Hi!
I wanted to upgrade my OS today, as I tend to do each month or so, with pacman -Syuu. The packages downloaded, and it prompted me to add quite a lot of new PGP keys, which I allowed, but then it wouldn't go through. This has happened to me from time to time; I recalled that I just have to reinstall archlinux-keyring first and that should do it. I couldn't reinstall it, however: pacman was failing at adding Christian Hesse's key, so I figured I probably had my keyrings messed up somehow. I backed them up and followed the steps from the wiki: https://wiki.archlinux.org/title/Pacman … l_the_keys
But this wouldn't work either, as for some reason my /usr/share/pacman/ dir lacked any keyrings in it.
TL;DR
In the end I just disabled signature verification, just to install archlinux-keyring (same with chaotic), and then enabled it again.
I was able to update and install other packages, although I don't feel too comfortable about it. How dangerous was what I did, really? Do I actually have to worry about it?
Can I somehow verify that every package is installed with the right key and that the keyrings my pacman now uses aren't tampered with?
Best regards!
`pacman -Sw <package>` will re-check the package that's in the cache (or download it if it isn't there, but that doesn't help you in this case).
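The re-check suggested above (`pacman -Sw`, or `pacman-key --verify` on each cached `.sig`) answers "is the signature valid", but the question in the thread is really two questions: is the signature valid, and is the signing key one pacman actually trusts, i.e. certified by one of the Arch master keys held in the keyring. The script below is an added example and is not code from the thread or from pacman; it runs gpg against every package in the cache using pacman's own keyring and parses gpg's machine-readable `--status-fd` lines, so that a valid signature from an untrusted key (TRUST_UNDEFINED, which `SigLevel = Required DatabaseOptional`, the default, rejects because TrustedOnly is implied) is reported separately from a bad signature. The keyring and cache paths are Arch's defaults and are assumed; the sample status transcripts are constructed placeholders, not captured output.

```python
"""Audit pacman's package cache: verify each package's detached signature
with pacman's keyring and report what a TrustedOnly SigLevel would reject.
Added example; assumes Arch's default paths for the keyring and cache."""
import subprocess
from dataclasses import dataclass, field
from pathlib import Path

PACMAN_GNUPG_HOME = "/etc/pacman.d/gnupg"   # pacman's keyring (assumed default)
PACMAN_CACHE = "/var/cache/pacman/pkg"      # package cache (assumed default)

# gpg trust levels pacman accepts under SigLevel ... TrustedOnly (the default).
TRUSTED_LEVELS = {"TRUST_FULLY", "TRUST_ULTIMATE"}
# Status keywords that mean the signature itself must not be accepted.
SIG_FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class SigResult:
    good: bool = False       # GOODSIG seen and no failure keyword seen
    trusted: bool = False    # signing key is FULLY/ULTIMATELY trusted
    fingerprint: str = ""    # signing key fingerprint from VALIDSIG
    signer: str = ""         # user id from GOODSIG
    problems: list = field(default_factory=list)

    @property
    def acceptable(self) -> bool:
        """True only if pacman (TrustedOnly) would install this package."""
        return self.good and self.trusted and not self.problems


def parse_gpg_status(status_text: str) -> SigResult:
    """Turn `gpg --status-fd` output into a SigResult.

    Only '[GNUPG:] KEYWORD args' lines are considered; everything else
    (human-readable chatter) is ignored.
    """
    r = SigResult()
    saw_goodsig = failed = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split(maxsplit=2)          # ['[GNUPG:]', KEYWORD, rest]
        kw = parts[1]
        rest = parts[2] if len(parts) > 2 else ""
        if kw == "GOODSIG":
            saw_goodsig = True
            keyid, _, uid = rest.partition(" ")
            r.signer = uid or keyid
        elif kw == "VALIDSIG":
            r.fingerprint = rest.split()[0]
        elif kw in SIG_FAILURES:
            failed = True
            r.problems.append(f"{kw} {rest}")
        elif kw == "NO_PUBKEY":
            r.problems.append(f"signing key {rest} is not in the keyring")
        elif kw.startswith("TRUST_"):
            r.trusted = kw in TRUSTED_LEVELS
            if not r.trusted:
                r.problems.append(f"signing key trust is {kw}")
    r.good = saw_goodsig and not failed
    return r


def verify_package(pkg: Path, gnupg_home: str = PACMAN_GNUPG_HOME) -> SigResult:
    """Verify <pkg> against its detached <pkg>.sig using pacman's keyring
    (what `pacman-key --verify` does, but with a parsed verdict)."""
    sig = pkg.with_name(pkg.name + ".sig")
    if not sig.exists():
        return SigResult(problems=["no detached .sig next to the package"])
    proc = subprocess.run(
        ["gpg", "--homedir", gnupg_home, "--no-permission-warning", "--batch",
         "--status-fd", "1", "--verify", str(sig), str(pkg)],
        capture_output=True, text=True, check=False)
    return parse_gpg_status(proc.stdout)   # status lines go to fd 1


def audit_cache(cache: str = PACMAN_CACHE) -> dict:
    """Verify every cached package; returns {filename: SigResult}."""
    results = {}
    for pkg in sorted(Path(cache).glob("*.pkg.tar.*")):
        if pkg.suffix != ".sig":
            results[pkg.name] = verify_package(pkg)
    return results


def rejected(results: dict) -> list:
    """Filenames pacman would refuse to install from this cache."""
    return [name for name, r in results.items() if not r.acceptable]


# Constructed gpg status transcripts (placeholders, not captured output).
SAMPLE_TRUSTED = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Packager <packager@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 22 10 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp
"""
# Valid signature, but the key is not certified by a master key: this is what
# a stale or hand-imported keyring produces, and TrustedOnly rejects it.
SAMPLE_UNTRUSTED = SAMPLE_TRUSTED.replace("TRUST_FULLY", "TRUST_UNDEFINED")
# Signature does not match the file: the package (or the .sig) was altered.
SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Packager <packager@example.org>
"""

if __name__ == "__main__":
    for name, res in audit_cache().items():
        verdict = "ok" if res.acceptable else "REJECT: " + "; ".join(res.problems)
        print(f"{name}: {res.signer or '?'} [{res.fingerprint[-16:]}] {verdict}")
```

Run it as root so gpg can open /etc/pacman.d/gnupg. A package reported with NO_PUBKEY or TRUST_UNDEFINED was installed while verification was off and should be reinstalled once the keyring is in order; a BADSIG means the cached file does not match what was signed. For the keyring itself, `pacman -Qkk archlinux-keyring` checks the installed keyring files against the package's own file list, reinstalling archlinux-keyring with signature checking re-enabled re-verifies the package, and the fingerprints shown by `pacman-key --list-keys` for the master keys can be compared with the ones published at https://archlinux.org/master-keys/.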
I was thinking about upgrading the system and packages first, purging keys, getting the `legit ones` using some gpg validations, and reinstalling everything, but this seems a bit paranoid. I've used a few mirrorlists to make sure I wasn't grabbing some nasty packages when keys started failing on me. I'm not really sure why this was even a thing, though; generally updating the keyring was enough.