Various issues relating to the download and installation of software packages from the Manjaro repositories are dealt with here.
«Unrecognized archive format» Error
It has ocurred more than once, an update is issuing these messages in a seemingly never ending stream.
Pacman could not open file: sync files
error: could not open file /var/lib/pacman/sync/core.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/extra.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/community.db: Unrecognized archive format error: could not open file /var/lib/pacman/sync/multilib.db: Unrecognized archive format
The error relates to a mismatch in the information contained in the db files at the mentioned location and the db files at the first mirror in your mirrorlist. Pacman checks a package in the database and sees if the signature file matches the one in the database. If it does not, then pacman will say the package is corrupted.
While it sometimes is possible to fix the issue simply by deleting the files and the running a pacman update it far from every time.
One recipe for fixing this
It is mandatory to ensure that the keyrings is current. By ensuring the keyrings are in shape and then redownloading the databases we reestablish the chain of trust between the keyrings and the packages.
You will have to find the correct names by looking at
Browse https://mirror.easyname.at/manjaro/pool/overlay/ for the current manjaro-keyring
and
Browse https://mirror.easyname.at/manjaro/pool/sync for the current archlinux-keyring
Replace yyyymmdd and x with the info found at the above links
user $ sudo pacman -U https://mirror.easyname.at/manjaro/pool/overlay/manjaro-keyring-yyyymmdd-x-any.pkg.tar.xz COPY TO CLIPBOARD
user $ sudo pacman -U https://mirror.easyname.at/manjaro/pool/sync/archlinux-keyring-yyyymmdd-x-any.pkg.tar.xz COPY TO CLIPBOARD
Remove your faulty databases
user $ sudo rm -f /var/lib/pacman/sync/* COPY TO CLIPBOARD
Download the databases and update the system
user $ sudo pacman -Syyu COPY TO CLIPBOARD
«Unable to lock database» Error
When downloading and installing software from the repositories, a special database lock file will be created in order to ensure that the current installation process is the only one running at that time. Otherwise, attempting to install multiple files from multiple sources simultaneously may corrupt the downloaded files, cause file conflicts — or worse still — damage your system. Once the installation has been completed, the lock file will then be automatically deleted. This error may therefore occur due to two possible reasons:
- Another installation is still taking place and has not yet finished, or
- A previous installation attempt had not finished properly (e.g. due to being aborted early)
It is therefore wise to first check to ensure that another installation is not (or had not been) in process at the time of the error. When satisfied that this is not the case, then the database lock file can be manually deleted. To do so, open up the terminal and enter the following command:
user $ sudo rm /var/lib/pacman/db.lck COPY TO CLIPBOARD
Once done, you should now be able to successfully re-attempt your intended installation.
Errors about Keys
We all have our own unique signatures which are used to authenticate who we are and to prevent fraudulent or even malicious activities by others. This is also the case with software packages available from the software repositories. They all contain encrypted codes (signature keys) unique to their developers to ensure that they are authentic and not malicious in nature.
During the installation process, once any software packages have been downloaded, your system will first check their signature keys to ensure that they are authentic prior to actually installing them. If a signature key cannot be verified for any reason, then the installation process will be aborted. This problem will usually occur due to:
- one or more signature keys contained in your system’s database being revoked, changed, corrupted, or out of date
- one or more software packages not having been signed off properly when placed in a repository
Where a package has not been signed off properly before being placed in a repository, it will be the responsibility of the developer(s) to correct this. However, as this problem will be more than likely due to a problem with your system’s verification of a signiture key, this can be solved in three easy steps. Working net connection is required. Once you have opened your terminal:
Warning
The following commands only work, when your system time is set correctly!
1. Remove old (and possibly broken) keys by entering this command:
user $ sudo rm -r /etc/pacman.d/gnupg COPY TO CLIPBOARD
2. Reinstall keyrings including the latest keys:
user $ sudo pacman -Sy gnupg archlinux-keyring manjaro-keyring COPY TO CLIPBOARD
3. Initialize the pacman keyring:
user $ sudo pacman-key —init COPY TO CLIPBOARD
4. Load the signature keys:
user $ sudo pacman-key —populate archlinux manjaro COPY TO CLIPBOARD
5. Refresh and update the signature keys:
user $ sudo pacman-key —refresh-keys COPY TO CLIPBOARD
6. Clear out the software packages downloaded during the aborted installation (optional):
user $ sudo pacman -Sc COPY TO CLIPBOARD
Info
Improved version added, since it doesn’t work that way above. The packages are signed and since /etc/pacman.d/gnupg has been removed, it cannot be installed due the check. Instead editing the /etc/pacman.conf and lowering the SigLevel, it would be better installing the keyrings without a check manually to overcome this problem.
1. Remove old (and possibly broken) keys by entering this command:
user $ sudo rm -r /etc/pacman.d/gnupg COPY TO CLIPBOARD
2. Initialize the pacman keyring:
user $ sudo pacman-key —init COPY TO CLIPBOARD
3. Download the packages:
Info
GPG check errors can be ignored, since it only downloads the keyring packages.
Those running ARM may also need to download archlinuxarm-keyring and manjaro-arm-keyring.
user $ mkdir -pv $HOME/.cache/pkg/ && sudo pacman -Syw archlinux-keyring manjaro-keyring —cachedir $HOME/.cache/pkg/ COPY TO CLIPBOARD
4. Remove the signatures:
Info
Signatures must be removed to avoid the automatic check of the packages.
user $ rm -f $HOME/.cache/pkg/*.sig COPY TO CLIPBOARD
5. Install the downloaded packages manually:
Info
This will also trigger the populate process.
user $ sudo pacman -U $HOME/.cache/pkg/*.tar.zst COPY TO CLIPBOARD
user $ sudo pacman -U $HOME/.cache/pkg/*.tar.xz COPY TO CLIPBOARD
6. Clear out the software packages downloaded during the aborted installation (optional):
Warning
The above command clears the pacman cache completely, and one will not be able to downgrade to a previous version of a package if required. Instead packages that are causing signing errors can be removed individually when upgrading.
user $ sudo pacman -Sc COPY TO CLIPBOARD
7. Remove the custom package folder: (optional):
user $ sudo rm -Rf $HOME/.cache/pkg/ COPY TO CLIPBOARD
After that try running sudo pacman -Syu to see if the errors were resolved.
Conflicting files — FILENAME exists in filesystem
If you cant can’t install or update a package because of an error like this:
error: could not prepare transaction error: failed to commit transaction (conflicting files) libname: /insert/file/name/here exists in filesystem Errors occurred, no packages were upgraded.
Then the package manager, pacman, has detected an unexpected file that already exists on the disk.
Why is this happening?
By design pacman will not overwrite files that already exist. This is a design feature, not a flaw — package managers are designed to keep track of installed files.
This issue normally happens because you’ve manually added, copied, or created a file. It can also happen when you install software using a downloaded executable, run a make install, or use a third-party package system such as conda. It also occurs when you install an AUR package which installs files that conflict with a repo package.
When using a third-party installer you should always specify an alternative installation location, such as under your home directory, or under /opt or /usr/local/. Never install directly under / or /usr.
How can I fix this?
The first step is to identify which, if any, package owns the file. This can be easily done with:
user $ pacman -Qo /path/to/file COPY TO CLIPBOARD
If this identifies a conflicting package you can decide to remove it with pacman -R. If no package is identified you can delete the file (or move it to a backup location).
Where can I read more?
This post was inspired by (and adapted from):
https://wiki.archlinux.org/title/Pacman#%22Failed_to_commit_transaction_(conflicting_files)%22_error
The above post also has links to further reading.
«Configuration file…not recognized» Error
Manjaro’s package manager — pacman — uses a file called mirrorlist to tell it the internet addresses of the Manjaro servers in order to download updates and software applications from them. This error will therefore occur if one or more server addresses contained in the mirrorlist file have not been listed properly, resulting in pacman being unable to connect to them. Another tell-tale sign is that this problem will also be encountered immediately after:
- Installing Manjaro and editing the mirrorlist file during installation, or
- Editing the mirrorlist file at a later time.
See the Change to a Different Download Server guide for more detailed information on how to correctly select and enable another Manjaro server for downloading.
«GPGME error: No data» Error
The most likely cause of this issue is that an error or corruption has been detected by pacman in one or more software packages being downloaded. Package signatures and checksums are used to verify the validity of downloaded software, and should they fail, the installation attempt will be aborted to protect your system until the matter is resolved.
Option 1: Basic Resolution
To resolve this issue, first follow the basic procedure provided below. If this does not work, then there is a more comprehensive procedure available.
1. Download the package databases and update your system:
user $ sudo pacman -Syyu COPY TO CLIPBOARD
2. Clear out the software packages downloaded during the aborted installation by entering the command:
user $ sudo pacman -Sc COPY TO CLIPBOARD
3. Re-attempt the aborted download.
Option 2: Comprehensive Resolution
If the basic proceedure still does not resolve the matter, further steps are available:
1. Resynchronise with the Manjaro servers to ensure that everything is up to date by entering the command:
user $ sudo pacman -Syy COPY TO CLIPBOARD
2. Refresh and update the signature keys by entering the command:
user $ sudo pacman-key —refresh-keys COPY TO CLIPBOARD
3. Reload the signature keys by entering the command:
user $ sudo pacman-key —populate archlinux manjaro COPY TO CLIPBOARD
4. Clear out the software packages downloaded during the aborted installation by entering the command:
user $ sudo pacman -Sc COPY TO CLIPBOARD
5. Re-attempt the aborted download.
If the error still persists, then it is recommended to Change to a Different Download Server.
«keyserver refresh failed: No dirmngr» Error
Try running the following command:
user $ sudo dirmngr </dev/null COPY TO CLIPBOARD
To determine if packages are authentic, pacman uses GnuPG keys in a web of trust model. The current Master Signing Keys are found here. At least three of these Master Signing Keys are used to sign the Developer’s and Trusted User’s own keys. They are then used to sign their packages. Each user also has a unique PGP key, which is generated when you configure pacman-key. It is this web of trust that links the user’s key to the master keys.
Examples of webs of trust:
- Custom packages: Packages made and signed with a local key.
- Unofficial packages: Packages made and signed by a developer. Then, a local key was used to sign the developer’s key.
- Official packages: Packages made and signed by a developer. The developer’s key was signed by the Arch Linux master keys. You used your key to sign the master keys, and you trust them to vouch for developers.
Note: The HKP protocol uses 11371/tcp for communication. In order to get the signed keys from the servers (using pacman-key), this port is required for communication.
Setup
Configuring pacman
The SigLevel option in /etc/pacman.conf determines the level of trust required to install a package with pacman -S. For a detailed explanation of SigLevel, see pacman.conf(5) § PACKAGE AND DATABASE SIGNATURE CHECKING, and the file comments. One can set signature checking globally, or per repository. If SigLevel is set globally in the [options] section, all packages installed with pacman -S will require signing. With the LocalFileSigLevel setting from the default pacman.conf, any packages you build, and install with pacman -U, will not need to be signed using makepkg.
Note: Although all official packages are now signed, as of November 2018 signing of the databases is a work in progress. If Required is set then DatabaseOptional should also be set.
For remote packages, the default configuration will only support the installation of packages signed by trusted keys:
/etc/pacman.conf
SigLevel = Required DatabaseOptional
TrustedOnly is a default compiled-in pacman parameter. The default configuration is identical to using the global option of:
SigLevel = Required DatabaseOptional TrustedOnly
The above can be achieved too on a repository level further below in the configuration, e.g.:
[core] SigLevel = PackageRequired Include = /etc/pacman.d/mirrorlist
explicitly adds signature checking for the packages of the repository, but does not require the database to be signed. Optional here would turn off a global Required for this repository.
Warning: The SigLevel TrustAll option exists for debugging purposes and makes it very easy to trust keys that have not been verified. You should use TrustedOnly for all official repositories.
Initializing the keyring
To initialize the pacman keyring run:
# pacman-key --init
Initializing the keyring requires entropy. To generate entropy, move your mouse around, press random characters on the keyboard, or run some disk-based activity (for example in another console running ls -R / or find / -name foo or dd if=/dev/sda8 of=/dev/tty7). If your system does not already have sufficient entropy, this step may take hours; if you actively generate entropy, it will complete much more quickly.
The randomness created is used to initialize the keyring (/etc/pacman.d/gnupg) and the GPG signing key of your system.
Note: If you need to run pacman-key --init on a computer that does not generate much entropy (e.g. a headless server), key generation may take a very long time. To generate pseudo-entropy, install either haveged or rng-tools on the target machine and start the corresponding service before running pacman-key --init.
Managing the keyring
Verifying the master keys
The initial setup of keys is achieved using:
# pacman-key --populate
Take time to verify the Master Signing Keys when prompted as these are used to co-sign (and therefore trust) all other packager’s keys.
PGP keys are too large (2048 bits or more) for humans to work with, so they are usually hashed to create a 40-hex-digit fingerprint which can be used to check by hand that two keys are the same. The last eight digits of the fingerprint serve as a name for the key known as the ‘(short) key ID’ (the last sixteen digits of the fingerprint would be the ‘long key ID’).
Adding developer keys
The official developer and Trusted Users (TU) keys are signed by the master keys, so you do not need to use pacman-key to sign them yourself. Whenever pacman encounters a key it does not recognize, it will prompt you to download it from a keyserver configured in /etc/pacman.d/gnupg/gpg.conf (or by using the --keyserver option on the command line). Wikipedia maintains a list of keyservers.
Once you have downloaded a developer key, you will not have to download it again, and it can be used to verify any other packages signed by that developer.
Note: The archlinux-keyring package, which is a dependency of pacman, contains the latest keys. However keys can also be updated manually using pacman-key --refresh-keys (as root). While doing --refresh-keys, your local key will also be looked up on the remote keyserver, and you will receive a message about it not being found. This is nothing to be concerned about.
Adding unofficial keys
This article or section needs expansion.
This method can be utilized to add a key to the pacman keyring, or to enable signed unofficial user repositories.
First, get the key ID (keyid) from its owner. Then add it to the keyring using one of the two methods:
- If the key is found on a keyserver, import it with:
# pacman-key --recv-keys keyid
- If otherwise a link to a keyfile is provided, download it and then run:
# pacman-key --add /path/to/downloaded/keyfile
It is recommended to verify the fingerprint, as with any master key or any other key you are going to sign:
$ pacman-key --finger keyid
Finally, you must locally sign the imported key:
# pacman-key --lsign-key keyid
You now trust this key to sign packages.
Debugging with gpg
For debugging purposes, you can access pacman’s keyring directly with gpg, e.g.:
# gpg --homedir /etc/pacman.d/gnupg --list-keys
Tips and tricks
Upgrade system regularly
Upgrading the system regularly via pacman#Upgrading packages prevents most signing errors. If delay is unavoidable and system upgrade gets delayed for an extended period, manually sync the package database and upgrade the archlinux-keyring package before system upgrade:
# pacman -Sy archlinux-keyring && pacman -Su
This command is not considered a partial upgrade since it syncs the package database and upgrades the keyring package first. Both must be processed just before starting system upgrade to ensure signatures of all upgraded packages can be properly verified.
Update system time regularly
When the system time is faulty, signing keys could be considered expired (or invalid) and signature checks on packages will fail. Synchronize the system clock regularly by using the Network Time Protocol daemon.
Troubleshooting
Invalid signature errors
pacman-key depends on system time. If your system clock is not synchronized, system installation/upgrade may fail with:
error: PackageName: signature from "User <email@archlinux.org>" is invalid error: failed to commit transaction (invalid or corrupted package (PGP signature)) Errors occurred, no packages were upgraded.
If using ntpd, correct the system time (as root) with ntpd -qg followed by hwclock -w.
Other NTP clients can be used. See time synchronization.
If correction of the system clock does not resolve the failure, try one of the following approaches:
Removing packages from cache
Some packages could be corrupted or may be unsigned, causing failure. Remove each offending package from the system cache rm /var/cache/pacman/pkg/pkgname so it gets freshly downloaded, or clear the entire cache.
Resetting all the keys
Remove or reset all the keys installed in your system by removing the /etc/pacman.d/gnupg directory (as root) and by rerunning pacman-key --init followed by pacman-key --populate to re-add the default keys.
Disabling signature checking
Warning: Use with caution. Disabling package signing will allow pacman to install untrusted packages.
If you are not concerned about package signing, you can disable PGP signature checking completely. Edit /etc/pacman.conf to have the following lines under [options]:
SigLevel = Never #LocalFileSigLevel = Optional #RemoteFileSigLevel = Required
You need to comment out any repository-specific SigLevel settings because they override the global settings. This will result in no signature checking, which was the behavior before pacman 4. If you do this, you do not need to set up a keyring with pacman-key. You can change those options later if you decide to enable package verification.
Cannot import keys
This article or section needs language, wiki syntax or style improvements. See Help:Style for reference.
Reason: Instructions could be clearer. Not clear how this section is different from the preceding one. Redundant information. (Discuss in Talk:Pacman/Package signing)
There are multiple possible sources of this problem:
- An outdated archlinux-keyring package.
- The clock being set to an incorrect date.
- Your ISP blocked the port used to import PGP keys.
- Your pacman cache contains copies of unsigned packages from previous attempts.
dirmngris not correctly configured.
You might be stuck because of an outdated archlinux-keyring package when doing an upgrade synchronization.
Below are a few solutions that could work depending on your case.
Upgrade the system
See if upgrading the system can fix it first.
Change keyserver
If you suspect that something is not working right with the keyserver, you could try to switch to the Ubuntu keyserver. To do this, edit /etc/pacman.d/gnupg/gpg.conf and change the keyserver line to:
keyserver hkp://keyserver.ubuntu.com
Clean cached packages
If you suspect that your pacman cache at /var/cache/pacman/pkg/ might contain unsigned packages, try cleaning the cache manually or run:
# pacman -Sc
which removes all cached packages that have not been installed.
Signature is unknown trust
Sometimes when running pacman -Syu you might encounter this error:
error: package-name: signature from "packager" is unknown trust
This occurs because the packager‘s key used in the package package-name is not present and/or not trusted in the local pacman-key gpg database. Pacman does not seem to always be able to check if the key was received and marked as trusted before continuing. This could also be because a key has expired since it was added to your keychain.
Mitigate by:
- Manually upgrading the archlinux-keyring package prior to the system upgrade, or
- refreshing your keys with
pacman-key --refresh-keys, or - resetting all the keys, or
- manually signing the untrusted key locally (not recommended), or
- setting temporarily
SigLeveltoTrustAll(not recommended).
The last two options above break the chain of trust, and should be used with care.
Updating keys via proxy
In order to use a proxy when updating keys the honor-http-proxy option must be set in both /etc/gnupg/dirmngr.conf and /etc/pacman.d/gnupg/dirmngr.conf. See GnuPG#Use a keyserver for more information.
Note: If pacman-key is used without the honor-http-proxy option and fails, a reboot may solve the issue.
See also
- DeveloperWiki:Package Signing Proposal for Pacman
- Pacman Package Signing – 1: Makepkg and Repo-add
- Pacman Package Signing – 2: Pacman-key
- Pacman Package Signing – 3: Pacman
- Pacman Package Signing – 4: Arch Linux
|
# (отредактировано 2 года, 8 месяцев назад) |
|
|
Темы: 17 Сообщения: 86 Участник с: 25 февраля 2017 |
Обновил систему после очень долго перерыва через
Все вроде прошло без ошибок, только почему-то зеркала при установке пакетов не сразу подхватываются(вначале выскакивает ошибка, о том, что не получилось достать пакет на зеркале), а так же ключи не обновляются, ибо один из пакетов хотел заимпортить ключ, но я получил следующую ошибку Пытался обновить ключи через Помогите решить проблему |
|
redix |
# |
|
Темы: 34 Сообщения: 3433 Участник с: 11 марта 2013 |
Добавить ключ In Tux We Trust |
|
RusWolf |
# (отредактировано 2 года, 8 месяцев назад) |
|
Темы: 11 Сообщения: 2413 Участник с: 16 июля 2016 |
Обновление ключей: # pacman-key —init # pacman-key —refresh-keys # pacman-key —populate archlinux мля. опоздал |
|
redix |
# |
|
Темы: 34 Сообщения: 3433 Участник с: 11 марта 2013 |
Могу уступить первенство. )
In Tux We Trust |
|
RusWolf |
# |
|
Темы: 11 Сообщения: 2413 Участник с: 16 июля 2016 |
не-не, всё должно быть по честному |
|
vs220 |
# |
|
Темы: 22 Сообщения: 8090 Участник с: 16 августа 2009 |
Зеркала попробуйте обновить на актуальные в /etc/pacman.d/mirrorlist
Список актуальных https://www.archlinux.org/mirrorlist/ если не поможет смотрите |
|
wh75er |
# |
|
Темы: 17 Сообщения: 86 Участник с: 25 февраля 2017 |
не помогло |
|
vs220 |
# |
|
Темы: 22 Сообщения: 8090 Участник с: 16 августа 2009 |
Зеркала
? |
|
wh75er |
# |
|
Темы: 17 Сообщения: 86 Участник с: 25 февраля 2017 |
Все, проблема с зеркалами ушла, когда я добавил файл более новый mirrorlist, но с ключами таже проблема. Попробовал сделать Не помогло. Сейчас попробую сделать предложенное |
|
vs220 |
# |
|
Темы: 22 Сообщения: 8090 Участник с: 16 августа 2009 |
Обновление идет? Или на ключи ругается? |
I ran into an issue running through Arch Linux package upgrades on 2021-01-06, after neglecting to install package upgrades for a few months:
[miliarch@arch ~]$ sudo pacman -Syu
:: Synchronizing package databases...
core 132.8 KiB 18.5 MiB/s 00:00 [##################################] 100%
extra 1637.1 KiB 28.0 MiB/s 00:00 [##################################] 100%
community 5.3 MiB 65.3 MiB/s 00:00 [##################################] 100%
sublime-text 1827.0 B 0.00 B/s 00:00 [##################################] 100%
sublime-text.sig 543.0 B 0.00 B/s 00:00 [##################################] 100%
:: Starting full system upgrade...
... -truncated- ...
(541/541) checking keys in keyring [##################################] 100%
(541/541) checking package integrity [##################################] 100%
error: cdrtools: signature from "Jerome Leclanche <jerome@leclan.ch>" is unknown trust
:: File /var/cache/pacman/pkg/cdrtools-3.02a09-4-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.It turns out the developer’s GPG key, which determines whether the author of the package is trusted, had expired:
[miliarch@arch ~]$ pacman-key --list-sigs Jerome
gpg: Note: trustdb not writable
pub rsa4096 2013-10-16 [SC] [expired: 2021-01-01]
169704C6FB490C6892C7F23C37E0AF1FDA48F373
uid [ expired] Jerome Leclanche <jerome@leclan.ch>
sig 3348882F6AC6A4C2 2015-02-10 Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig BA1DFB64FFF979E7 2015-02-12 Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>
sig A88E23E377514E00 2015-12-23 Florian Pritz (Arch Linux Master Key) <florian@master-key.archlinux.org>
sig 3 37E0AF1FDA48F373 2018-06-10 Jerome Leclanche <jerome@leclan.ch>
sig D6D055F927843F1C 2019-09-29 Levente Polyak (Arch Linux Master Key) <anthraxx@master-key.archlinux.org>After some searching, I came across this thread, which contained the solution. I did try using pacman-key --refresh-keys, as suggested by Scimmia, and while it did refresh many keys (see command output below), it didn’t pull in an update of the problematic key.
[miliarch@arch ~]$ sudo pacman-key --refresh-keys
gpg: refreshing 121 keys from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: Server indicated a failure
==> ERROR: A specified local key could not be updated from a keyserver.After further review of the thread, and some more tinkering in the terminal, I discovered that the archlinux-keyring package required an update to pull in updated GPG keys. I’m very thankful that these folks took the time to both ask the question and drop in guidance on how to validate and fix the problem.
Now, the main crux of the issue was that while archlinux-keyring was part of the list of distribution packages to update, the one package associated with an expired key (cdrtools) «clogged up the works» and prevented the upgrade from completing. To work around that, I pulled this package separately with pacman -S archlinux-keyring:
[miliarch@arch ~]$ sudo pacman -S archlinux-keyring
resolving dependencies...
looking for conflicting packages...
Packages (1) archlinux-keyring-20201210-1
Total Installed Size: 1.30 MiB
Net Upgrade Size: 0.00 MiB
:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring [############################################] 100%
(1/1) checking package integrity [############################################] 100%
(1/1) loading package files [############################################] 100%
(1/1) checking for file conflicts [############################################] 100%
(1/1) checking available disk space [############################################] 100%
:: Processing package changes...
(1/1) upgrading archlinux-keyring [############################################] 100%
==> Appending keys from archlinux.gpg...
==> Locally signing trusted keys in keyring...
-> Locally signing key D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C...
-> Locally signing key DDB867B92AA789C165EEFA799B729B06A680C281...
-> Locally signing key 91FFE0700E80619CEB73235CA88E23E377514E00...
-> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
-> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
==> Importing owner trust values...
==> Disabling revoked keys in keyring...
-> Disabling key 8F76BEEA0289F9E1D3E229C05F946DED983D4366...
-> Disabling key 63F395DE2D6398BBE458F281F2DBB4931985A992...
-> Disabling key 50F33E2E5B0C3D900424ABE89BDCF497A4BBCC7F...
-> Disabling key 27FFC4769E19F096D41D9265A04F9397CDFD6BB0...
-> Disabling key 779CD2942629B7FA04AB8F172E89012331361F01...
-> Disabling key 39F880E50E49A4D11341E8F939E4F17F295AFBF4...
-> Disabling key 8840BD07FC24CB7CE394A07CCF7037A4F27FB7DA...
-> Disabling key 5559BC1A32B8F76B3FCCD9555FA5E5544F010D48...
-> Disabling key 0B20CA1931F5DA3A70D0F8D2EA6836E1AB441196...
-> Disabling key 07DFD3A0BC213FA12EDC217559B3122E2FA915EC...
-> Disabling key 4FCF887689C41B09506BE8D5F3E1D5C5D30DB0AD...
-> Disabling key 5A2257D19FF7E1E0E415968CE62F853100F0D0F0...
-> Disabling key D921CABED130A5690EF1896E81AF739EC0711BF1...
-> Disabling key 7FA647CD89891DEDC060287BB9113D1ED21E1A55...
-> Disabling key BC1FBE4D2826A0B51E47ED62E2539214C6C11350...
-> Disabling key 4A8B17E20B88ACA61860009B5CED81B7C2E5C0D2...
-> Disabling key 5696C003B0854206450C8E5BE613C09CB4440678...
-> Disabling key 684148BB25B49E986A4944C55184252D824B18E8...
-> Disabling key 8CF934E339CAD8ABF342E822E711306E3C4F88BC...
-> Disabling key F5A361A3A13554B85E57DDDAAF7EF7873CFD4BB6...
-> Disabling key 5E7585ADFF106BFFBBA319DC654B877A0864983E...
-> Disabling key 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A...
-> Disabling key 40440DC037C05620984379A6761FAD69BA06C6A9...
-> Disabling key 34C5D94FE7E7913E86DC427E7FB1A3800C84C0A5...
-> Disabling key 1A60DC44245D06FEF90623D6EEEEE2EEEE2EEEEE...
-> Disabling key 81D7F8241DB38BC759C80FCE3A726C6170E80477...
-> Disabling key E7210A59715F6940CF9A4E36A001876699AD6E84...
-> Disabling key 5357F3B111688D88C1D88119FCF2CB179205AC90...
-> Disabling key 4D913AECD81726D9A6C74F0ADA6426DD215B37AD...
-> Disabling key FB871F0131FEA4FB5A9192B4C8880A6406361833...
-> Disabling key 66BD74A036D522F51DD70A3C7F2A16726521E06D...
-> Disabling key 487EACC08557AD082088DABA1EB2638FF56C0C53...
-> Disabling key B1F2C889CB2CCB2ADA36D963097D629E437520BD...
-> Disabling key 9515D8A8EAB88E49BB65EDBCE6B456CAF15447D5...
-> Disabling key 76B4192E902C0A52642C63C273B8ED52F1D357C1...
-> Disabling key 40776A5221EF5AD468A4906D42A1DB15EC133BAD...
-> Disabling key D4DE5ABDE2A7287644EAC7E36D1A9E70E19DAA50...
-> Disabling key 44D4A033AC140143927397D47EFD567D4C7EA887...
==> Updating trust database...
gpg: next trustdb check due at 2021-08-02
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...After checking the public GPG key for this author again, it was clear that it had been updated with an expiration date in the future in my local keyring:
[miliarch@arch ~]$ pacman-key --list-sigs Jerome
gpg: Note: trustdb not writable
pub rsa4096 2013-10-16 [SC] [expires: 2023-01-01]
169704C6FB490C6892C7F23C37E0AF1FDA48F373
uid [ full ] Jerome Leclanche <jerome@leclan.ch>
sig 3348882F6AC6A4C2 2015-02-10 Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig BA1DFB64FFF979E7 2015-02-12 Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>
sig A88E23E377514E00 2015-12-23 Florian Pritz (Arch Linux Master Key) <florian@master-key.archlinux.org>
sig 3 37E0AF1FDA48F373 2018-06-10 Jerome Leclanche <jerome@leclan.ch>
sig D6D055F927843F1C 2019-09-29 Levente Polyak (Arch Linux Master Key) <anthraxx@master-key.archlinux.org>
sig 3 37E0AF1FDA48F373 2020-10-28 Jerome Leclanche <jerome@leclan.ch>
sub rsa4096 2013-10-16 [E] [expires: 2023-01-01]
sig 37E0AF1FDA48F373 2018-06-10 Jerome Leclanche <jerome@leclan.ch>
sig 37E0AF1FDA48F373 2020-10-28 Jerome Leclanche <jerome@leclan.ch>My next attempt to run a full distro upgrade finished without an issue.
The lesson to take from this is that it may be wise to run a standalone upgrade of the archlinux-keyring package prior to running a full distribution upgrade, especially if it’s been a while since you’ve upgraded packages. Alternatively, it’s certainly a valid strategy to wait until an error is presented to address a problem; it’s good to keep this package in mind if you encounter a GPG key signing issue on a core package when working with pacman.
Finding documentation on archlinux-keyring wasn’t trivial, but the Adding Developer Keys section of the pacman/Package signing page in the Arch Wiki touches on the purpose of the package, which is effectively a collection of Trusted User (TU) GPG keys.
Until next time
— miliarch
- Tidbits
Subscribe to our newsletter
Get the latest posts delivered right to your inbox.
Now check your inbox and click the link to confirm your subscription.
Please enter a valid email address
Oops! There was an error sending the email, please try later.
A couple of days ago I got an additional laptop to take it on meetings.
As it will be used rarely and not as my main laptop – I decided to install Manjaro Linux there instead of usual Arch Linux – to take a look at the Manjaro itself and because don’t want to spend time with Arch configuration on a laptop, which be used even not each day.
After Manjaro installation (well – much easier than Arch, of course) I started the system upgrade, and…:
[setevoy@setevoy-asus-laptop ~]$ sudo pacman -Syu
...
:: Proceed with installation? [Y/n]
(413/413) checking keys in keyring [] 100%
downloading required keys...
:: Import PGP key 256E/C7E7849466FE2358343588377258734B41C31549, "David Runge <dvzrv@archlinux.org>", created: 2019-10-01? [Y/n] y
error: key "David Runge <dvzrv@archlinux.org>" could not be imported
error: required key missing from keyring
error: failed to commit transaction (unexpected error)
Errors occurred, no packages were upgraded.
Well… Okay.
The first upgrade on o system with outdated packages, expected issues – no problem at all.
Do not perform the actions described below until you’ll read the actual reason.
Update archlinux-keyring
The first idea was to upgrade the archlinux-keyring util and it will update its keys:
$ sudo pacman -Sy archlinux-keyring
...
warning: archlinux-keyring-20191018-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...
Packages (1) archlinux-keyring-20191018-1
...
-> Disabling key 44D4A033AC140143927397D47EFD567D4C7EA887...
==> Updating trust database...
gpg: next trustdb check due at 2020-01-22
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...
But this didn’t help.
pacman-key --refresh-keys
Okay, let’s try update keys directly in the pacman-key‘s database:
[setevoy@setevoy-asus-laptop ~]$ sudo pacman-key --refresh-keys
...
gpg: Total number processed: 133
gpg: unchanged: 66
gpg: new user IDs: 3
gpg: new subkeys: 1
gpg: new signatures: 1172
...
gpg: next trustdb check due at 2020-01-22
Nah, still something is wrong here:
[setevoy@setevoy-asus-laptop ~]$ pacman-key --list-sigs | grep Runge
gpg: Note: trustdb not writable
gpg: key E5BB298470AD4E41 was created 53 days in the future (time warp or clock problem)
gpg: key 6D42BDD116E0068F was created 11 days in the future (time warp or clock problem)
gpg: key 6D42BDD116E0068F was created 11 days in the future (time warp or clock problem)
gpg: key E5BB298470AD4E41 was created 53 days in the future (time warp or clock problem)
sig 54C28F4FF5A1A949 2014-10-06 David Runge <dave@sleepmap.de>
uid [ full ] David Runge <dave@sleepmap.de>
sig 3 54C28F4FF5A1A949 2017-05-07 David Runge <dave@sleepmap.de>
sig 3 54C28F4FF5A1A949 2015-01-04 David Runge <dave@sleepmap.de>
uid [ full ] David Runge <dave@c-base.org>
sig 3 54C28F4FF5A1A949 2017-05-07 David Runge <dave@sleepmap.de>
sig 3 54C28F4FF5A1A949 2015-10-20 David Runge <dave@sleepmap.de>
uid [ full ] David Runge <runge@pool.math.tu-berlin.de>
sig 3 54C28F4FF5A1A949 2017-05-07 David Runge <dave@sleepmap.de>
sig 3 54C28F4FF5A1A949 2014-10-03 David Runge <dave@sleepmap.de>
uid [ full ] David Runge <david.runge@campus.tu-berlin.de>
sig 3 54C28F4FF5A1A949 2017-05-07 David Runge <dave@sleepmap.de>
sig 3 54C28F4FF5A1A949 2014-10-03 David Runge <dave@sleepmap.de>
sig 54C28F4FF5A1A949 2017-05-07 David Runge <dave@sleepmap.de>
At least – the developer’s mailbox is not the same as in the error.
there is a hint, but I didn’t notice it
Removing /etc/pacman.d/gnupg
The next thing I did a try – to fully drop (backup, of course, not just delete) pacman‘s GPG database to re-initial it from scratch:
[setevoy@setevoy-asus-laptop ~]$ ls -l /etc/pacman.d/gnupg
total 6276
drwx------ 2 root root 4096 жов 21 2017 crls.d
-rw-r--r-- 1 root root 17 лис 8 2018 gpg-agent.conf
-rw-r--r-- 1 root root 114 жов 24 2015 gpg.conf
drwx------ 2 root root 4096 жов 24 2015 openpgp-revocs.d
...
-rw-r--r-- 1 root root 18920 сер 18 12:28 trustdb.gpg
Move it to backups:
[setevoy@setevoy-asus-laptop ~]$ mkdir ~/Backups
[setevoy@setevoy-asus-laptop ~]$ sudo mv /etc/pacman.d/gnupg Backups/
Run initialization:
[setevoy@setevoy-asus-laptop ~]$ sudo pacman-key --init
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/etc/pacman.d/gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded
gpg: Generating pacman keyring master key...
gpg: key FBADB7D2586D4A2F marked as ultimately trusted
gpg: directory '/etc/pacman.d/gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/etc/pacman.d/gnupg/openpgp-revocs.d/7F47A1EC7C894F56DD6F9E18FBADB7D2586D4A2F.rev'
gpg: Done
==> Updating trust database...
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
Get keys:
[setevoy@setevoy-asus-laptop ~]$ sudo pacman-key --populate
==> Appending keys from archlinux.gpg...
...
Let’s even update them:
[setevoy@setevoy-asus-laptop ~]$ sudo pacman-key --refresh-keys
gpg: refreshing 132 keys from hkps://hkps.pool.sks-keyservers.net
...
Run the OS upgrade again:
[setevoy@setevoy-asus-laptop ~]$ sudo pacman -Syu
...
downloading required keys...
:: Import PGP key 256E/C7E7849466FE2358343588377258734B41C31549, "David Runge <dvzrv@archlinux.org>", created: 2019-10-01? [Y/n]
error: key "David Runge <dvzrv@archlinux.org>" could not be imported
error: required key missing from keyring
error: failed to commit transaction (unexpected error)
Errors occurred, no packages were upgraded.
sd78dfv:?%67sdc!!!
pacman-key --recv-keys – a direct key’s import
Then I went to look for the key directly in the https://www.archlinux.org/master-keys database:
| David Runge | 0x41C31549 | Yes |
And try to import it directly:
[setevoy-asus-laptop setevoy]# pacman-key --recv-keys dvzrv@archlinux.org
gpg: key E5BB298470AD4E41 was created 53 days in the future (time warp or clock problem)
gpg: key 7258734B41C31549: 2 duplicate signatures removed
gpg: key 7258734B41C31549: 4 signatures not checked due to missing keys
gpg: key 7258734B41C31549: 2 signatures reordered
gpg: key 7258734B41C31549 was created 44 days in the future (time warp or clock problem)
gpg: key 7258734B41C31549 was created 44 days in the future (time warp or clock problem)
gpg: key 7258734B41C31549 was created 44 days in the future (time warp or clock problem)
gpg: key 7258734B41C31549 was created 44 days in the future (time warp or clock problem)
gpg: key 7258734B41C31549: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg: w/o user IDs: 1
==> ERROR: Remote key not fetched correctly from keyserver.
Eeerrr….
gpg: key 7258734B41C31549 was created 44 days in the future (time warp or clock problem)
44 days in the future – WHAT?
The real cause and solution
Check the date on the operating system now:
[setevoy-asus-laptop setevoy]# date
sun, 18 серпня 2019 12:47:28 +0300
And by using hwclock to heck hardware’s time settings:
[setevoy-asus-laptop setevoy]# hwclock --show
2019-08-18 12:47:55.575491+03:00
Set the real time at this moment:
[setevoy-asus-laptop setevoy]# timedatectl set-time "2019-11-24 09:56:00"
[setevoy-asus-laptop setevoy]# hwclock --show
2019-11-24 09:56:03.404766+02:00
Repeat upgrade:
[setevoy@setevoy-asus-laptop ~]$ sudo pacman -Syu
...
(413/413) checking keys in keyring [] 100%
downloading required keys...
:: Import PGP key 256E/C7E7849466FE2358343588377258734B41C31549, "David Runge <dvzrv@archlinux.org>", created: 2019-10-01? [Y/n]
(413/413) checking package integrity
...
And everything is working now.
Done.
Similar posts
- 05/08/2017 Arch Linux: keyserver receive failed: No keyserver available и ручной импорт ключа
- 05/06/2017 Arch Linux: запускаем Diablo 2
- 03/29/2017 Arch: Skype – звук и микрофон
- 03/16/2017 Arch: апплет батареи для ноутбука
I’m trying to do a full system upgrade using pacman -Syu. It says:
:: File /var/cache/pacman/pkg/turbulence-0.3.5-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
Is there a way to fix this?
asked May 14, 2014 at 18:31
1
There are tons of topics out there that say you should edit the pacman.config file and remove the PGP key checks entirely but it’s not a good idea.
simply run this command and wait for refreshing your keys by downloading them from the servers:
$ sudo pacman-key --refresh-keys
and then proceed with you full system upgrade sudo pacman -Syu
answered Apr 20, 2015 at 15:10
Arash MilaniArash Milani
6,1092 gold badges41 silver badges47 bronze badges
2
You may also be interested in running pacman-key --populate if the keys are massively out of date or if the other given answer of pacman-key --refresh-keys does not work in practice.
answered Aug 29, 2017 at 22:17
Tech1337Tech1337
1,49813 silver badges16 bronze badges
0
I ran into this problem when using a (ridiculously) outdated Arch version.
In case anyone else runs into this while using Docker, you can try downloading a fresh image (docker pull archlinux) in lieu of directly refreshing the keys.
I think this is useful because the sibling answers did not work for me.
answered Jun 2, 2022 at 0:46
davidvarela_usdavidvarela_us
6,0781 gold badge22 silver badges42 bronze badges
Aron Schüler on 30. January 2022
When running your pacman -Syu, you might run into an error about an unknown
trust signature. This is caused by package maintainers changing, dependencies
changing or new ones added. This error does not always mean that someone took
over the package and submitted an insecure package. In this post, I am going to
describe how to fix the error: signature from is unknown trust error.
Why does a package have a signature of unknown trust?
The error you’re seeing is directly related to the pacman-key gpg
database. This database contains all necessary PGP public keys. Now, you might
ask yourself, whose public keys are necessary? Well, there are two groups who
maintain the packages in the official arch repositories. These groups are the
official developers and Trusted Users (TU). Packages under their
maintenance are always signed by the master keys of these users.
But users in these groups change. For instance, a new user is accepted into the
Trusted Users group. That user’s public key must now be added to the
archlinux-keyring package. It also must be marked as trusted in the pacman-key
gpg database. But this does not happen automatically. Therefore, when that user
signs a package, you get the error that the signature is of unknown trust, since
the key has not been added to / trusted in the database yet.
How can I trust the signature?
There are at least four options available, with another one being to wait for an
update of archlinux-keyring package. If you want to take matters into your own
hands, I suggest the first option.
First option: Refreshing your trusted keys with pacman-key
Pacman includes a helpful wrapper script for GnuPG. This script is called
pacman-key. You can easily manage your keyring of trusted PGP keys with it.
You can also refresh your local key database with it.
To do so, run the following as root:
pacman-key --refresh-keys
Once this is done, you can check if your desired key is now included. Run this
as root:
pacman-key --list-keys <signature>
For me, I was missing the pub key of Alexander Epaneshnikov, so I will check for his signature:
pacman-key --list-keys 6C7F7F22E0152A6FD5728592DAD6F3056C897266
pub rsa4096 2020-03-04 [SC] [expires: 2023-01-20]
6C7F7F22E0152A6FD5728592DAD6F3056C897266
uid [ unknown] Alexander Epaneshnikov [email protected]>
uid [ full ] Alexander Epaneshnikov
uid [ unknown] Alexander Epaneshnikov
sub rsa4096 2020-03-04 [A] [expires: 2023-01-20]
sub rsa4096 2020-03-04 [E] [expires: 2023-01-20]
sub rsa4096 2020-03-04 [S] [expires: 2023-01-20]
Second option: Reinstalling archlinux-keyring
If you don’t want the hassle of messing with the wrapper script, you can
also reinstall the archlinux-keyring package. The post-installation script will
update the local pacman gpg database. This can be done by running the following
as root:
pacman -S archlinux-keyring
As a result, your key database will be updated and the new key should be
included and trusted!
Third option: When everything else fails, do it yourself!
You can also import the key into your pacman keyring yourself. This is necessary
when the official keyserver does not provide the desired key (yet). To do so,
follow the next steps.
- Import the key into your accounts keyring with
pacman-key --recv-keys <signature>. If you don’t know the signature,
googling the<author> pgpshould be enough to give you a result. - Verify the fingerprint to prevent importing bad keys:
pacman-key --finger <signature> - Sign the key locally with your private key, so that the imported key becomes
trusted:pacman-key --lsign-key <signature>
The key is now included in your pacman database of trusted keys.
Done!
To check if the signature is now contained in your pacman keyring, run
pacman-key --list-keys <signature>. This should result in something like
this:
You successfully imported and trusted the key, nice! Now you can go ahead and
update your packages.
As a final note, you will notice that this problem occurs more often if you tend
to have long periods of time between your upgrades. If this is the case for you,
just remember to update your keyring before updating your system, thereby
running your upgrade always with a fresh set of public keys. This prevents the
signature is unknown trust error on your Arch system while upgrading.
I hope this helped, if it did I’m always happy about a new comment 🙂 If
you want to look through my other posts on arch, you can find them here.