
#1 2022-12-08 19:40:26

Birdink
Member
Registered: 2022-12-08
Posts: 3

[SOLVED] signatures are "unknown trust" even after importing PGP keys

Hi all, I'm having a hard-to-understand error trying to update Arch.

Things initially started with an "unknown trust" error with one particular signature when updating using "pacman -Syu", but after trying to do "pacman -Su archlinux-keyring" to fix it, things now seem to be more broken than before.
I first tried the following to fix the original signature issue:

# rm -rf /etc/pacman.d/gnupg
# pacman-key --init
# pacman-key --populate archlinux

However "pacman-key --populate archlinux" failed saying that there was no keyring file to import from "/usr/share/pacman/keyrings".

I then attempted to install keyring-archlinux, which somehow was not present on my system. Here's what happens when I do that:

% sudo pacman -Sy archlinux-keyring
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
 multilib is up to date
resolving dependencies...
looking for conflicting packages...

Packages (1) archlinux-keyring-20221123-1

Total Download Size:   1.11 MiB
Total Installed Size:  1.58 MiB

:: Proceed with installation? [Y/n]
:: Retrieving packages...
 archlinux-keyring-20221123-1-any                                                                                 1140.5 KiB  8.57 MiB/s 00:00 [#######################################################################################] 100%
(1/1) checking keys in keyring                                                                                                                 [#######################################################################################] 100%
downloading required keys...
:: Import PGP key 6D42BDD116E0068F, "Christian Hesse <eworm@archlinux.org>"? [Y/n]
(1/1) checking package integrity                                                                                                               [#######################################################################################] 100%
error: archlinux-keyring: signature from "Christian Hesse <eworm@archlinux.org>" is unknown trust
:: File /var/cache/pacman/pkg/archlinux-keyring-20221123-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

I've tried running "pacman-key --recv-keys 6D42BDD116E0068F" and "pacman-key --recv-keys" with the other keys for Christian Hesse referenced from here, but that doesn't seem to have solved the problem. No matter what I import, I always get the "signature is unknown trust" error. Does anyone have any idea what could be wrong here? Is gpg itself somehow having a problem actually checking the signature?

Last edited by Birdink (2022-12-08 20:17:37)


#2 2022-12-08 19:48:56

loqs
Member
Registered: 2014-03-06
Posts: 17,362

Re: [SOLVED] signatures are "unknown trust" even after importing PGP keys

Birdink wrote:

I first tried the following to fix the original signature issue:

# rm -rf /etc/pacman.d/gnupg
# pacman-key --init
# pacman-key --populate archlinux

However "pacman-key --populate archlinux" failed saying that there was no keyring file to import from "/usr/share/pacman/keyrings".

This means the master keys were not imported and given trust.  As a consequence developer keys you import which have been signed by the master keys will not be given any trust.
Edit:
You can use Package_signing#Adding_unofficial_keys to add the master keys.
Then you should be able to install archlinux-keyring.  After that you can then reset all keys.

Last edited by loqs (2022-12-08 20:10:51)
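The trust state loqs describes can be read from GnuPG's machine-readable key listing. The script below is an added example, not part of the thread or of pacman: the function names are hypothetical and the sample listings are constructed (only the key ID and user ID of the developer key come from the error output above).

```shell
#!/bin/sh
# Added example. Reads `gpg --with-colons` key listings; on a real system:
#   gpg --homedir /etc/pacman.d/gnupg --list-keys --with-colons | keyring_trust_report
# Colon fields used: 1=record type, 2=validity, 5=key ID, 9=ownertrust, 10=user ID.

# One line per public key: KEYID VALIDITY VERDICT USER-ID
keyring_trust_report() {
    awk -F: '
        $1 == "pub" { keyid = $5; v = ($2 == "" ? "-" : $2); pending = 1; next }
        $1 == "uid" && pending {
            if (v == "f" || v == "u")                  verdict = "trusted"
            else if (v == "m")                         verdict = "marginal"
            else if (v == "-" || v == "q" || v == "o") verdict = "unknown"
            else                                       verdict = "unusable"
            printf "%s %s %s %s\n", keyid, v, verdict, $10
            pending = 0
        }'
}

# Number of keys allowed to vouch for others (ownertrust marginal or full).
# Zero means no imported key can inherit trust, whatever signatures it carries.
count_introducers() {
    awk -F: '$1 == "pub" && ($9 == "m" || $9 == "f") { n++ } END { print n + 0 }'
}

# Constructed listing: keyring after --init and a bare --recv-keys, no --populate.
sample_broken() {
    cat <<'EOF'
pub:u:4096:1:0000000000000001:1670528000:::u:
uid:u::::1670528000::CONSTRUCTED::Pacman Keyring Master Key <pacman@localhost>:
pub:-:4096:1:6D42BDD116E0068F:1300000000:::-:
uid:-::::1300000000::CONSTRUCTED::Christian Hesse <eworm@archlinux.org>:
EOF
}

# Constructed listing: same keyring after the developer key is locally signed.
sample_after_lsign() {
    sample_broken | sed 's/^pub:-:/pub:f:/; s/^uid:-:/uid:f:/'
}

echo "before:";            sample_broken | keyring_trust_report
echo "introducers: $(sample_broken | count_introducers)"
echo "after --lsign-key:"; sample_after_lsign | keyring_trust_report
```

A local signature makes that one key valid, but the introducer count stays at zero until the master keys are populated, which is why the keyring reset is still needed afterwards.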


#3 2022-12-08 20:12:42

Birdink
Member
Registered: 2022-12-08
Posts: 3

Re: [SOLVED] signatures are "unknown trust" even after importing PGP keys

loqs wrote:
Birdink wrote:

I first tried the following to fix the original signature issue:

# rm -rf /etc/pacman.d/gnupg
# pacman-key --init
# pacman-key --populate archlinux

However "pacman-key --populate archlinux" failed saying that there was no keyring file to import from "/usr/share/pacman/keyrings".

This means the master keys were not imported and given trust.  As a consequence developer keys you import which have been signed by the master keys will not be given any trust.

Is there somewhere I can get those keys, or a keyring file, so that "pacman-key --populate" succeeds? I definitely don't remember ever deleting any keyring files from /usr/share/pacman/keyrings.
Do I need to import and sign them manually using "pacman-key --recv-keys" and "pacman-key --lsign-key"?

EDIT: Just saw your update, thanks! Doing --lsign-key for the necessary key and then running "pacman -S archlinux-keyring" got me to having the keyrings, after which I was able to follow the reset instructions and get everything working again. :)

Last edited by Birdink (2022-12-08 20:16:43)


#4 2022-12-08 20:48:18

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,550

Re: [SOLVED] signatures are "unknown trust" even after importing PGP keys

See the news on the front page, including older news. What likely happened here is that you don't have the base metapackage installed, so now that pacman no longer depends on it, it was an unneeded dependency. I assume you remove those without actually reading them? Also a bad idea.


#5 2022-12-08 20:57:45

Birdink
Member
Registered: 2022-12-08
Posts: 3

Re: [SOLVED] signatures are "unknown trust" even after importing PGP keys

Scimmia wrote:

See the news on the front page, including older news. What likely happened here is that you don't have the base metapackage installed, so now that pacman no longer depends on it, it was an unneeded dependency. I assume you remove those without actually reading them? Also a bad idea.

Hm, I was indeed missing base, although I don't seem to see any sign that it was ever installed before in my /var/log/pacman.log. Hopefully having it installed now will keep things more stable.

