Corrupted package during install

Hello,
I am currently trying to install Manjaro via Architect with KDE Minimal. But I will always get an error message while downloading all packages that package “confuse 3.3-2” is corrupted.


downloading lib32-libcanberra-pulse-0.30+2+gc0620e4-3-x86_64.pkg.tar.zst…
checking keyring…
checking package integrity…
error: confuse: signature from “Baptiste Jonglez <baptiste@bitsofnetworks.org>” is marginal trust
:: File /mnt/var/cache/pacman/pkg/confuse-3.3-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] error: failed to commit transaction (invalid or corrupted package)

Errors occurred, no packages were upgraded.
==> ERROR: Failed to install packages to new root

I have tried to only use mirrors near me or all mirrors which are normally included.
Other packages are downloaded without any problems.

I tried everything from the forum search (updating the keyring, etc.), but this did not solve anything. Is it possible that the package is currently really corrupted? How can I solve this?

Edit:
Solved it by editing /etc/pacman.conf
#SigLevel = Required DatabaseOptional
SigLevel = Optional TrustAll

But this does not feel like a good solution. Your ideas are still welcome.

Thanks

After the install, I have tried to reinstall “confuse” and I will still get the same error.
“pamac reinstall confuse”

The system is fully up to date. Other software does not show any problems with installing or updating.

I’m facing the exact same issue, and, like you, I’d prefer a different solution than to trust all. So, here’s hoping that someone can come up with a proper solution :)

To add to what you already wrote: I tried refreshing the pacman keys in architect, and that didn’t solve it, unfortunately.

I also tried to follow the post here: Issues with "signature is marginal trust" or "invalid or corrupted package" - Frequently Asked Questions - Manjaro Linux Forum - but that didn’t resolve it either.

Great that I am not alone with this. It lowers the chance that this is completely my fault ^^

Issue is still ongoing. I have updated everything like in the URL mentioned in the post before, but during reinstall I will get the same error.

Is it possible that there is really a problem with the key of that developer?

No, it does not seem like a good solution. It’s an insecure workaround. No feelings involved. ;)

Nope. His current key doesn’t expire until 2022.

I just installed confuse 3.3-2 just fine.

With the same package?

yes, same package and also installing from architect. My iso was manjaro-kde-20.2-201207-linux59.iso

Can I provide other information?
[EDIT: I’ll do another run and save the logfile]

Seems Architect doesn’t update keyrings …

Well, I think I tried to do that manually, based on the post I linked to earlier, but I’ll try again tomorrow. Or doesn’t that post describe what Architect should be doing?

I just tried that, and after a lengthy download and it failing again, I quit and asked for the log to be copied. The logfile was said to be copied to /mnt/somethingsomething, but it’s nowhere to be found, so that too I’ll try again tomorrow.

Have tried to update keys, before installing, both in architect and from terminal while running and not running architect.
I have tried the following commands:

sudo pacman-key --init
sudo pacman-key --populate archlinux manjaro

sudo pacman-key --refresh-keys

Not automatically but it does have an option for it. But that doesn’t seem to help for some reason.

Hey guys,

I saw this error too.

Here is how I resolved it without trusting all pkgs.

Do a:
pacman-key -l

that will give you a list of keys on your machine.

Search through the terminal using the search button for ‘Baptiste’ (the person whose key is throwing errors)

Copy the long key that is there:
pub   rsa4096 2015-02-08 [SC] [expires: 2022-05-18]
      BFA1ECFEF1524EE4099CDE971F0CD4921ECAA030
uid           [ full ] Baptiste Jonglez <baptiste@bitsofnetworks.org>
uid           [ full ] Baptiste Jonglez <baptiste@jonglez.org>
sub   rsa4096 2015-02-08 [E] [expires: 2022-05-18]
sub   rsa4096 2015-02-08 [S] [expires: 2022-05-18]

Copy the long ass key.

And then simply do:
pacman-key --lsign-key *keyid(the one you copied)*

Here are the docs for ref:
Arch Docs: Adding unofficial keys

Then, Install your Desktop through Manjaro-Architect again and you should be good to go.

PS - It signs the key locally and sets the trust for that person to full.

3 Likes
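
The check a practitioner would want before the local-signing step in the post above, as an added example that is not part of the original post: confirm that the key in pacman's keyring carries the fingerprint you verified through an independent channel, and only then emit the `pacman-key --lsign-key` command. It parses `gpg --list-keys --with-colons` output; the function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): inspect a packager key before local-signing it.
# Reads `gpg --list-keys --with-colons` output on stdin:
#   field 1 = record type, field 2 = validity, field 10 = fingerprint / user ID.

# Print "FINGERPRINT VALIDITY" for every user ID that contains NAME.
key_status() {
  awk -F: -v who="$1" '
    $1 == "pub"         { fpr = ""; want = 1 }     # a new primary key starts
    $1 == "fpr" && want { fpr = $10; want = 0 }    # ignore subkey fingerprints
    $1 == "uid" && index($10, who) { print fpr, ($2 == "" ? "-" : $2) }'
}

# usage: check_before_lsign NAME EXPECTED_FINGERPRINT < listing
# Exit 2: no such key. Exit 1: fingerprint differs from the one verified out of
# band. Exit 0: prints the lsign command only if validity is below full.
check_before_lsign() {
  key_status "$1" | awk -v expected="$2" '
    BEGIN { gsub(/ /, "", expected); expected = toupper(expected) }
    { seen = 1 }
    toupper($1) != expected { bad = 1 }
    $2 != "f" && $2 != "u"  { needs = 1 }
    END {
      if (!seen) exit 2
      if (bad)   exit 1
      if (needs) print "pacman-key --lsign-key " expected
    }'
}

# Constructed sample listing: fingerprint and key ID are the ones quoted in the
# thread; timestamps and the uid hash are placeholders.
sample_listing() {
  cat <<'EOF'
pub:m:4096:1:1F0CD4921ECAA030:1423353600:1652832000::-:::scESC:
fpr:::::::::BFA1ECFEF1524EE4099CDE971F0CD4921ECAA030:
uid:m::::1423353600::0000000000000000000000000000000000000000::Baptiste Jonglez <baptiste@bitsofnetworks.org>:
uid:m::::1423353600::0000000000000000000000000000000000000000::Baptiste Jonglez <baptiste@jonglez.org>:
sub:m:4096:1:0000000000000000:1423353600:1652832000:::::e:
EOF
}

# On a live system (as root), feed it the real keyring instead:
#   gpg --homedir /etc/pacman.d/gnupg --list-keys --with-colons
sample_listing | check_before_lsign "Baptiste Jonglez" \
  "BFA1ECFEF1524EE4099CDE971F0CD4921ECAA030"
```

The expected fingerprint should come from somewhere other than the keyring being checked, for example the packager's published key page.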

When I try to install the full Xfce version with Architect, after downloading the packages and checking conflicts it shows a message that the signature from Baptiste Jonglez is bad (PGP). After this message the installation is cancelled.

I was having the exact error with a fresh architect install. I executed your steps and I was then able to install. Thanks for sharing :D

Strangely, I had used the same iso to install a few days earlier (on 24th December I think) and did not have this issue.

Whilst that would allow me to install, I think that too is not really resolving the issue. It is still bypassing the normal trustchain, I believe, which I think is undesirable. Then again, so is not being able to install :)

However, I think it’s better for me to wait until it is addressed somewhere in the provided key(chain) or the related packages.

Just a side note to make it easy to find, when searching for it in the terminal:
pacman-key -l | grep -EC3 "Baptiste Jonglez"

1 Like

How insecure is it when I download only the “confuse” package with “SigLevel = Optional TrustAll” during install? In the installed system the SigLevel is back to normal.

What is the worst that could happen? Malware in this exact package?

sudo pacman-key --refresh-keys
...
gpg: key 1F0CD4921ECAA030: "Baptiste Jonglez <baptiste@bitsofnetworks.org>" 2 signatures cleaned
pacman-key -l | grep -EC3 "Baptiste Jonglez"
gpg: Note: trustdb not writable

pub   rsa4096 2015-02-08 [SC] [expires: 2022-05-18]
      BFA1ECFEF1524EE4099CDE971F0CD4921ECAA030
uid           [marginal] Baptiste Jonglez <baptiste@bitsofnetworks.org>
uid           [marginal] Baptiste Jonglez <baptiste@jonglez.org>
sub   rsa4096 2015-02-08 [E] [expires: 2022-05-18]
sub   rsa4096 2015-02-08 [S] [expires: 2022-05-18]

This error is currently stopping me from doing a fresh installation on my computer.

Can I provide other information that might help solving this?

As a temporary workaround, it’s fine. Leaving it that way is not.

Warning: The SigLevel TrustAll option exists for debugging purposes and makes it very easy to trust keys that have not been verified. You should use TrustedOnly for all official repositories.

https://wiki.archlinux.org/index.php/Pacman/Package_signing

Not sure yet. Perhaps @Chrysostomus could fill in here when he has time.
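
One way to confirm that a system is not left on the workaround discussed above, as an added example that is not from the thread: read a pacman.conf on stdin and report, per section, the effective package check and trust setting. It assumes pacman's built-in default is `Optional TrustedOnly` and that a repository's `SigLevel` starts from the `[options]` value; the function names and the sample config are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): flag weak package-signature settings.
# Output per SigLevel line: SECTION CHECK TRUST VERDICT

audit_siglevel() {
  awk '
    BEGIN { ocheck = "Optional"; otrust = "TrustedOnly" }  # assumed built-in default
    /^[ \t]*#/  { next }                                   # commented-out lines do not count
    /^[ \t]*\[/ { gsub(/[ \t]/, ""); section = substr($0, 2, length($0) - 2); next }
    /^[ \t]*SigLevel[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")                             # keep only the value
      check = ocheck; trust = otrust                       # inherit, then override
      n = split($0, tok, /[ \t]+/)
      for (i = 1; i <= n; i++) {                           # later tokens win
        t = tok[i]
        if (t ~ /^Database/) continue                      # database-only setting
        sub(/^Package/, "", t)
        if (t == "Never" || t == "Optional" || t == "Required") check = t
        if (t == "TrustAll" || t == "TrustedOnly") trust = t
      }
      if (section == "options") { ocheck = check; otrust = trust }
      print section, check, trust, (check == "Required" && trust == "TrustedOnly" ? "ok" : "WEAK")
    }'
}

# Constructed sample: the two [options] lines are the ones quoted in the thread,
# the repository sections are illustrative.
sample_weak_conf() {
  cat <<'EOF'
[options]
#SigLevel = Required DatabaseOptional
SigLevel = Optional TrustAll

[core]
Include = /etc/pacman.d/mirrorlist

[extra]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
EOF
}

# On a live system: audit_siglevel < /etc/pacman.conf
sample_weak_conf | audit_siglevel
```

Sections without their own `SigLevel` line, such as `[core]` in the sample, are not printed because they take the `[options]` result unchanged.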

What’s the current date/time on your machine?
Just type date in the terminal.

Tested now on virtualbox. Cannot reproduce the issue. My guess is that you were using the manjaro-architect iso, which is two releases behind the rest of the isos, because it has not been rebuilt for some reason. Just use a more recent iso like gnome or kde, and the problem should go away. Manjaro-architect is included on all isos, and it is much more pleasant to use on a desktop system anyway.

@oberon, I think it would be a good idea to rebuild manjaro-architect iso, even without testing, when a new set of official isos is made. It would avoid unnecessary issues like this. Or if we set up build automation for isos at some point, let’s include manjaro-architect with it?

1 Like

I had the error with the KDE image, as stated above. I’ll try again tomorrow, both in VM and on real hardware.