman normally updates the keyring for you, but if there’s an issue then it’s up to you to sort it out.
However it is recommended as a preventative if you haven’t updated in a while.
Upgrading the system regularly via pacman#Upgrading packages prevents most signing errors. If delay is unavoidable and system upgrade gets delayed for an extended period, manually sync the package database and upgrade the archlinux-keyring package before system upgrade.
Well, I tried a fresh install again using the same ISO for KDE Plasma 6.3.6, and when finished applied the command sudo pacman -Sy archlinux-keyring. This seemed to update/add new keyrings, but when I ran sudo pacman -Suy, again it downloaded all 680 updates, but then aborted with: File /var/cache/pacman/pkg/pacman-mirrors-5.3-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)), so same issue as before.
However running pamac update again prevented any signature issues. The process for checking key integrity under pamac showed as: