#1 2022-09-19 01:25:14

Salkay
Member
Registered: 2014-05-22
Posts: 623

archlinux-keyring-wkd-sync.service constantly failing

archlinux-keyring-20220831-1 installed a new systemd service that seems to constantly fail.

# systemctl status archlinux-keyring-wkd-sync.service
× archlinux-keyring-wkd-sync.service - Refresh existing keys of archlinux-keyring
     Loaded: loaded (/usr/lib/systemd/system/archlinux-keyring-wkd-sync.service; static)
     Active: failed (Result: exit-code) since Mon 2022-09-19 07:19:31 AEST; 3h 57min ago
   Duration: 274ms
TriggeredBy: ● archlinux-keyring-wkd-sync.timer
    Process: 1768430 ExecStart=/usr/bin//archlinux-keyring-wkd-sync (code=exited, status=2)
   Main PID: 1768430 (code=exited, status=2)
        CPU: 247ms

Sep 19 07:19:31 hostname systemd[1]: Started Refresh existing keys of archlinux-keyring.
Sep 19 07:19:31 hostname archlinux-keyring-wkd-sync[1768430]: Skipping key 51588BCC4F03C4FAA8FAFC09887B16AB27243B9B with UID pacman@localhost...
Sep 19 07:19:31 hostname archlinux-keyring-wkd-sync[1768430]: Skipping key AB19265E5D7D20687D303246BA1DFB64FFF979E7 with UID allan@master-key.archlinux.org...
Sep 19 07:19:31 hostname archlinux-keyring-wkd-sync[1768430]: Skipping key DDB867B92AA789C165EEFA799B729B06A680C281 with UID bpiotrowski@master-key.archlinux.org...
Sep 19 07:19:31 hostname archlinux-keyring-wkd-sync[1768430]: Refreshing key 91FFE0700E80619CEB73235CA88E23E377514E00 with UID florian@master-key.archlinux.org...
Sep 19 07:19:31 hostname archlinux-keyring-wkd-sync[1768596]: gpg: error retrieving 'florian@master-key.archlinux.org' via WKD: Server indicated a failure
Sep 19 07:19:31 hostname archlinux-keyring-wkd-sync[1768596]: gpg: error reading key: Server indicated a failure
Sep 19 07:19:31 hostname systemd[1]: archlinux-keyring-wkd-sync.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Sep 19 07:19:31 hostname systemd[1]: archlinux-keyring-wkd-sync.service: Failed with result 'exit-code'.

I also found a Reddit thread referring to this issue. Should this job be working, and/or should we just mask it?

Offline

#2 2022-09-19 06:37:01

seth
Member
Registered: 2012-09-03
Posts: 53,250

Re: archlinux-keyring-wkd-sync.service constantly failing

sudo gpg --homedir /etc/pacman.d/gnupg --search-keys florian@master-key.archlinux.org # yes, must be UID0
pacman-key --list-keys florian@master-key.archlinux.org

https://wiki.archlinux.org/title/Pacman … _keyserver

Offline

#3 2022-09-19 09:43:21

Salkay
Member
Registered: 2014-05-22
Posts: 623

Re: archlinux-keyring-wkd-sync.service constantly failing

Thanks @seth.

$ sudo gpg --homedir /etc/pacman.d/gnupg --search-keys florian@master-key.archlinux.org
gpg: WARNING: unsafe permissions on homedir '/etc/pacman.d/gnupg'
gpg: data source: https://162.213.33.9:443
(1)	Florian Pritz (Arch Linux Master Key) <florian@master-key.archlinux.or
	  4096 bit RSA key A88E23E377514E00, created: 2015-12-17
Keys 1-1 of 1 for "florian@master-key.archlinux.org".  Enter number(s), N)ext, or Q)uit > 1
gpg: key A88E23E377514E00: 2 duplicate signatures removed
gpg: key A88E23E377514E00: "Florian Pritz (Arch Linux Master Key) <florian@master-key.archlinux.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
$ pacman-key --list-keys florian@master-key.archlinux.org
gpg: Note: trustdb not writable
pub   rsa4096 2015-12-17 [SC]
      91FFE0700E80619CEB73235CA88E23E377514E00
uid           [  full  ] Florian Pritz (Arch Linux Master Key) <florian@master-key.archlinux.org>
sub   rsa4096 2015-12-17 [E]

I'm not entirely sure what I'm doing here. Was this just to confirm that the key existed and was accessible on the server?

Also, it looks like I'm already using the Ubuntu keyserver.

$ cat /etc/pacman.d/gnupg/gpg.conf
no-greeting
no-permission-warning
lock-never
keyserver hkps://keyserver.ubuntu.com
keyserver-options timeout=10

Offline

#4 2022-09-19 12:30:48

seth
Member
Registered: 2012-09-03
Posts: 53,250

Re: archlinux-keyring-wkd-sync.service constantly failing

Was this just to confirm that the key existed and was accessible on the server?

Yes, doesn't look like there's any problem.
Does running

sudo archlinux-keyring-wkd-sync

directly cause any problems?

Offline

#5 2022-09-19 20:25:41

NiceGuy
Member
Registered: 2018-02-19
Posts: 50

Re: archlinux-keyring-wkd-sync.service constantly failing

At first, with the introduction of the additional service and timer units I also noticed the errors and in the end I decided to mask them in the meantime after experimentation made no difference.

@seth: Do you think it's just related to WKD servers? Nothing else was changed since I tried it, now it just behaves as intended.

Also there is a minor typo in the archlinux-keyring-wkd-sync.service in ConditionFileIsExecutable and ExecStart.  The path: /usr/bin//archlinux-keyring-wkd-sync is happily executed and the typo makes no difference here, wondered why.


What's odd, there is no different output of archlinux-keyring-wkd-sync no matter how often it is invoked via systemd timer or manually. Does this seem right to you?
I had the impression, after refreshing certain keys, that those keys would be skipped and the process of keyring synchronization would end quicker.

Last edited by NiceGuy (2022-09-19 20:26:42)

Offline

#6 2022-09-19 20:40:07

seth
Member
Registered: 2012-09-03
Posts: 53,250

Re: archlinux-keyring-wkd-sync.service constantly failing

there is no different output of archlinux-keyring-wkd-sync no matter how often it is invoked

It seems to unconditionally refresh all keys and only skip double entries (same key, different ID)

My current theory for Salkay's situation would be that the timer hits before the network is up and that causes the error w/ a bogus status - nothing in #3 suggests any problem w/ the key or keyserver or Salkay's configuration.

Offline

#7 2022-09-20 00:49:15

Salkay
Member
Registered: 2014-05-22
Posts: 623

Re: archlinux-keyring-wkd-sync.service constantly failing

Does running ... directly cause any problems?

@seth Hm, that worked fine when I just tested. I then tried to restart archlinux-keyring-wkd-sync.service, and this started fine now (as per journalctl), but it did fail partway with

Sep 19 23:54:43 hostname archlinux-keyring-wkd-sync[1953092]: Refreshing key 601F20F1D1BBBF4A78CF5B6DF6B1610B3ECDBC9F with UID crerar@archlinux.org...
Sep 19 23:54:49 hostname archlinux-keyring-wkd-sync[1953361]: gpg: error retrieving 'crerar@archlinux.org' via WKD: End of file
Sep 19 23:54:49 hostname archlinux-keyring-wkd-sync[1953361]: gpg: error reading key: End of file
Sep 19 23:54:49 hostname systemd[1]: archlinux-keyring-wkd-sync.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Sep 19 23:54:49 hostname systemd[1]: archlinux-keyring-wkd-sync.service: Failed with result 'exit-code'.

I wonder if that was just a random network error. I suspect you are correct, and it's a network issue that is causing most of the errors. I do use a VPN, so perhaps it just takes a little while to establish network, which sometimes causes issues for the service.

EDIT: I also see this error on my server that is always connected to the network, so I suspect that any temporary issue with connectivity to the server causes this service to fail.

EDIT2: This seems to occur every few days, even on a stable connection. I just run sudo systemctl restart archlinux-keyring-wkd-sync.service, which seems to fix it.

Last edited by Salkay (2022-10-22 05:32:24)

Offline

#8 2022-10-25 19:17:41

MrDuck
Member
Registered: 2022-10-25
Posts: 2

Re: archlinux-keyring-wkd-sync.service constantly failing

Hope this is not necro-bumping but title seemed appropriate and may be a "version-agnostic" potential solution ...

If the /usr/bin/gpg command fails, on line 58 of the service script, the script will terminate with an error and so the service fails.

If we change line 58 of /usr/bin/archlinux-keyring-wkd-sync from:

"${gpg_locate_external[@]}" "${fpr_email[1]}"

to:

"${gpg_locate_external[@]}" "${fpr_email[1]}" || true

... then the script will continue to process the remaining keys without error.

Perhaps the script should be patched to do this?

Offline

#9 2022-10-25 19:46:59

seth
Member
Registered: 2012-09-03
Posts: 53,250

Re: archlinux-keyring-wkd-sync.service constantly failing

This would be better discussed at https://gitlab.archlinux.org/archlinux/ … x-keyring/

Offline

#10 2022-10-25 20:16:15

MrDuck
Member
Registered: 2022-10-25
Posts: 2

Re: archlinux-keyring-wkd-sync.service constantly failing

Offline

#11 2022-10-25 23:25:33

Salkay
Member
Registered: 2014-05-22
Posts: 623

Re: archlinux-keyring-wkd-sync.service constantly failing

Thanks for the detective work @MrDuck and thanks for filing the issue. Good to know, and I can always patch it if it's not changed upstream.

Offline

#12 2022-11-22 08:25:53

drankinatty
Member
From: Nacogdoches, Texas
Registered: 2009-04-24
Posts: 70
Website

Re: archlinux-keyring-wkd-sync.service constantly failing

I am hit by this very problem after doing a $ sudo pacman -Syu. I have journal errors that are 10+ lines long for what looks like every key in the keyring, e.g.

Nov 22 02:20:01 valkyrie archlinux-keyring-wkd-sync[12851]: Refreshing key 64B13F7117D6E07D661BBCE0FE763A64F5E54FD6 with UID kpcyrd@archlinux.org...
Nov 22 02:20:16 valkyrie archlinux-keyring-wkd-sync[18893]: gpg: error retrieving 'kpcyrd@archlinux.org' via WKD: Connection timed out
Nov 22 02:20:16 valkyrie archlinux-keyring-wkd-sync[18893]: gpg: error reading key: Connection timed out
Nov 22 02:20:16 valkyrie archlinux-keyring-wkd-sync[12851]: Skipping key A2FF3A36AAA56654109064AB19802F8B0D70FC30 with UID jan.steffens@gmail.com...
Nov 22 02:20:16 valkyrie archlinux-keyring-wkd-sync[12851]: Skipping key A2FF3A36AAA56654109064AB19802F8B0D70FC30 with UID jan.steffens@ltnglobal.com...
Nov 22 02:20:16 valkyrie archlinux-keyring-wkd-sync[12851]: Refreshing key A2FF3A36AAA56654109064AB19802F8B0D70FC30 with UID heftig@archlinux.org...
Nov 22 02:20:31 valkyrie archlinux-keyring-wkd-sync[18896]: gpg: error retrieving 'heftig@archlinux.org' via WKD: Connection timed out
Nov 22 02:20:31 valkyrie archlinux-keyring-wkd-sync[18896]: gpg: error reading key: Connection timed out
Nov 22 02:20:31 valkyrie archlinux-keyring-wkd-sync[12851]: Skipping key 05C7775A9E8B977407FE08E69D4C5AA15426DA0A with UID frederik.schwan@linux.com...
Nov 22 02:20:31 valkyrie archlinux-keyring-wkd-sync[12851]: Skipping key 05C7775A9E8B977407FE08E69D4C5AA15426DA0A with UID frederik@schwan.it...
Nov 22 02:20:31 valkyrie archlinux-keyring-wkd-sync[12851]: Skipping key 05C7775A9E8B977407FE08E69D4C5AA15426DA0A with UID frederik@tty42.de...

The error messages should output the IP for the failing refresh so we can confirm it isn't part of a block that is in iptables. With many of the Arch servers spread all over the world, and part of IP blocks that in the past have been suspect within RIPE or other bodies, that would be helpful.

Has the fix been incorporated upstream?  The update went fine, the journal is just getting filled with the "Skipping key" errors.

Last edited by drankinatty (2022-11-22 08:35:00)


David C. Rankin, J.D.,P.E.

Offline

#13 2022-11-22 09:18:46

Salkay
Member
Registered: 2014-05-22
Posts: 623

Re: archlinux-keyring-wkd-sync.service constantly failing

It's "fixed" as per the linked issue, but it still fails for me every couple of days. I actually created an account to comment on this issue and mention the failing, but my comment was ignored.

What does this service actually do? Can we just mask it?

Offline

#14 2022-11-22 11:05:47

seth
Member
Registered: 2012-09-03
Posts: 53,250

Re: archlinux-keyring-wkd-sync.service constantly failing

systemctl show archlinux-keyring-wkd-sync.service wrote:

Description=Refresh existing keys of archlinux-keyring

It's to combat all the "Q: helps, update failed!!! / A: pacman -Sy archlinux-keyring; pacman -Syu" situations.
You're better off w/ the script "failing" on individual keys (typically because of local flaky network) and have them hopefully just sanitized than running into the keyring errors whenever you occasionally update. But you can mask it and then just remember to pre-update the keyring when you get related failures.

Offline

#15 2022-11-22 11:32:29

Salkay
Member
Registered: 2014-05-22
Posts: 623

Re: archlinux-keyring-wkd-sync.service constantly failing

Thanks @seth, that makes sense.

Offline

#16 2023-02-28 15:56:46

ckujau
Member
Registered: 2017-02-02
Posts: 10

Re: archlinux-keyring-wkd-sync.service constantly failing

So, for some reason searching the forums for "archlinux-keyring-wkd-sync" returned no results, but with an internet search engine I found this thread. On this machine "archlinux-keyring-wkd-sync.service" has been failing for a few days now, and executing it manually reveals:

$ sudo bash -x /usr/bin//archlinux-keyring-wkd-sync
[....]
+ printf 'Refreshing key %s with UID %s...\n' 04CF0CD6F6EE93AE1896F58407D06351CA5B31BE tpkessler@archlinux.org
Refreshing key 04CF0CD6F6EE93AE1896F58407D06351CA5B31BE with UID tpkessler@archlinux.org...
+ gpg --homedir /etc/pacman.d/gnupg/ --quiet --no-permission-warning --auto-key-locate clear,nodefault,wkd --locate-external-keys tpkessler@archlinux.org
pub   ed25519 2022-12-07 [SC] [expires: 2023-12-07]
      04CF0CD6F6EE93AE1896F58407D06351CA5B31BE
uid           [  full  ] Torsten Keßler <tpkessler@archlinux.org>
sub   cv25519 2022-12-07 [E] [expires: 2023-12-07]

+ read -ra fpr_email
+ exit 3

...which matches the return code when the service is executed from its timer:

$ sudo journalctl -u archlinux-keyring-wkd-sync
[...]
Feb 27 19:13:46 archlinux-keyring-wkd-sync[2406472]: Refreshing key 04CF0CD6F6EE93AE1896F58407D06351CA5B31BE with UID tpkessler@archlinux.org...
Feb 27 19:13:46 archlinux-keyring-wkd-sync[2406686]: pub   ed25519 2022-12-07 [SC] [expires: 2023-12-07]
Feb 27 19:13:46 archlinux-keyring-wkd-sync[2406686]:       04CF0CD6F6EE93AE1896F58407D06351CA5B31BE
Feb 27 19:13:46 archlinux-keyring-wkd-sync[2406686]: uid           [  full  ] Torsten Keßler <tpkessler@archlinux.org>
Feb 27 19:13:46 archlinux-keyring-wkd-sync[2406686]: sub   cv25519 2022-12-07 [E] [expires: 2023-12-07]
Feb 27 19:13:46 systemd[1]: archlinux-keyring-wkd-sync.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED   <== !!
Feb 27 19:13:46 systemd[1]: archlinux-keyring-wkd-sync.service: Failed with result 'exit-code'.
Feb 27 19:13:46 systemd[1]: archlinux-keyring-wkd-sync.service: Consumed 3.822s CPU time.
Feb 27 19:18:47 systemd[1]: archlinux-keyring-wkd-sync.service: Scheduled restart job, restart counter is at 2.
Feb 27 19:18:47 systemd[1]: Stopped Refresh existing keys of archlinux-keyring.
Feb 27 19:18:47 systemd[1]: archlinux-keyring-wkd-sync.service: Consumed 3.822s CPU time.
Feb 27 19:18:47 systemd[1]: archlinux-keyring-wkd-sync.service: Start request repeated too quickly.
Feb 27 19:18:47 systemd[1]: archlinux-keyring-wkd-sync.service: Failed with result 'exit-code'.
Feb 27 19:18:47 systemd[1]: Failed to start Refresh existing keys of archlinux-keyring.

...but I couldn't really figure out why it exits with RC 3 on the last entry. Then again, I'm not a big fan of that whole "<<< $fingerprint_mboxes" construction, I find it hard to read. With the following change the service exits with RC 0 again:

--- /usr/bin//archlinux-keyring-wkd-sync.orig   2023-01-30 10:15:48.000000000 +0100
+++ /usr/bin//archlinux-keyring-wkd-sync        2023-02-28 16:51:20.886625690 +0100
@@ -34,10 +34,9 @@ gpg_locate_external=(
 # e.g.:
 # C7E7849466FE2358343588377258734B41C31549 dvzrv@archlinux.org
 # 8FC15A064950A99DD1BD14DD39E4B877E62EB915 svenstaro@gmail.com
-fingerprint_mboxes="$(
+fingerprint_mboxes() {
     gpg --homedir "$homedir" --no-permission-warning --list-keys --list-options show-only-fpr-mbox
-)"
-error=0
+}
 
 # a list of <fingerprints> of all revoked keys and keys that have no valid main
 # key signatures
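Review bot: turning `fingerprint_mboxes` from a captured string into a function means the `gpg --list-keys` listing is no longer taken once; it is re-run on every call, and the loop over `"$main_key_domain_match" "$packager_domain_match"` calls it once per pass. Keep the `fingerprint_mboxes="$( ... )"` assignment, or capture the function's output into a variable once before the loop, and leave `error=0` where it was so the counter's initialisation stays next to the data it relates to.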
@@ -51,16 +50,17 @@ if (( EUID != 0 )); then
      exit 1
 fi
 
+error=0
 # first update the main signing keys, then the packager keys
 for domain_match in "$main_key_domain_match" "$packager_domain_match"; do
-    while read -ra fpr_email; do
+    fingerprint_mboxes | while read -ra fpr_email; do
         if [[ ${fpr_email[1]} =~ $domain_match && ! "$old_fingerprints" =~ ${fpr_email[0]} ]]; then
             printf "Refreshing key %s with UID %s...\n" "${fpr_email[0]}" "${fpr_email[1]}"
             "${gpg_locate_external[@]}" "${fpr_email[1]}" || let ++error
         else
             printf "Skipping key %s with UID %s...\n" "${fpr_email[0]}" "${fpr_email[1]}"
         fi
-    done <<< "$fingerprint_mboxes"
+    done
 done
 
 exit ${error}
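Review bot: `fingerprint_mboxes | while read -ra fpr_email; do` puts the loop on the right-hand side of a pipeline, so bash runs the loop body in a subshell and the `let ++error` increments never reach the parent shell; `exit ${error}` then always returns the initial 0 and failed refreshes are reported as success. Keep the loop in the current shell, either with the original `done <<< "$fingerprint_mboxes"` or, if the function is kept, with `done < <(fingerprint_mboxes)`.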

But, this all worked before, so I wonder why it started failing only now.

Offline

#17 2023-02-28 16:35:00

Raynman
Member
Registered: 2011-10-22
Posts: 1,539

Re: archlinux-keyring-wkd-sync.service constantly failing

It's not the last entry that fails (tpkessler@archlinux.org's key refreshed successfully). $error is a counter for the number of failed "key refresh" iterations. Your patch hides the actual error count from the main script so it always exits with the initial error=0: https://mywiki.wooledge.org/BashFAQ/024

Offline

#18 2023-02-28 16:44:37

ckujau
Member
Registered: 2017-02-02
Posts: 10

Re: archlinux-keyring-wkd-sync.service constantly failing

Gaah, I should've known this would've been too easy :-) So, yeah...disregard that diff then. Still, I feel "|| break" would be more appropriate then, or a more descriptive error message which key actually failed. With that:

+ printf 'Refreshing key %s with UID %s...\n' 0F334D8698881578F65D2AE55ED514A45BD5C938 djgera@archlinux.org
Refreshing key 0F334D8698881578F65D2AE55ED514A45BD5C938 with UID djgera@archlinux.org...
+ gpg --homedir /etc/pacman.d/gnupg/ --quiet --no-permission-warning --auto-key-locate clear,nodefault,wkd --locate-external-keys djgera@archlinux.org
gpg: error retrieving 'djgera@archlinux.org' via WKD: No data
gpg: error reading key: No data
+ break
+ exit 0

Aha! So, this is related to the "Remove packager key of djgera" ticket then?

Offline

#19 2023-03-01 01:50:21

Ram-Z
Member
Registered: 2012-09-04
Posts: 18

Re: archlinux-keyring-wkd-sync.service constantly failing

FWIW, I have a patch at "Collect failed keys and print them at the end" which prints all the errors at the end.

I'm currently seeing this output:

Error refreshing key 0F334D8698881578F65D2AE55ED514A45BD5C938 with UID djgera@archlinux.org.
Error refreshing key F4DDD6DDCEC320B665F502AAE8F18BA1615137BC with UID ibiru@archlinux.org.
Error refreshing key EA84EA00866F51FB10CD19AE426991CD8406FFF3 with UID ronald@archlinux.org.
Error refreshing key 2C7849767F14C23890B12791918F7DDFFD8D0B6E with UID andrea@archlinux.org.

Offline
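
The effect described in #17 and the end-of-run reporting shown in #19, as an added example that is not code from this thread or from archlinux-keyring: the same refresh loop fed once through a pipe and once through redirection, continuing past failed keys as proposed in #8. `refresh_key`, the function names and the sample keys are constructed stand-ins for the gpg call and keyring, and a here-document replaces the script's bash here-string so the block also runs in plain sh.

```shell
#!/bin/sh
# Constructed "<fingerprint> <mbox>" pairs in the format the script's comment
# shows; fingerprints and addresses are placeholders, not real keys.
KEYS='AAAA000000000000000000000000000000000001 alice@example.org
AAAA000000000000000000000000000000000002 bob@example.org
AAAA000000000000000000000000000000000003 carol@example.org
AAAA000000000000000000000000000000000004 dave@example.org'

# Hypothetical stand-in for the gpg --locate-external-keys call so the example
# runs offline: two of the sample addresses fail with status 2.
refresh_key() {
    case "$1" in
        bob@example.org | dave@example.org) return 2 ;;
        *) return 0 ;;
    esac
}

# Loop fed by a pipe: the loop body runs in a subshell, so its increments of
# $error are lost and the count printed afterwards is still 0.
count_failures_piped() {
    error=0
    printf '%s\n' "$KEYS" | while read -r fpr mbox; do
        refresh_key "$mbox" || error=$((error + 1))
    done
    printf '%s\n' "$error"
}

# Loop fed by redirection: it runs in the current shell, carries on after a
# failed key, counts the failures and lists the failed keys on stderr.
count_failures_redirected() {
    error=0
    failed=''
    while read -r fpr mbox; do
        if ! refresh_key "$mbox"; then
            error=$((error + 1))
            failed="${failed}Error refreshing key ${fpr} with UID ${mbox}.
"
        fi
    done <<EOF
$KEYS
EOF
    printf '%s' "$failed" >&2
    printf '%s\n' "$error"
}

echo "piped loop reports $(count_failures_piped) failed keys"
echo "redirected loop reports $(count_failures_redirected) failed keys"
```

Used as an exit status, the first count makes a run with failed refreshes look like a clean one, while the second gives a monitoring hook both the number of failures and the affected keys.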

#20 2024-02-10 11:18:17

Kissarch
Member
Registered: 2021-05-29
Posts: 2

Re: archlinux-keyring-wkd-sync.service constantly failing

Hello

So I read this forum thread, thank you as it helped me.

I had the same problem while running "archinstall" to create a new clean archlinux on a new old SSD.
"archinstall" stopped and stayed waiting to finish retrieving the keys... for hours...
And I had some same problems with previous installations of some packages, from AUR or not...

Letting the "archinstall" console running, In another console, I tried

sudo systemctl restart archlinux-keyring-wkd-sync.service

no changes for "archinstall": still waiting...

After that, I modified /etc/pacman.d/gnupg/gpg.conf
inserting this line:

$ cat /etc/pacman.d/gnupg/gpg.conf
...
keyserver hkps://keyserver.ubuntu.com
...

And

sudo systemctl restart archlinux-keyring-wkd-sync.service

archinstall still waiting !

After that, I changed /usr/bin/archlinux-keyring-wkd-sync from:

$ cat /usr/bin/archlinux-keyring-wkd-sync
"${gpg_locate_external[@]}" "${fpr_email[1]}"
to:
"${gpg_locate_external[@]}" "${fpr_email[1]}" || true

And

sudo systemctl restart archlinux-keyring-wkd-sync.service

This time with error !

So I went back to the previous version, without

 || true

And

sudo systemctl restart archlinux-keyring-wkd-sync.service

This time with no error, but "archinstall" still waiting...

I finally thought to read the logs :-) with
as suggested at the previous error at restart of the service :

$ journalctl -xeu archlinux-keyring-wkd-sync
...
The unit archlinux-keyring-wkd-sync.service completed and consumed the indicated resources.
systemd[1]: archlinux-keyring-wkd-sync.service: Start request repeated too quickly.
systemd[1]: archlinux-keyring-wkd-sync.service: Failed with result 'start-limit-hit'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- The unit archlinux-keyring-wkd-sync.service has entered the 'failed' state with result 'start-limit-hit'.
Feb 10 10:55:00 Computer01 systemd[1]: Failed to start Refresh existing keys of archlinux-keyring.

I do not know the source of the 'start-limit-hit', if it is from the systemd configuration file

So this time, I executed directly:

$ sudo /usr/bin/archlinux-keyring-wkd-sync

That solved the problem, and "archinstall" "continued",
and finished installing archlinux on my clean old new SSD.

I supposed something limits the download of the keys in systemd configuration file,
I checked:

$ cat /usr/lib/systemd/system/archlinux-keyring-wkd-sync.service
[Unit]
After=network-online.target nss-lookup.target
ConditionPathIsDirectory=/etc/pacman.d/gnupg/
ConditionPathIsReadWrite=/etc/pacman.d/gnupg/
ConditionFileIsExecutable=/usr/bin/archlinux-keyring-wkd-sync
Description=Refresh existing keys of archlinux-keyring
Wants=network-online.target
StartLimitIntervalSec=1hour
StartLimitBurst=3

[Service]
ExecStart=/usr/bin/archlinux-keyring-wkd-sync
Restart=on-failure
RestartSec=5minutes

CapabilityBoundingSet=
DeviceAllow=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=noaccess
ProtectSystem=strict
ReadWritePaths=/etc/pacman.d/gnupg
RemoveIPC=true
RestrictAddressFamilies=~AF_PACKET AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@resources

See:

...
StartLimitIntervalSec=1hour
StartLimitBurst=3
...
RestartSec=5minutes
StartLimitIntervalSec=1hour
...

so

I do not know if it is that that solved the problem!
Is it the line to the "ubuntu" "keyserver", to finally retrieve the keys by hand ?
or (not xor !)
Is it that I run directly "archlinux-keyring-wkd-sync" , ignoring the limits...
or (not xor !)
Is it that this keyserver or another one sent the claimed keys...

And it can explain why sometimes I cannot install or update some packages (AUR or not)...
since months, and had to give parameters to makepkg to ignore some keys...

Several years ago, I predicted that all those systems of keys would create problems...
I was right and still am!

Have a very nice day !


PS: my full gpg.conf for pacman.
I commented out the ubuntu keyserver as I think it is not the place to put this instruction
and that could limit the keyservers where keys will be searched... Will see...

$ cat /etc/pacman.d/gnupg/gpg.conf
no-greeting
no-permission-warning
lock-never
# keyserver hkps://keyserver.ubuntu.com
keyserver-options timeout=10
keyserver-options import-clean
keyserver-options no-self-sigs-only

Kiss (Keep It Simple Stupid) + Arch (since 2009) + Foss (Free Open Source Software)

Offline

#21 2024-02-10 12:06:07

WorMzy
Forum Moderator
From: Scotland
Registered: 2010-06-16
Posts: 12,033
Website

Re: archlinux-keyring-wkd-sync.service constantly failing

Mod note: Closing this old topic.


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.

Offline
