Hello,
I am currently trying to install Manjaro via Architect with KDE Minimal. But I will always get an error message while downloading all packages that package “confuse 3.3-2” is corrupted.
…
downloading lib32-libcanberra-pulse-0.30+2+gc0620e4-3-x86_64.pkg.tar.zst…
checking keyring…
checking package integrity…
error: confuse: signature from “Baptiste Jonglez baptiste@bitsofnetworks.org” is marginal trust
:: File /mnt/var/cache/pacman/pkg/confuse-3.3-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.
==> ERROR: Failed to install packages to new root
I have tried to only use mirrors near me or all mirrors which are normally included.
Other packages are downloaded with any problems.
I tried everything from the forum search. update keyring etc. but this had not solved anything. Is it possible that the package is currently really corrupted? How can I solve this?
Edit:
Solved it by editing /etc/pacman.conf #SigLevel = Required DatabaseOptional
SigLevel = Optional TrustAll
But this does not feel like a good solution. Your ideas are still welcome.
I’m facing the exact same issue, and, like you, I’d prefer a different solution than to trust all. So, here’s hoping that someone can come up with a proper solution
To add to what you already wrote: I tried refreshing the pacman keys in architect, and that didn’t solve it, unfortunately.
Well, I think I tried to do that manually, based on the post I linked to earlier, but I’ll try again tomorrow. Or doesn’t that post describe what Architect should be doing?
I just tried that, and after a lengthy download and it failling again, I quit, asked for the log to be copied, the logfile was said to be copied to /mnt/somethingsomething, but it’s nowhere to be found, so that too I’ll try again tomorrow.
Have tried to update keys, before installing, both in architect and from terminal while running and not running architect.
I have tried the following commands:
Here is how I resolved it without trusting all pkgs.
Do a: pacman-key -l
that will give you a list of keys on your machine.
Search through the terminal using the search button for ‘Baptiste’(the person who’s key is throwing errors)
Copy the long key that is there: pub rsa4096 2015-02-08 [SC] [expires: 2022-05-18] BFA1ECFEF1524EE4099CDE971F0CD4921ECAA030 uid [ full ] Baptiste Jonglez <baptiste@bitsofnetworks.org> uid [ full ] Baptiste Jonglez <baptiste@jonglez.org> sub rsa4096 2015-02-08 [E] [expires: 2022-05-18] sub rsa4096 2015-02-08 [S] [expires: 2022-05-18]
Copy the long ass key.
And then simply do: pacman-key --lsign-key *keyid(the one you copied)*
When I try to install xfce full version by Architect, after download packages and check conflicts show message that signature from Baptiste Jonglez is bad (PGP). After this communicate installation has been cancel.
Whilst that would allow me to install, I think that too is not really resolving the issue. It is still bypassing the normal trustchain, I believe, which I think is undesirable. Then again, so is not being able to install
However, I think its better for me to wait until it is addressed somewhere in the provided key(chain) or the related packages.
How insecure is it when I download only “confuse” package with “SigLevel = Optional TrustAll” during install. In the installed system the SigLevel is back to normal.
What is the worst what that could happen? Malware in this exact package?
As a temporary workaround, it’s fine. Leaving it that way is not.
Warning: The SigLevel TrustAll option exists for debugging purposes and makes it very easy to trust keys that have not been verified. You should use TrustedOnly for all official repositories.
Tested now on virtualbox. Cannot reproduce the issue. My guess is that you were using the manjaro-architect iso, which is two releases behind the rest of the isos, because it has not been rebuilt for some reason. Just use a more recent iso like gnome or kde, and the problem should go away. Manjaro-architect is included on all isos, and it is much more pleasant to use on a desktop system anyway.
@oberon, I think it would be a good idea to rebuild manjaro-architect iso, even without testing, when a new of official isos is made. It would avoid unnecessary issues like this. Or if we setup build automation for isos at some point, let’s include manjaro-architect with it?