pacman doesn't trust dev keys <solved>

JanVonNebenan · 2015-10-24 21:54:23

Since a week or so I seem to be stuck when trying to upgrade the system - most (all?) developer keys aren't recognized as valid any more and pacman -Syu bails out without updating anything.

Here's the output upgrading a (random) package:

sudo pacman -Sv gtk-update-icon-cache 
Root      : /
Conf File : /etc/pacman.conf
DB Path   : /var/lib/pacman/
Cache Dirs: /var/cache/pacman/pkg/  
Lock File : /var/lib/pacman/db.lck
Log File  : /var/log/pacman.log
GPG Dir   : /etc/pacman.d/gnupg/
Targets   : gtk-update-icon-cache
resolving dependencies...
looking for conflicting packages...

Packages (1) gtk-update-icon-cache-3.18.2-1

Total Download Size:   0.01 MiB
Total Installed Size:  0.03 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages ...
 gtk-update-icon-cache-3.18.2-1-x86_64                                287.0   B  0.00B/s 00:00 [--------------------------------------------------------] 100%
(1/1) checking keys in keyring                                                                 [--------------------------------------------------------] 100%
(1/1) checking package integrity                                                               [--------------------------------------------------------] 100%
error: gtk-update-icon-cache: signature from "Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>" is invalid
:: File /var/cache/pacman/pkg/gtk-update-icon-cache-3.18.2-1-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

Here's what I've tried so far:
- changed the key-server
- deleted local package cache
- verified that archlinux-keyring is up to date
- pacman-key --populate archlinux
- deleted /etc/pacman.d/gnupg/ and rerun pacman --init

From all I can tell the key is present:

gpg --homedir /etc/pacman.d/gnupg --list-keys

...
pub   rsa2048/4FA415FA 2011-08-25                                                                                                                             
uid         [  full  ] Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>                                                                               
uid         [  full  ] Jan Alexander Steffens (heftig) <jan-alexander.steffens@smail.inf.h-brs.de>                                                            
uid         [  full  ] [jpeg image of size 3865]                                                                                                              
sub   rsa2048/1151A394 2011-08-25  
...

..and valid:

sudo pacman-key -f 4FA415FA                                                                                                                    
pub   rsa2048/4FA415FA 2011-08-25
      Key fingerprint = 8218 F888 49AA C522 E94C  F470 A5E9 288C 4FA4 15FA
uid         [  full  ] Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
uid         [  full  ] Jan Alexander Steffens (heftig) <jan-alexander.steffens@smail.inf.h-brs.de>
uid         [  full  ] [jpeg image of size 3865]
sub   rsa2048/1151A394 2011-08-25

.. signing it (shouldn't be required) didn't change much

sudo pacman-key --lsign-key 4FA415FA
  -> Locally signing key 4FA415FA...
==> Updating trust database...
gpg: next trustdb check due at 2016-01-22

Running out of ideas - anyhelp appreciated.

Thanks!

Last edited by JanVonNebenan (2015-10-25 06:26:17)

jasonwryan · 2015-10-24 21:56:14

If pacman makes a recommendation [Y/n], it is almost always a good idea to accept it (Y).

Do a system upgrade and follow the prompts. Paste the output here if it doesn't work.

JanVonNebenan · 2015-10-24 22:08:19

Sorry, I've should have mentioned that I've done that. Here's the output:

sudo pacman -Sv gtk-update-icon-cache 
Root      : /
Conf File : /etc/pacman.conf
DB Path   : /var/lib/pacman/
Cache Dirs: /var/cache/pacman/pkg/  
Lock File : /var/lib/pacman/db.lck
Log File  : /var/log/pacman.log
GPG Dir   : /etc/pacman.d/gnupg/
Targets   : gtk-update-icon-cache
resolving dependencies...
looking for conflicting packages...

Packages (1) gtk-update-icon-cache-3.18.2-1

Total Download Size:   0.01 MiB
Total Installed Size:  0.03 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages ...
 gtk-update-icon-cache-3.18.2-1-x86_64                                287.0   B  0.00B/s 00:00 [--------------------------------------------------------] 100%
(1/1) checking keys in keyring                                                                 [--------------------------------------------------------] 100%
(1/1) checking package integrity                                                               [--------------------------------------------------------] 100%
error: gtk-update-icon-cache: signature from "Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>" is invalid
:: File /var/cache/pacman/pkg/gtk-update-icon-cache-3.18.2-1-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

Will update my initial posting as well.

Last edited by JanVonNebenan (2015-10-24 22:09:10)

jasonwryan · 2015-10-24 22:10:07

See: https://bbs.archlinux.org/viewtopic.php?id=130138

JanVonNebenan · 2015-10-25 01:35:11

jasonwryan wrote:

See: https://bbs.archlinux.org/viewtopic.php?id=130138

Yes. This is a general page about common problems people might experience with Arch Linux.

3. error: failed to commit transaction (invalid or corrupted package)
There are two ways to interpret this message: the signature for the package is invalid, so check your keyring is up-to-date and that you are synching with an up-to-date mirror, or the package was only partially downloaded and is indeed corrupt. If the latter, delete it manually from your cache, resynch your local database and reinstall the package with -Syyu $package.

I don't see any suggestion there that I have not already tried?

Scimmia · 2015-10-25 01:40:03

Delete the file from the cache and try a different mirror.

JanVonNebenan · 2015-10-25 06:25:28

I've chosen a different mirror and the upgrade went through without issues.

Not sure I fully understand what happened here. Why would a particular mirror deliver corrupt / unsigned packages? Wouldn't this be noticed by a lot more people than just me?

jasonwryan · 2015-10-25 06:27:07

The package was corrupt on your system, not on the mirror...

JanVonNebenan · 2015-10-25 06:28:45

jasonwryan wrote:

The package was corrupt on your system, not on the mirror...

But I've deleted the cache over and over again!?

Lone_Wolf · 2015-10-25 11:52:16

delete it manually from your cache

It may be unclear, but what that wants you to do is MANUALLY delete the problem file(s) from /var/cache/pacman/pkg/ .
Is that what you did ?

Scimmia · 2015-10-25 13:28:35

Yes, this package and a couple of others seem to be corrupt on a mirror or two. It's come up a couple of times.

Arch Linux

#1 2015-10-24 21:54:23

pacman doesn't trust dev keys <solved>

#2 2015-10-24 21:56:14

Re: pacman doesn't trust dev keys <solved>

#3 2015-10-24 22:08:19

Re: pacman doesn't trust dev keys <solved>

#4 2015-10-24 22:10:07

Re: pacman doesn't trust dev keys <solved>

#5 2015-10-25 01:35:11

Re: pacman doesn't trust dev keys <solved>

#6 2015-10-25 01:40:03

Re: pacman doesn't trust dev keys <solved>

#7 2015-10-25 06:25:28

Re: pacman doesn't trust dev keys <solved>

#8 2015-10-25 06:27:07

Re: pacman doesn't trust dev keys <solved>

#9 2015-10-25 06:28:45

Re: pacman doesn't trust dev keys <solved>

#10 2015-10-25 11:52:16

Re: pacman doesn't trust dev keys <solved>

#11 2015-10-25 13:28:35

Re: pacman doesn't trust dev keys <solved>

Board footer