PGP error in upgrade "invalid or corrupted package (PGP signature)"

mirto · 15 February 2026 13:27

Hi all,
I’m trying to upgrade a VM after a log time and I got this error

[mirto@manjaro ~]$ LANG=C sudo pacman -Syu
[sudo] password for mirto: 
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 multilib is up to date
:: Starting full system upgrade...
:: Replace linux617 with core/linux-meta? [Y/n] 
:: Replace vi with extra/ex-vi-compat? [Y/n] 
resolving dependencies...
looking for conflicting packages...
warning: dependency cycle detected:
warning: python-soupsieve will be installed before its python-beautifulsoup4 dependency
warning: dependency cycle detected:
warning: xdg-desktop-portal-kde will be installed before its plasma-workspace dependency
warning: dependency cycle detected:
warning: mhwd-nvidia will be installed before its mhwd-db dependency
warning: dependency cycle detected:
warning: python-poetry-plugin-export will be installed before its python-poetry dependency

Packages (824) alsa-card-profiles-1:1.4.10-1  alsa-lib-1.2.15.3-2  alsa-ucm-conf-1.2.15.3-1  alsa-utils-1.2.15.2-1  amd-ucode-20260110-1  aom-3.13.1-2  apache-orc-2.2.2-1  appstream-1.1.2-1  appstream-glib-0.8.3-3
               appstream-qt-1.1.2-1  archlinux-appstream-data-20260107-1  archlinux-keyring-20260107-2.0  ark-25.12.1-1  arrow-23.0.0-1  at-spi2-core-2.58.3-1  attica-6.22.0-1  audiocd-kio-25.12.1-1  audit-4.1.2-2
               aurorae-6.5.5-1  autoconf-archive-1:2024.10.16-4  avahi-1:0.9rc3-1  aws-c-auth-0.9.5-1  aws-c-compression-0.3.2-1  aws-c-event-stream-0.5.9-1  aws-c-http-0.10.9-1  aws-c-io-0.25.0-1  aws-c-s3-0.11.4-1
               aws-checksums-0.2.8-1  aws-crt-cpp-0.37.0-1  aws-sdk-cpp-core-1.11.725-1  aws-sdk-cpp-iam-1.11.725-1  aws-sdk-cpp-s3-1.11.725-1  baloo-6.22.0-1  baloo-widgets-25.12.1-1  bash-5.3.9-1
               binutils-2.45.1+r35+g12d0a1dbc1b9-1  bluedevil-1:6.5.5-1  blueprint-compiler-0.18.0-2  bluez-qt-6.22.0-1  boost-libs-1.89.0-4  breeze-6.5.5-1  breeze-gtk-6.5.5-1  breeze-icons-6.22.0-1
               breeze5-6.5.5-1  brotli-1.2.0-1  btop-1.4.6-1  btrfs-progs-6.17.1-2  ca-certificates-mozilla-3.120-1  cantarell-fonts-1:0.311-1  capstone-5.0.6-2  chromium-144.0.7559.132-1  clang-21.1.6-3

…

              vulkan-mesa-implicit-layers-1:25.3.4-1  vulkan-radeon-1:25.3.4-1  vulkan-tools-1.4.335.0-1  wavpack-5.9.0-1  webkit2gtk-2.50.4-1  webkit2gtk-4.1-2.50.4-1  webkitgtk-6.0-2.50.4-1  weston-14.0.2-3
               wireplumber-0.5.13-1  wpa_supplicant-2:2.11-5  xapp-3.2.2-1  xapp-symbolic-icons-1.0.9-0.1  xcb-proto-1.17.0-4  xdg-desktop-portal-kde-6.5.5-1  xfsprogs-6.18.0-1  xorg-xauth-1.1.5-1
               xorg-xkill-1.0.7-1  xorgproto-2025.1-1  xterm-406-1  xz-5.8.2-1  yakuake-25.12.1-1  yt-dlp-2026.01.29-1  yt-dlp-ejs-0.4.0-1  zbar-0.23.93-5

Total Download Size:      0,22 MiB
Total Installed Size:  8963,57 MiB
Net Upgrade Size:        62,07 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 libvpl-2.16.0-1-x86_64                                                                               227,5 KiB  5,42 MiB/s 00:00 [###############################################################################] 100%
(822/822) checking keys in keyring                                                                                                [###############################################################################] 100%
(822/822) checking package integrity                                                                                              [###############################################################################] 100%
error: libvpl: signature from "Daniel Bermond <dbermond@archlinux.org>" is marginal trust
:: File /var/cache/pacman/pkg/libvpl-2.16.0-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.
[mirto@manjaro ~]$

I tried what suggested in another post:

[mirto@manjaro ~]$ LANG=C sudo pacman-key --recv-keys dbermond@archlinux.org
[sudo] password for mirto: 
gpg: key 019A7474297D8577: "Daniel Bermond <danielbermond@gmail.com>" not changed
gpg: key E85B8683EB48BC95: "Daniel Bermond <dbermond@archlinux.org>" not changed
gpg: key 019A7474297D8577: "Daniel Bermond <danielbermond@gmail.com>" not changed
gpg: key E85B8683EB48BC95: "Daniel Bermond <dbermond@archlinux.org>" not changed
gpg: Total number processed: 4
gpg:              unchanged: 4
pub   rsa2048 2016-06-27 [SC]
      3FFA6AB7B69AAE6CCA263DDE019A7474297D8577
uid           [  full  ] Daniel Bermond <danielbermond@gmail.com>
uid           [  full  ] Daniel Bermond <dbermond@archlinux.org>
sub   rsa2048 2016-06-27 [E]

[mirto@manjaro ~]$ LANG=C sudo pacman-key --lsign-key dbermond@archlinux.org
  -> Locally signed 1 key.
==> Updating trust database...
gpg: next trustdb check due at 2026-03-13
[mirto@manjaro ~]$

I also tried

[mirto@manjaro ~]$ LANG=C sudo pacman -S manjaro-keyring
warning: manjaro-keyring-20251003-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) manjaro-keyring-20251003-1

Total Installed Size:  0,09 MiB
Net Upgrade Size:      0,00 MiB

:: Proceed with installation? [Y/n] 
(1/1) checking keys in keyring                                                                                                    [###############################################################################] 100%
(1/1) checking package integrity                                                                                                  [###############################################################################] 100%
(1/1) loading package files                                                                                                       [###############################################################################] 100%
(1/1) checking for file conflicts                                                                                                 [###############################################################################] 100%
(1/1) checking available disk space                                                                                               [###############################################################################] 100%
:: Running pre-transaction hooks...
(1/1) Creating Timeshift snapshot before upgrade...
==> skipping timeshift-autosnap due skipRsyncAutosnap in /etc/timeshift-autosnap.conf set to TRUE.
:: Processing package changes...
(1/1) reinstalling manjaro-keyring                                                                                                [###############################################################################] 100%
==> Appending keys from manjaro.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signed 2 keys.
==> Importing owner trust values...
==> Updating trust database...
gpg: next trustdb check due at 2026-03-13
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...
[mirto@manjaro ~]$ LANG=C sudo pacman-key --populate manjaro
==> Appending keys from manjaro.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signed 2 keys.
==> Importing owner trust values...
==> Updating trust database...
gpg: next trustdb check due at 2026-03-13
[mirto@manjaro ~]$

Still I receive the same error.

What else can I try?

Aragorn · 15 February 2026 13:31

Updating the Manjaro keyring isn’t really going to do much good when the signature at fault is that of an Arch packager.

Try updating archlinux-keyring instead. You will need -Suu, because the keyring needs to be downgraded.

mirto · 15 February 2026 13:49

Maybe I misunderstood your instructions.

I tried

[mirto@manjaro ~]$ LANG=C sudo pacman -S archlinux-keyring
resolving dependencies...
looking for conflicting packages...

Packages (1) archlinux-keyring-20260107-2.0

Total Installed Size:  1,70 MiB
Net Upgrade Size:      0,01 MiB

:: Proceed with installation? [Y/n] 
(1/1) checking keys in keyring                                                                                                    [###############################################################################] 100%
(1/1) checking package integrity                                                                                                  [###############################################################################] 100%
(1/1) loading package files                                                                                                       [###############################################################################] 100%
(1/1) checking for file conflicts                                                                                                 [###############################################################################] 100%
(1/1) checking available disk space                                                                                               [###############################################################################] 100%
:: Running pre-transaction hooks...
(1/1) Creating Timeshift snapshot before upgrade...
==> skipping timeshift-autosnap due skipRsyncAutosnap in /etc/timeshift-autosnap.conf set to TRUE.
:: Processing package changes...
(1/1) upgrading archlinux-keyring                                                                                                 [###############################################################################] 100%
==> Appending keys from archlinux.gpg...
==> Updating trust database...
gpg: next trustdb check due at 2026-03-13
:: Running post-transaction hooks...
(1/3) Reloading system manager configuration...
(2/3) Restarting marked services...
(3/3) Arming ConditionNeedsUpdate...
[mirto@manjaro ~]$ LANG=C sudo pacman-key --populate  archlinux
==> Appending keys from archlinux.gpg...
==> Updating trust database...
gpg: next trustdb check due at 2026-03-13
[mirto@manjaro ~]$

Then I upgraded with

[mirto@manjaro ~]$ LANG=C sudo pacman -Suu
:: Starting full system upgrade...
:: Replace linux617 with core/linux-meta? [Y/n] 
:: Replace vi with extra/ex-vi-compat? [Y/n] 
resolving dependencies...
looking for conflicting packages...
warning: dependency cycle detected:
warning: python-soupsieve will be installed before its python-beautifulsoup4 dependency
warning: dependency cycle detected:
warning: xdg-desktop-portal-kde will be installed before its plasma-workspace dependency
warning: dependency cycle detected:
warning: mhwd-nvidia will be installed before its mhwd-db dependency
warning: dependency cycle detected:
warning: python-poetry-plugin-export will be installed before its python-poetry dependency

Packages (823) alsa-card-profiles-1:1.4.10-1  alsa-lib-1.2.15.3-2  alsa-ucm-conf-1.2.15.3-1  alsa-utils-1.2.15.2-1  amd-ucode-20260110-1  aom-3.13.1-2  apache-orc-2.2.2-1  appstream-1.1.2-1  appstream-glib-0.8.3-3
               appstream-qt-1.1.2-1  archlinux-appstream-data-20260107-1  ark-25.12.1-1  arrow-23.0.0-1  at-spi2-core-2.58.3-1  attica-6.22.0-1  audiocd-kio-25.12.1-1  audit-4.1.2-2  aurorae-6.5.5-1
               autoconf-archive-1:2024.10.16-4  avahi-1:0.9rc3-1  aws-c-auth-0.9.5-1  aws-c-compression-0.3.2-1  aws-c-event-stream-0.5.9-1  aws-c-http-0.10.9-1  aws-c-io-0.25.0-1  aws-c-s3-0.11.4-1

…

               v4l2loopback-dkms-0.15.3-1  vapoursynth-73-2  vi-1:070224-6 [removal]  vim-9.1.2077-1  vim-runtime-9.1.2077-1  virt-install-5.1.0-3  virt-manager-5.1.0-3  virtualbox-guest-utils-7.2.6-1
               vivaldi-7.8.3925.66-1  vivaldi-ffmpeg-codecs-144.0.7559.175-1  volume_key-0.3.12-12  vte-common-0.82.3-1  vte3-0.82.3-1  vulkan-headers-1:1.4.335.0-2  vulkan-icd-loader-1.4.335.0-1
               vulkan-mesa-implicit-layers-1:25.3.4-1  vulkan-radeon-1:25.3.4-1  vulkan-tools-1.4.335.0-1  wavpack-5.9.0-1  webkit2gtk-2.50.4-1  webkit2gtk-4.1-2.50.4-1  webkitgtk-6.0-2.50.4-1  weston-14.0.2-3
               wireplumber-0.5.13-1  wpa_supplicant-2:2.11-5  xapp-3.2.2-1  xapp-symbolic-icons-1.0.9-0.1  xcb-proto-1.17.0-4  xdg-desktop-portal-kde-6.5.5-1  xfsprogs-6.18.0-1  xorg-xauth-1.1.5-1
               xorg-xkill-1.0.7-1  xorgproto-2025.1-1  xterm-406-1  xz-5.8.2-1  yakuake-25.12.1-1  yt-dlp-2026.01.29-1  yt-dlp-ejs-0.4.0-1  zbar-0.23.93-5

Total Download Size:      0,22 MiB
Total Installed Size:  8961,87 MiB
Net Upgrade Size:        62,06 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 libvpl-2.16.0-1-x86_64                                                                               227,5 KiB  2,29 MiB/s 00:00 [###############################################################################] 100%
(821/821) checking keys in keyring                                                                                                [###############################################################################] 100%
(821/821) checking package integrity                                                                                              [###############################################################################] 100%
error: libvpl: signature from "Daniel Bermond <dbermond@archlinux.org>" is marginal trust
:: File /var/cache/pacman/pkg/libvpl-2.16.0-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.
[mirto@manjaro ~]$

I got the same error

What I’m doing wrong?

Aragorn · 15 February 2026 13:51

This.

Try…

sudo pacman -Sy && sudo pacman -S archlinux-keyring

mirto · 15 February 2026 13:54

Tried. No luck

[mirto@manjaro ~]$ LANG=C sudo pacman -Suu archlinux-keyring
[sudo] password for mirto: 
warning: archlinux-keyring-20260107-2.0 is up to date -- reinstalling
:: Starting full system upgrade...
:: Replace linux617 with core/linux-meta? [Y/n] 
:: Replace vi with extra/ex-vi-compat? [Y/n] 
resolving dependencies...
looking for conflicting packages...
warning: dependency cycle detected:
warning: python-soupsieve will be installed before its python-beautifulsoup4 dependency
warning: dependency cycle detected:
warning: xdg-desktop-portal-kde will be installed before its plasma-workspace dependency
warning: dependency cycle detected:
warning: mhwd-nvidia will be installed before its mhwd-db dependency
warning: dependency cycle detected:
warning: python-poetry-plugin-export will be installed before its python-poetry dependency

Packages (824) alsa-card-profiles-1:1.4.10-1  alsa-lib-1.2.15.3-2  alsa-ucm-conf-1.2.15.3-1  alsa-utils-1.2.15.2-1  amd-ucode-20260110-1  aom-3.13.1-2  apache-orc-2.2.2-1  appstream-1.1.2-1  appstream-glib-0.8.3-3
               appstream-qt-1.1.2-1  archlinux-appstream-data-20260107-1  ark-25.12.1-1  arrow-23.0.0-1  at-spi2-core-2.58.3-1  attica-6.22.0-1  audiocd-kio-25.12.1-1  audit-4.1.2-2  aurorae-6.5.5-1
               autoconf-archive-1:2024.10.16-4  avahi-1:0.9rc3-1  aws-c-auth-0.9.5-1  aws-c-compression-0.3.2-1  aws-c-event-stream-0.5.9-1  aws-c-http-0.10.9-1  aws-c-io-0.25.0-1  aws-c-s3-0.11.4-1
               aws-checksums-0.2.8-1  aws-crt-cpp-0.37.0-1  aws-sdk-cpp-core-1.11.725-1  aws-sdk-cpp-iam-1.11.725-1  aws-sdk-cpp-s3-1.11.725-1  baloo-6.22.0-1  baloo-widgets-25.12.1-1  bash-5.3.9-1
               binutils-2.45.1+r35+g12d0a1dbc1b9-1  bluedevil-1:6.5.5-1  blueprint-compiler-0.18.0-2  bluez-qt-6.22.0-1  boost-libs-1.89.0-4  breeze-6.5.5-1  breeze-gtk-6.5.5-1  breeze-icons-6.22.0-1

…

               vivaldi-7.8.3925.66-1  vivaldi-ffmpeg-codecs-144.0.7559.175-1  volume_key-0.3.12-12  vte-common-0.82.3-1  vte3-0.82.3-1  vulkan-headers-1:1.4.335.0-2  vulkan-icd-loader-1.4.335.0-1
               vulkan-mesa-implicit-layers-1:25.3.4-1  vulkan-radeon-1:25.3.4-1  vulkan-tools-1.4.335.0-1  wavpack-5.9.0-1  webkit2gtk-2.50.4-1  webkit2gtk-4.1-2.50.4-1  webkitgtk-6.0-2.50.4-1  weston-14.0.2-3
               wireplumber-0.5.13-1  wpa_supplicant-2:2.11-5  xapp-3.2.2-1  xapp-symbolic-icons-1.0.9-0.1  xcb-proto-1.17.0-4  xdg-desktop-portal-kde-6.5.5-1  xfsprogs-6.18.0-1  xorg-xauth-1.1.5-1
               xorg-xkill-1.0.7-1  xorgproto-2025.1-1  xterm-406-1  xz-5.8.2-1  yakuake-25.12.1-1  yt-dlp-2026.01.29-1  yt-dlp-ejs-0.4.0-1  zbar-0.23.93-5  archlinux-keyring-20260107-2.0

Total Download Size:      0,22 MiB
Total Installed Size:  8963,57 MiB
Net Upgrade Size:        62,06 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 libvpl-2.16.0-1-x86_64                                                                               227,5 KiB  1711 KiB/s 00:00 [###############################################################################] 100%
(822/822) checking keys in keyring                                                                                                [###############################################################################] 100%
(822/822) checking package integrity                                                                                              [###############################################################################] 100%
error: libvpl: signature from "Daniel Bermond <dbermond@archlinux.org>" is marginal trust
:: File /var/cache/pacman/pkg/libvpl-2.16.0-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.
[mirto@manjaro ~]$

Is a reboot needed?

Teo · 15 February 2026 13:54

He already installed the right keyring (from January).
Maybe cleaning the cach is due, so that the packages are redownloaded?

mirto · 15 February 2026 13:56

I’ll try and report here

Aragorn · 15 February 2026 13:57

No, the issue with the keyrings only occurred a few days ago, and @Yochanan downgraded archlinux-keyring in the repos.

No, that’s not necessary.

Worst case scenario, I would try this…

anon33601770 · 15 February 2026 14:03

Or look here - looks very similar and was resolved:

Marginal Trust invalid or corrupt package Error while updating manjaro - #13 by Char

system · 18 February 2026 14:03

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.