Unable to update manjaro due to corrupt or PGP trust issues

I am somewhat new to Manjaro. Used Ubuntu for a while but then switched to Linux Mint and been using it for years on many computers. One thing I don't like about Mint is that every now and then you have to upgrade from say 18.3 to 19.0 or something and sometimes that does break things. I like that Manjaro remains stable and in theory all you have to do is update it every now and then (no major version upgrades). So I have been trying Manjaro (XFCE 64) and also recommended it to some of my friends who also liked it.

However, I have one virtual instance of Manjaro, which was completely clean, and I did not turn it on for like six plus months maybe. and when I did, it detected a number of updates, started downloading them etc. However, it failed to install any updates, saying that some of the files are corrupt or the pgp signature is not trusted. It removed and downloaded the files, same error.

It took me some Googling and going through about half a dozen pages trying various commands before finally getting the update working again (it is now on 18.0.4). If you google it, this does not seem to be an uncommon problem and there is no single clear post about what to do when this happens. Resolving this was not trivial and unsettling, especially since it was a clean machine, default install, no extra or external software added!

Here is one example:


(cant recall which one finally worked).
And there are many similar pages!

Now Linux Mint is not perfect, I have had a few "broken package" issues where you have to run the synaptic package manager to fix them.

But is this something that periodically happens with Manjaro? Updates are linked to package maintainers and if just one of them forgets to renew their PGP signatures and you dont update frequently enough, then updates get broken this way? So if you dont update frequently enough, you have this happen? I am just trying to understand it, because I can tell you the other people to whom I am recommending Linux are not going to be able to fix this and it would turn me off Manjaro for sure as well.

Any thoughts?

1 Like

Manjaro is a rolling release distro and you should do regular updates and not wait 6 months. However, there is a FAQ section and an entry about your exact problem:

AUR package fails to verify PGP/GPG key: “unknown public key”, “One or more PGP signatures could not be verified!”

Frequently Asked Questions

faq

You can find a lot of discussions on the internet about pro and cons of a rolling release. My advice would be, think about what requirements you have and choose your distro accordingly. If not updating for several weeks or months is one of the requirements, I would not recommend any rolling distro.

4 Likes

Yes. You have to keep packages updated. If not you'll have to jump through hoops, just as if you installed Ubuntu 10.04 and tried to do-release-upgrade up to 19.04.

The specific FAQ thread is here and the solution is actually pretty trivial:

This topic has also been discussed several times on both Manjaro and Arch forums. Rolling-release distros are only suitable for people who want to keep their system up-to-date. You can't have both cutting-edge software versions and maintain software version stability at the same time.

2 Likes

There is no option to automatically update manjaro is there (other than scheduling a cron job)? I think Linux Mint 19 added such an option in their update GUI tool.

It would be nice if the advice in that post could be made part of the update tool, so that if it fails it can point you at such a page? Because otherwise, there are lots of other pages with complex instructions some of which do not always work so well.

Correct, and for good reason. Manjaro is not a "fire-and-forget" OS.

That's why there is a #faq section on the forum as well as wiki.manjaro.org and wiki.archlinux.org