Signature from "Antonio Rojas <arojas@archlinux.org>" is invalid


#1

Hi folks,

recently I got stuck on update.

sudo pacman -Syyu always stops when checking package integrity with the error message signature from "Antonio Rojas <arojas@archlinux.org>" is invalid.

I already followed the steps to update my package signing keys:
sudo pacman -Sy archlinux-keyring manjaro-keyring
sudo pacman-key --populate archlinux manjaro
sudo pacman-key --refresh-keys

Since this didn’t helped I took these steps several times:

My system time is correct and gets update via ntp. I even deleted the key of Antonio Rojas with sudo pacman-key -d 9D74DF6F91B7BDABD5815CA84AC5588F941C2A25. As expected, the next try to update discovered the missing key, and asked to download it.

(187/187) checking keys in keyring [################################################] 100%
downloading required keys...
:: Import PGP key 4096R/9D74DF6F91B7BDABD5815CA84AC5588F941C2A25, "Antonio Rojas <arojas@us.es>", created: 2014-10-21? [Y/n] y
(187/187) checking package integrity [################################################] 100%
error: oxygen-icons: signature from "Antonio Rojas <arojas@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/oxygen-icons-1:5.40.0-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]

I’m at a loss now. The key seems to be correct and valid. I also cleared pacmans cache, in case the package wasn’t downloaded correct or something. Any ideas anyone?


#2

Different key?


#3

Okay. Try checking the sig file from oxygen-icons-1:5.40.0-1-any.pkg.tar.xz we need to see if that file was signed by antonio rojas

Install that package as the usual. When on that prompt, press N to deny removing. Then run :

gpg /var/cache/pacman/pkg/oxygen-icons-1:5.40.0-1-any.pkg.tar.xz.sig

and paste the result

Same key :

~/.../artix/world >>> pacman-key --list-keys antonio roja
sgpg: Note: trustdb not writable
pub   rsa4096 2014-10-21 [SC]
      9D74DF6F91B7BDABD5815CA84AC5588F941C2A25
uid           [  full  ] Antonio Rojas <arojas@archlinux.org>
uid           [  full  ] Antonio Rojas <arojas@us.es>
uid           [  full  ] Antonio Rojas <nqn1976@gmail.com>
uid           [  full  ] Antonio Rojas <nqn76sw@gmail.com>
sub   rsa2048 2014-11-07 [S]
sub   rsa2048 2014-11-07 [E]

#4

Just realized pacman doesn’t download the sig as well. So I went on checking the sig file using mirror from http://manjaro.melbourneitmirror.net/ (from stable branch)

gpg oxygen-icons-1_5.40.0-1-any.pkg.tar.xz.sig
gpg: Signature made Sat 11 Nov 2017 07:47:50 PM WITA
gpg:                using RSA key 1519D5ABA65BF6FC2B73C7567A4E76095D8A52E4
gpg: Good signature from "Antonio Rojas <arojas@archlinux.org>"
gpg:                 aka "Antonio Rojas <arojas@us.es>"
gpg:                 aka "Antonio Rojas <nqn1976@gmail.com>"
gpg:                 aka "Antonio Rojas <nqn76sw@gmail.com>"
Primary key fingerprint: 9D74 DF6F 91B7 BDAB D581  5CA8 4AC5 588F 941C 2A25
     Subkey fingerprint: 1519 D5AB A65B F6FC 2B73  C756 7A4E 7609 5D8A 52E4

So the package was indeed was signed by antonio rojas itself in good state and I manage to install it just fine. Please check if the key was properly configured and your time is properly corrected :

Check the key was signed properly :

pacman-key --list-keys rojas

If it’s not refresh that key :

sudo pacman-key --refresh-keys rojas

And make sure the time was set correctly
You can try by running ntpd -qg run as root, then run hwclock -w as root

https://wiki.archlinux.org/index.php/Pacman#Signature_from_.22User_.3Cemail.40archlinux.org.3E.22_is_invalid.2C_installation_failed


#5

Thanks for your effort.

As you said, the sig seems not to be there:

sudo gpg /var/cache/pacman/pkg/oxygen-icons-1:5.40.0-1-any.pkg.tar.xz.sig
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: can't open '/var/cache/pacman/pkg/oxygen-icons-1:5.40.0-1-any.pkg.tar.xz.sig'

Rojas Key seems to be good:

sudo pacman-key --list-keys rojas
pub   rsa4096 2014-10-21 [SC]
  9D74DF6F91B7BDABD5815CA84AC5588F941C2A25
uid           [  full  ] Antonio Rojas <arojas@archlinux.org>
uid           [  full  ] Antonio Rojas <arojas@us.es>
uid           [  full  ] Antonio Rojas <nqn1976@gmail.com>
uid           [  full  ] Antonio Rojas <nqn76sw@gmail.com>
sub   rsa2048 2014-11-07 [S]
sub   rsa2048 2014-11-07 [E]

Nevertheless, I tried to update it:

sudo pacman-key --refresh-keys rojas
gpg: refreshing 1 key from hkp://pool.sks-keyservers.net
gpg: key 4AC5588F941C2A25: "Antonio Rojas <arojas@archlinux.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Now, the ntpd command produced something weird:

sudo ntpd -qg
25 Nov 15:08:24 ntpd[6146]: ntpd 4.2.8p10@1.3728-o Mon Apr 24 18:57:17 UTC 2017 (1): Starting
25 Nov 15:08:24 ntpd[6146]: Command line: ntpd -qg
25 Nov 15:08:24 ntpd[6146]: proto: precision = 0.165 usec (-22)
25 Nov 15:08:24 ntpd[6146]: unable to bind to wildcard address :: - another process may be running - EXITING

It tells me something from a time yesterday, 24th april. Don’t know what this means. But hwclock is sure, that everything is fine and tells the exact time at that moment:

sudo hwclock -r
2017-11-25 15:11:34.468132+0100

hwclock -w produces no output.

So now, any more ideas? I really don’t want to install any packages without signature test.


closed #6

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.