[SOLVED] Invalid or corrupted package

aleb · 2024-02-09 15:26:00

$ sudo pacman -Syy linux
:: Synchronizing package databases...
 core                                            129,3 KiB  6,31 MiB/s 00:00 [###########################################] 100%
 extra                                             8,3 MiB  10,8 MiB/s 00:01 [###########################################] 100%
 community                                        45,0   B  43,9 KiB/s 00:00 [###########################################] 100%
resolving dependencies...
looking for conflicting packages...

Packages (1) linux-6.7.4.arch1-1

Total Download Size:   130,66 MiB
Total Installed Size:  130,75 MiB
Net Upgrade Size:        0,10 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 linux-6.7.4.arch1-1-x86_64                      130,7 MiB  11,1 MiB/s 00:12 [###########################################] 100%
(1/1) checking keys in keyring                                               [###########################################] 100%
(1/1) checking package integrity                                             [###########################################] 100%
error: linux: signature from "Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>" is invalid
:: File /var/cache/pacman/pkg/linux-6.7.4.arch1-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]

The initial error was a similar one, then I tried to clean things up but still getting an error, the one above ^:

$ sudo mv /etc/pacman.d/gnupg/ /etc/pacman.d/gnupg.deleteme
$ sudo pacman-key --init                              
$ sudo pacman-key --populate                          
$ sudo mv /var/cache/pacman /var/cache/pacman.deleteme
$ sudo pacman -Sy archlinux-keyring 
$ sudo pacman-key --refresh-keys

The debug output:

$ sudo pacman -Syy linux --debug
debug: pacman v6.0.2 - libalpm v13.0.2
debug: config: attempting to read file /etc/pacman.conf
debug: config: new section 'options'
debug: config: HoldPkg: pacman
debug: config: HoldPkg: glibc
debug: config: Architecture: auto
debug: config: arch: x86_64
debug: config: SigLevel: Required
debug: config: SigLevel: DatabaseOptional
debug: config: LocalFileSigLevel: Optional
debug: config: new section 'core'
debug: config file /etc/pacman.conf, line 76: including /etc/pacman.d/mirrorlist
debug: config: new section 'extra'
debug: config file /etc/pacman.conf, line 82: including /etc/pacman.d/mirrorlist
debug: config: new section 'community'
debug: config file /etc/pacman.conf, line 88: including /etc/pacman.d/mirrorlist
debug: config: finished parsing /etc/pacman.conf
debug: setup_libalpm called
debug: option 'logfile' = /var/log/pacman.log
debug: option 'gpgdir' = /etc/pacman.d/gnupg/
debug: option 'hookdir' = /etc/pacman.d/hooks/
debug: option 'cachedir' = /var/cache/pacman/pkg/
debug: registering sync database 'core'
debug: database path for tree core set to /var/lib/pacman/sync/core.db
debug: "/var/lib/pacman/sync/core.db.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/core.db.sig could not be opened
debug: got error 43 at _alpm_gpgme_checksig (../lib/libalpm/signing.c: 603) : missing PGP signature
debug: missing optional signature
debug: setting usage of 15 for core repository
debug: adding new server URL to database 'core': https://mirror.init7.net/archlinux/core/os/x86_64
debug: adding new server URL to database 'core': https://mirror.puzzle.ch/archlinux/core/os/x86_64
debug: registering sync database 'extra'
debug: database path for tree extra set to /var/lib/pacman/sync/extra.db
debug: "/var/lib/pacman/sync/extra.db.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/extra.db.sig could not be opened
debug: got error 43 at _alpm_gpgme_checksig (../lib/libalpm/signing.c: 603) : missing PGP signature
debug: missing optional signature
debug: setting usage of 15 for extra repository
debug: adding new server URL to database 'extra': https://mirror.init7.net/archlinux/extra/os/x86_64
debug: adding new server URL to database 'extra': https://mirror.puzzle.ch/archlinux/extra/os/x86_64
debug: registering sync database 'community'
debug: database path for tree community set to /var/lib/pacman/sync/community.db
debug: "/var/lib/pacman/sync/community.db.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/community.db.sig could not be opened
debug: got error 43 at _alpm_gpgme_checksig (../lib/libalpm/signing.c: 603) : missing PGP signature
debug: missing optional signature
debug: setting usage of 15 for community repository
debug: adding new server URL to database 'community': https://mirror.init7.net/archlinux/community/os/x86_64
debug: adding new server URL to database 'community': https://mirror.puzzle.ch/archlinux/community/os/x86_64
:: Synchronizing package databases...
 core downloading...
 extra downloading...
 community downloading...
debug: core.db: url is https://mirror.init7.net/archlinux/core/os/x86_64/core.db
debug: core.db: maxsize 134217728
debug: core.db: opened tempfile for download: /var/lib/pacman/sync/core.db.part (wb)
debug: core.db: curl returned result 0 from transfer
debug: core.db: response code 200
debug: core.db.sig: url is https://mirror.init7.net/archlinux/core/os/x86_64/core.db.sig
debug: core.db.sig: maxsize 16384
debug: core.db.sig: opened tempfile for download: /var/lib/pacman/sync/core.db.sig.part (wb)
debug: core.db.sig: curl returned result 0 from transfer
debug: core.db.sig: response code 404
debug: core.db.sig: no more servers to retry
debug: extra.db: url is https://mirror.init7.net/archlinux/extra/os/x86_64/extra.db
debug: extra.db: maxsize 134217728
debug: extra.db: opened tempfile for download: /var/lib/pacman/sync/extra.db.part (wb)
debug: extra.db: curl returned result 0 from transfer
debug: extra.db: response code 200
debug: extra.db.sig: url is https://mirror.init7.net/archlinux/extra/os/x86_64/extra.db.sig
debug: extra.db.sig: maxsize 16384
debug: extra.db.sig: opened tempfile for download: /var/lib/pacman/sync/extra.db.sig.part (wb)
debug: extra.db.sig: curl returned result 0 from transfer
debug: extra.db.sig: response code 404
debug: extra.db.sig: no more servers to retry
debug: community.db: url is https://mirror.init7.net/archlinux/community/os/x86_64/community.db
debug: community.db: maxsize 134217728
debug: community.db: opened tempfile for download: /var/lib/pacman/sync/community.db.part (wb)
debug: community.db: curl returned result 0 from transfer
debug: community.db: response code 200
debug: community.db.sig: url is https://mirror.init7.net/archlinux/community/os/x86_64/community.db.sig
debug: community.db.sig: maxsize 16384
debug: community.db.sig: opened tempfile for download: /var/lib/pacman/sync/community.db.sig.part (wb)
debug: community.db.sig: curl returned result 0 from transfer
debug: community.db.sig: response code 404
debug: community.db.sig: no more servers to retry
debug: curl_download_internal return code is 0
debug: "/var/lib/pacman/sync/core.db.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/core.db.sig could not be opened
debug: got error 43 at _alpm_gpgme_checksig (../lib/libalpm/signing.c: 603) : missing PGP signature
debug: missing optional signature
debug: "/var/lib/pacman/sync/extra.db.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/extra.db.sig could not be opened
debug: got error 43 at _alpm_gpgme_checksig (../lib/libalpm/signing.c: 603) : missing PGP signature
debug: missing optional signature
debug: "/var/lib/pacman/sync/community.db.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/community.db.sig could not be opened
debug: got error 43 at _alpm_gpgme_checksig (../lib/libalpm/signing.c: 603) : missing PGP signature
debug: missing optional signature
debug: loading package cache for repository 'core'
debug: opening archive /var/lib/pacman/sync/core.db
debug: added 267 packages to package cache for db 'core'
debug: adding package 'linux'
debug: loading package cache for repository 'local'
debug: added 2064 packages to package cache for db 'local'
debug: adding package linux-6.7.4.arch1-1 to the transaction add list
resolving dependencies...
debug: resolving target's dependencies
debug: started resolving dependencies
debug: checkdeps: package linux-6.7.4.arch1-1
debug: finished resolving dependencies
looking for conflicting packages...
debug: looking for conflicts
debug: check targets vs targets
debug: check targets vs targets
debug: check targets vs db and db vs targets
debug: check targets vs db
debug: check db vs targets
debug: checking dependencies
debug: checkdeps: package linux-6.7.4.arch1-1
debug: found cached pkg: /var/cache/pacman/pkg/linux-6.7.4.arch1-1-x86_64.pkg.tar.zst
debug: setting download size 0 for pkg linux
debug: sorting by dependencies
debug: started sorting dependencies
debug: sorting dependencies finished

Packages (1) linux-6.7.4.arch1-1

Total Installed Size:  130,75 MiB
Net Upgrade Size:        0,10 MiB

:: Proceed with installation? [Y/n] 
debug: using cachedir: /var/cache/pacman/pkg/
debug: found cached pkg: /var/cache/pacman/pkg/linux-6.7.4.arch1-1-x86_64.pkg.tar.zst
debug: found cached pkg: /var/cache/pacman/pkg/linux-6.7.4.arch1-1-x86_64.pkg.tar.zst.sig
checking keyring...
debug: found signature key: B8AC08600F108CDF
debug: GPGME version: 1.23.2
debug: GPGME engine info: file=/usr/bin/gpg, home=/etc/pacman.d/gnupg/
debug: looking up key B8AC08600F108CDF locally
debug: key lookup success, key exists
checking package integrity...
debug: found cached pkg: /var/cache/pacman/pkg/linux-6.7.4.arch1-1-x86_64.pkg.tar.zst
debug: sig data: iHQEABYKAB0WIQSDvIiJNRtd67toQW64rAhgDxCM3wUCZcFzPwAKCRC4rAhgDxCM30APAPj93RctnG+n4/bNJ5QY7OXmgGwwdTILSUA8fnnbWOdbAQC9ZY7Ei34tbLajBf5t5RRz0Er7Jh2C7Ayxv3tLO8W/Ag==
debug: checking signature for /var/cache/pacman/pkg/linux-6.7.4.arch1-1-x86_64.pkg.tar.zst
debug: 1 signatures returned
debug: fingerprint: B8AC08600F108CDF
debug: summary: red
debug: status: Bad signature
debug: timestamp: 0
debug: exp_timestamp: 0
debug: validity: unknown; reason: Success
debug: key: 83BC8889351B5DEBBB68416EB8AC08600F108CDF, Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>, owner_trust unknown, disabled 0
debug: signature is not valid
error: linux: signature from "Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>" is invalid
:: File /var/cache/pacman/pkg/linux-6.7.4.arch1-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]             
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.
debug: unregistering database 'local'
debug: freeing package cache for repository 'local'
debug: unregistering database 'core'
debug: freeing package cache for repository 'core'
debug: unregistering database 'extra'
debug: unregistering database 'community'

If I search for 83BC8889351B5DEBBB68416EB8AC08600F108CDF in the "sudo pacman-key --refresh-keys" output, I get these hopefully relevant parts:

gpg: error retrieving 'jan.steffens@gmail.com' via WKD: No data
gpg: error reading key: No data
gpg: refreshing 1 key from hkps://keyserver.ubuntu.com
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: (use option "--allow-weak-key-signatures" to override)
gpg: key A5E9288C4FA415FA: 1 duplicate signature removed
gpg: key A5E9288C4FA415FA: 5 signatures not checked due to missing keys
gpg: key A5E9288C4FA415FA: "Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>" 2 new user IDs
gpg: key A5E9288C4FA415FA: "Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>" 6 new signatures
gpg: key A5E9288C4FA415FA: "Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>" 7 signatures cleaned
gpg: key A5E9288C4FA415FA: "Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>" 1 user ID cleaned
gpg: Total number processed: 1
gpg:           new user IDs: 2
gpg:         new signatures: 6
gpg:     signatures cleaned: 7
gpg:       user IDs cleaned: 1
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   5  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   5  signed:  97  trust: 0-, 0q, 0n, 5m, 0f, 0u
gpg: depth: 2  valid:  74  signed:  22  trust: 74-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2024-04-10
gpg: error retrieving 'jan.steffens@gmail.com' via WKD: No data
gpg: error reading key: No data
gpg: key B8AC08600F108CDF: "Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>" not changed
gpg: key 19802F8B0D70FC30: "Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2
pub   ed25519 2023-12-11 [SC]
      83BC8889351B5DEBBB68416EB8AC08600F108CDF
uid           [  undef ] Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
uid           [  full  ] Jan Alexander Steffens (heftig) <heftig@archlinux.org>
sub   ed25519 2023-12-11 [A]
sub   cv25519 2023-12-11 [E]

gpg: error retrieving 'jan.steffens@gmail.com' via WKD: No data
gpg: error reading key: No data
gpg: key B8AC08600F108CDF: "Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>" not changed
gpg: key 19802F8B0D70FC30: "Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2
pub   ed25519 2023-12-11 [SC]
      83BC8889351B5DEBBB68416EB8AC08600F108CDF
uid           [  undef ] Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
uid           [  full  ] Jan Alexander Steffens (heftig) <heftig@archlinux.org>
sub   ed25519 2023-12-11 [A]
sub   cv25519 2023-12-11 [E]

Any idea why the package signature cannot be verified?

Last edited by aleb (2024-02-09 15:37:27)

Scimmia · 2024-02-09 15:28:37

That isn't a keyring issue, that's a package issue. Try a different mirror.

BUT why are you doing a partial update? And why are you still downloading Community, which hasn't existed for almost 8 months?

seth · 2024-02-09 15:31:09

Remove the package from the cache and stop casually using the second "y" - read the manpage for what it actually does and *only* use it when you *really* have to.

Edit: fuck.

Last edited by seth (2024-02-09 15:32:01)

aleb · 2024-02-09 15:32:27

All good now, I ran this (again?) and it started updating

$ sudo pacman -Sy archlinux-keyring && sudo pacman -Su

aleb · 2024-02-09 15:36:42

Doing a partial upgrade just because the output is small than "sudo pacman -Syu".

I'm not downloading Community for a particular reason, must be some leftover.

I don't normally use "yy", I got it from some post a few minutes ago.

Scimmia · 2024-02-09 16:22:29

aleb wrote:

All good now, I ran this (again?) and it started updating
$ sudo pacman -Sy archlinux-keyring && sudo pacman -Su

Likely just from redownloading it, not the keyring update.

mountaintrek · 2024-02-09 18:28:37

aleb wrote:

...
I'm not downloading Community for a particular reason, must be some leftover.
...

Just a note:

Community doesn't exist any more. It was merged into extra and can be removed.

Source:

- Git migration announcement
- Monthly Report : Arch Linux in May 2023 : Git packaging

tsrodr · 2024-02-16 14:23:17

I had this issue this week (after not updating for too long, mea culpa) with different signatures. None of the advice here worked, save for waivering signature verification, which I did as a last resort but is obviously the less safe option.

I'm guessing my case at least was a mirror issue with some package or signature being out of date, but how could I verify if this is the case? Other than manually changing mirrors until one doesn't give a signature error, I mean.

I also still had Community enabled, could this've been the issue? In my case, the affected packages were nvidia-utils, musescore, blender and kdenlive, which are all currently in Extra, but I don't know if they were in Community prior.

At least for the moment my case is solved, I'm asking mostly because there might be useful information to add to relevant wiki pages.

seth · 2024-02-16 14:53:22

The issue *here* is about a broken package (most likely) - whether that's been your problem depends on what the actual errors were - the details matter a lot here.
Typical causes would be broken mirrors, broken traffic or broken filesystem.

waivering signature verification, which I did as a last resort

Don't. Ever. There's always a better solution even if it might require incremental updates.

Arch Linux

#1 2024-02-09 15:26:00

[SOLVED] Invalid or corrupted package

#2 2024-02-09 15:28:37

Re: [SOLVED] Invalid or corrupted package

#3 2024-02-09 15:31:09

Re: [SOLVED] Invalid or corrupted package

#4 2024-02-09 15:32:27

Re: [SOLVED] Invalid or corrupted package

#5 2024-02-09 15:36:42

Re: [SOLVED] Invalid or corrupted package

#6 2024-02-09 16:22:29

Re: [SOLVED] Invalid or corrupted package

#7 2024-02-09 18:28:37

Re: [SOLVED] Invalid or corrupted package

#8 2024-02-16 14:23:17

Re: [SOLVED] Invalid or corrupted package

#9 2024-02-16 14:53:22

Re: [SOLVED] Invalid or corrupted package

Board footer