Keyring issues and validation

endlesik · 2023-05-12 23:58:43

Hi!
Wanted to upgrade my OS today, as I tend to do each month or so, with pacman -Syuu, packages download, it prompted me to add quite a lot of new PGP keys, I allowed that, but then it wouldn't go through - it happened from time to time to me, I recalled I just have to reinstall archlinux-keyring first and that should do it - I couldn't reinstall it however, pacman was failing at adding Christian Hesse's key, so I figured I probably have my keyrings messed up somehow, so backed it up, followed steps from wiki: https://wiki.archlinux.org/title/Pacman … l_the_keys

But this wouldn't work either, as for some reason my /usr/share/pacman/ dir lacked any keyrings in it..

TL;DR
In the end I just disabled signature verification just to install archlinux-keyring (same with chaotic), and enabled it back again..

I was able to update and install other packages, although I don't feel too comfortable about it - how really dangerous was what I did? Do I actually have to worry about it?

Can I somehow verify that every package is installed with the right key and that keyrings my pacman now uses aren't tampered with?

Best regards!

Scimmia · 2023-05-13 02:07:08

`pacman -Sw <package>` will re-check the package that's in the cache (or download it if it isn't there, but that doesn't help you in this case).

endlesik · 2023-05-13 02:25:37

I was thinking about upgrading system and packages first, purging keys, getting the `legit ones` using some gpg validations, and reinstalling everything, but this seems a bit paranoid, I've used few mirrorlists to make sure I wasn't grabbing some nasty packages when keys started failing on me.. I'm not really sure why this was even a thing tho, generally updating the keyring was enough..

Arch Linux

#1 2023-05-12 23:58:43

Keyring issues and validation

#2 2023-05-13 02:07:08

Re: Keyring issues and validation

#3 2023-05-13 02:25:37

Re: Keyring issues and validation

Board footer