Why do I need to update my "package signing keys"?


#1

There is a message at the top of the forum alerting users that they might be having some issues.

I’ve had a clean install of Manjaro for almost a year now and have been updating promptly whenever they’ve been available. I’m just curious then how can I possibly have “corrupted” my install to have warnings of invalid or corrupted packages?

Is it something that I did incorrectly?

Or if this is a form of “aging” the distro experiences, surely it should be fixed?

I seem to run into this problem at least once a month for the past 5 or so months…and it really is kind of annoying.

If it's something I’m doing wrong, can someone please explain it to me so I avoid doing it?


#2

https://wiki.archlinux.org/index.php/Pacman/Package_signing


#3

Right, absolutely, but the question is why do I need to reauthenticate them? Shouldn’t they have been set by default when I installed the OS?


#4

If the source of your installation is 3 days old, and in those 3 days there were a few GnuPG keys revoked or renewed, during the update of your system those will be modified/updated/rewritten …


#5

Oh ok…then shouldn’t there be a script that runs by default and does the following commands whenever you update your system:

sudo pacman -Sy archlinux-keyring manjaro-keyring
sudo pacman-key --populate archlinux manjaro
sudo pacman-key --refresh-keys

That just seems to make sense to me


#6

On my end I never had to manually update the keys because the update process did it for me … Always :slight_smile:


#7

This should happen automatically as part of an update, if the arch or manjaro keyring package has changed.

In a small snapshot from my pacman log you can see this happens fairly regularly.

[2018-01-10] [ALPM] upgraded archlinux-keyring (20171213-1 -> 20180108-1)
[2018-01-10] [ALPM-SCRIPTLET] ==> Locally signing trusted keys in keyring...
[2018-01-10] [ALPM-SCRIPTLET] ==> Disabling revoked keys in keyring...
...
[2018-03-08] [ALPM] upgraded archlinux-keyring (20180108-1 -> 20180302-1)
[2018-03-08] [ALPM-SCRIPTLET] ==> Locally signing trusted keys in keyring...
[2018-03-08] [ALPM-SCRIPTLET] ==> Disabling revoked keys in keyring...
...
[2018-03-23] [ALPM] upgraded archlinux-keyring (20180302-1 -> 20180322-1)
[2018-03-23] [ALPM-SCRIPTLET] ==> Locally signing trusted keys in keyring...
[2018-03-23] [ALPM-SCRIPTLET] ==> Disabling revoked keys in keyring...
...
[2018-04-07] [ALPM] upgraded archlinux-keyring (20180322-1 -> 20180404-1)
[2018-04-07] [ALPM-SCRIPTLET] ==> Locally signing trusted keys in keyring...
[2018-04-07] [ALPM-SCRIPTLET] ==> Disabling revoked keys in keyring...
...
[2018-04-17] [ALPM] upgraded manjaro-keyring (20171027-1 -> 20171027-2)
[2018-04-17] [ALPM-SCRIPTLET] ==> Locally signing trusted keys in keyring...
[2018-04-17] [ALPM-SCRIPTLET] ==> Disabling revoked keys in keyring...
...

FWIW I always updated from the console, never using a GUI tool like Octopi or Pamac.

Are your packages updating but not being applied? Check your own pacman log to confirm …

cat /var/log/pacman.log | grep keyring
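
As an added example (not code from the thread), this script goes one step beyond the grep above: it parses the log for keyring package installs/upgrades in the format quoted in the post and checks that the post-install scriptlet lines followed each one. It assumes the timestamp is a single bracketed token, as in the quoted lines; the sample log and the package name "some-package" are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): scan a pacman log for keyring package
# installs/upgrades and confirm the post-install scriptlet (local signing of
# trusted keys, disabling of revoked keys) followed each one, as in post #7.
# Constructed sample log in the same layout as the lines quoted in the thread;
# the manjaro-keyring entry deliberately lacks its "Disabling revoked keys" line.
SAMPLE_LOG='[2018-01-10] [ALPM] upgraded archlinux-keyring (20171213-1 -> 20180108-1)
[2018-01-10] [ALPM-SCRIPTLET] ==> Locally signing trusted keys in keyring...
[2018-01-10] [ALPM-SCRIPTLET] ==> Disabling revoked keys in keyring...
[2018-03-08] [ALPM] upgraded some-package (1.0-1 -> 1.0-2)
[2018-04-17] [ALPM] upgraded manjaro-keyring (20171027-1 -> 20171027-2)
[2018-04-17] [ALPM-SCRIPTLET] ==> Locally signing trusted keys in keyring...'

# Read a pacman log on stdin; print "DATE PACKAGE NEWVERSION scriptlet=ok|MISSING"
# for every install or upgrade of a *-keyring package (timestamp = one token).
keyring_events() {
    awk '
    function flush() {
        if (pkg != "")
            print date, pkg, ver, ((signed && revoked) ? "scriptlet=ok" : "scriptlet=MISSING")
        pkg = ""; signed = 0; revoked = 0
    }
    /\[ALPM\] (installed|upgraded) [a-z]+-keyring / {
        flush(); date = $1; pkg = $4; ver = $NF; sub(/\)$/, "", ver); next
    }
    /\[ALPM-SCRIPTLET\]/ {
        if ($0 ~ /Locally signing trusted keys/) signed = 1
        if ($0 ~ /Disabling revoked keys/)      revoked = 1
        next
    }
    { flush() }     # any other log line ends the current keyring block
    END { flush() }
    '
}

# Newest version of one keyring package recorded in the log (empty if never seen).
latest_keyring_version() {   # usage: latest_keyring_version PKG < pacman.log
    keyring_events | awk -v p="$1" '$2 == p { v = $3 } END { print v }'
}

# Succeeds (exit 0) only if every keyring update was followed by its scriptlet.
keyrings_consistent() {      # usage: keyrings_consistent < pacman.log
    ! keyring_events | grep -q 'scriptlet=MISSING'
}
# Stand-alone run: the constructed sample first, then the real log if readable.
printf '%s\n' "$SAMPLE_LOG" | keyring_events
if [ -r /var/log/pacman.log ]; then
    keyring_events < /var/log/pacman.log
fi
```

A "scriptlet=MISSING" line means the keyring package was unpacked but the trust/revocation step did not run, which is the case where the manual pacman-key commands from post #5 are actually warranted.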

#8

Which problem?

You won’t see this in normal use. There was a time a few months back where many (many) people who hadn’t updated their system regularly hit issues with package keys.

It’s also a common issue with AUR packages, and the topic comes up enough times to justify leaving the banner topic in place even though it is “old”.


#9

I mean your advice to only use the terminal is…valid I guess, but then why have gui tools at all?

Surely this should be a sign to improve tools like Octopi and Pamac so that users who rely on those tools don’t run into trouble like this.

Or if that’s too difficult, then they shouldn’t be included at all, and Manjaro’s readme should explicitly say to use only the terminal for updates.


#10

The problem I’m referring to is the warnings of invalid or corrupted packages.

But that’s the case, I update my system whenever updates become available. I mean I could sort of understand that if I would only run updates once a month or something, then things are bound to go wrong…but that’s not the case with me.

I’m just frustrated that despite running updates promptly, I’m still getting these messages.


#11

You get these warnings during an update? Or you see the banner topic every so often after dismissing it?

The only reasons you’d regularly get warnings during an update is if you’ve got a poorly-maintained AUR package installed or if your downloads are being corrupted (or are signed by an old key, in which case pacman -Scc to clear your package cache).


#12

I get these warnings during updates (why would the banner topic be upsetting :slight_smile: )

I’m not running that much from the AUR. The only things I’ve installed are drivers for my printer (which haven’t been updated since I installed them) and TOR (which updates just fine and I haven’t had any problems with its keys since I first installed it). So I doubt the AUR is the culprit with me.


#13

Honestly, people get annoyed with all sorts of things and I’ve learned never to assume anything. :wink:

If you post the specific error/warning/message when it occurs this will allow better diagnosis. Anything else at this point is going to just be guesses…


#14

Yeah, that is true about people getting annoyed at random things; and with Ikey of Solus severely minimizing his online presence, I’ve sort of become aware that while from my point of view the sentiment is: why won’t this thing work the way it’s supposed to, did I do something stupid?

For some people, it may seem like: why is your project such a piece of crap. Fix it NOW!!!

The latter is definitely not my intent…I’m just frustrated at something not working despite my best efforts.

I’ll take a screenshot the next time it happens…and perhaps it might be easier to diagnose it next time.

I just ran the command before running the recent round of updates, so it’ll probably take another month or so before I see it again.


#15

If you refer to this post, you’ll see someone suggests updating the signing keys (the same commands you posted above).

It actually isn’t a problem about signing keys. It’s the package js52 which has an untracked file. This has been patched; you only need to sync to an updated mirror.

Basically the key update is automated within the full system update. You could ‘corrupt’ it in cases where it’s not synced correctly/fully.


#16

The GUI tools are fine for general package management tasks … searching for packages, viewing individual package details (i.e. dependencies), installing packages, removing packages, managing your package cache, AUR package search and install, AUR package notifications and updates, etc.

System updates sometimes require user confirmation for certain packages included, which can cause an update to fail using a GUI tool. Given that stable updates are much larger than unstable or testing branch updates, there is more chance this will occur.

Most important is that if something goes wrong you have output text detailing what went wrong. Remember that system updates are simply a collection of individual package updates; the larger the update, the more chance something will require your attention afterwards.

Maintaining a rolling release system is more than just blindly applying updates, if you want your system to stay healthy long term … but there are other threads on this topic, so I’ll stop.

Also, ignoring warning messages is probably not the best idea. If you have no idea what they mean create a thread and someone will help determine if they are benign or not.

My 2c anyway …


#17

I think that is the best explanation of proper package management I’ve ever read. It should be on the Wiki, but sadly the people that need this advice the most never read the Wiki.

The only thing it’s missing is an explanation of using the TTY for potentially problematic updates. I’m starting to do that far more often these days. Guess I’m just getting more cautious as I get older.


#18

Like systemd updates … this has gone pear shaped before.

