You are not logged in.

#1 2023-01-05 17:24:38

thoth
Member
Registered: 2010-01-10
Posts: 79

archlinux-keyring abuse

I am used to the normal updating of the keyring every so often where you have to update archlinux-keyring, but I've noticed lately that even if you update the keyring immediately before updating and as a separate command preceding the update command, pacman will still fail:

sudo pacman -Sy archlinux-keyring && sudo pacman -Su

The only method that seems to work is to violently abuse pacman:

punishPacman.sh

#!/bin/bash
# This script will take pacman behind the barn and repeatedly shove keyrings in his nose
for i in {1..9}; do sudo pacman -Sy archlinux-keyring --noconfirm; done  
echo 'Now that pacman should be puking keyrings an update will work'
sudo pacman -Su

Help me stop beating pacman like a rented mule, what is the proper way to maintain this keyring?

Here is an example of it failing just after updating the keyring:

 sudo pacman -Sy archlinux-keyring --noconfirm && sudo pacman -Su --noconfirm
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
 multilib is up to date
 xyne-any is up to date
 xyne-x86_64 is up to date
 archrepo is up to date
warning: archlinux-keyring-20221220-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) archlinux-keyring-20221220-1

Total Installed Size:  1.60 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring                                                                                                                                                                                                  [#############################################################################################################################################] 100%
(1/1) checking package integrity                                                                                                                                                                                                [#############################################################################################################################################] 100%
(1/1) loading package files                                                                                                                                                                                                     [#############################################################################################################################################] 100%
(1/1) checking for file conflicts                                                                                                                                                                                               [#############################################################################################################################################] 100%
(1/1) checking available disk space                                                                                                                                                                                             [#############################################################################################################################################] 100%
:: Processing package changes...
(1/1) reinstalling archlinux-keyring                                                                                                                                                                                            [#############################################################################################################################################] 100%
==> Appending keys from archlinux.gpg...
==> Updating trust database...
gpg: next trustdb check due at 2023-04-21
==> Updating trust database...
gpg: next trustdb check due at 2023-04-21
:: Running post-transaction hooks...
(1/2) Reloading system manager configuration...
(2/2) Arming ConditionNeedsUpdate...
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...
warning: dependency cycle detected:
warning: openshadinglanguage will be installed before its openimageio dependency

....lots of packages

(366/366) checking keys in keyring                                                                              [###################################################################] 100%
(366/366) checking package integrity                                                                            [###################################################################] 100%
error: emacs: signature from "Felix Yan <felixonmars@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/emacs-28.2-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: vigra: signature from "Evangelos Foutras <evangelos@foutrelis.com>" is invalid
:: File /var/cache/pacman/pkg/vigra-1.11.1.r67+g093d57d1-5-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: gimp: signature from "Felix Yan <felixonmars@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/gimp-2.10.32-3-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: wxwidgets-common: signature from "Evangelos Foutras <evangelos@foutrelis.com>" is invalid
:: File /var/cache/pacman/pkg/wxwidgets-common-3.2.1-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: wxwidgets-gtk3: signature from "Evangelos Foutras <evangelos@foutrelis.com>" is invalid
:: File /var/cache/pacman/pkg/wxwidgets-gtk3-3.2.1-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: linux: signature from "Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>" is invalid
:: File /var/cache/pacman/pkg/linux-6.1.3.arch1-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: opera: signature from "Ike Devolder <ike.devolder@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/opera-94.0.4606.54-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: python-pillow: signature from "Evangelos Foutras <evangelos@foutrelis.com>" is invalid
:: File /var/cache/pacman/pkg/python-pillow-9.4.0-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: sdl2_image: signature from "Felix Yan <felixonmars@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/sdl2_image-2.6.2-3-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: shellcheck: signature from "Felix Yan <felixonmars@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/shellcheck-0.9.0-5-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: xsane: signature from "Felix Yan <felixonmars@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/xsane-0.999-6-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: yakuake: signature from "Antonio Rojas <arojas@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/yakuake-22.12.1-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.

Last edited by thoth (2023-01-05 18:18:04)

Offline

#2 2023-01-05 17:43:03

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680
Website

Re: archlinux-keyring abuse

Is the system clock correct?

Otherwise perhaps try https://wiki.archlinux.org/title/Pacman … l_the_keys.

Offline

#3 2023-01-05 17:46:34

mpan
Member
Registered: 2012-08-01
Posts: 1,188
Website

Re: archlinux-keyring abuse

Manually updating archlinux-keyring should not be needed on each update. That’s an emergency procedure, which may be needed for systems that were left unmaintained for a long time.⁽¹⁾ Having to do this is an exceptional situation.

Almost always doing simple `sudo pacman -Syu` should work flawlessly.

The log you provided also indicates your keyring is up to date and reinstalling it does not introduce any chances. So the presence of corrupted packages seem to indicate that… the packages are actually corrupted.

Did you try using a different mirror? Are you using HTTPS only mirrors?

Recently archlinux-keyring-wkd-sync.{timer,service} has been introduced and there were reported various trouble caused by that. You may check that too, but only after eliminating the much more likely causes given above.
____
⁽¹⁾ Last year there was a sequence of frequent archlinux-keyring updates, which indeed yielded some trouble even to people who update often enough (for some definition of “often enough”). But that’s a rare occurrence.

Last edited by mpan (2023-01-05 17:50:10)


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#4 2023-01-05 18:14:41

thoth
Member
Registered: 2010-01-10
Posts: 79

Re: archlinux-keyring abuse

Is the system clock correct?

synchronized:

timedatectl status             
               Local time: Thu 2023-01-05 12:03:04 CST
           Universal time: Thu 2023-01-05 18:03:04 UTC
                 RTC time: Thu 2023-01-05 18:03:04
                Time zone: America/Rainy_River (CST, -0600)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

Did you try using a different mirror? Are you using HTTPS only mirrors?

I regularly update my mirror list with reflector, and only accept https protocol mirrors:

  sudo reflector \
      --threads 10 \
      --verbose \
      --save "/etc/pacman.d/mirrorlist" \
      --protocol https \
      --sort rate \
      --age 24 \
      --score 100 \
      --fastest 100 \
      --latest 100

Recently archlinux-keyring-wkd-sync.{timer,service} has been introduced and there were reported various trouble caused by that. You may check that too, but only after eliminating the much more likely causes given above.

is that service supposed to be enabled by default?  looked dead here:

systemctl status archlinux-keyring-wkd-sync.service
○ archlinux-keyring-wkd-sync.service - Refresh existing keys of archlinux-keyring
     Loaded: loaded (/usr/lib/systemd/system/archlinux-keyring-wkd-sync.service; static)
     Active: inactive (dead)
TriggeredBy: ● archlinux-keyring-wkd-sync.timer

But enabling it looks kind of ugly:

sudo systemctl enable --now archlinux-keyring-wkd-sync.service
The unit files have no installation config (WantedBy=, RequiredBy=, Also=,
Alias= settings in the [Install] section, and DefaultInstance= for template
units). This means they are not meant to be enabled using systemctl.
 
Possible reasons for having this kind of units are:
• A unit may be statically enabled by being symlinked from another unit's
  .wants/ or .requires/ directory.
• A unit's purpose may be to act as a helper for some other unit which has
  a requirement dependency on it.
• A unit may be started when needed via activation (socket, path, timer,
  D-Bus, udev, scripted systemctl call, ...).
• In case of template units, the unit is meant to be enabled with some
  instance name specified.

nonetheless it does appear to be running now:

systemctl status archlinux-keyring-wkd-sync.service      
● archlinux-keyring-wkd-sync.service - Refresh existing keys of archlinux-keyring
     Loaded: loaded (/usr/lib/systemd/system/archlinux-keyring-wkd-sync.service; static)
     Active: active (running) since Thu 2023-01-05 12:10:06 CST; 12s ago
TriggeredBy: ● archlinux-keyring-wkd-sync.timer
   Main PID: 5552 (archlinux-keyri)
      Tasks: 4 (limit: 96226)
     Memory: 18.7M
        CPU: 583ms
     CGroup: /system.slice/archlinux-keyring-wkd-sync.service
             ├─5552 /usr/bin/bash /usr/bin/archlinux-keyring-wkd-sync
             ├─5563 dirmngr --daemon --homedir /etc/pacman.d/gnupg
             └─5601 gpg --homedir /etc/pacman.d/gnupg/ --quiet --no-permission-warning --auto-key-locate clear,nodefault,wkd --locate-external-keys coderobe@archlinux.org

Last edited by thoth (2023-01-05 19:05:06)

Offline

#5 2023-01-05 18:18:31

ua4000
Member
Registered: 2015-10-14
Posts: 402

Re: archlinux-keyring abuse

mpan wrote:

So the presence of corrupted packages seem to indicate that… the packages are actually corrupted.

check if you can download other things correctly, e.g. by checking the md5...
Files can get corrupted during download or from a faulty hdd/ssd.

thoth wrote:

for i in {1..9}; do sudo pacman -Sy archlinux-keyring --noconfirm; done

This is of course nonsense and will not solve anything, only hiding the real root cause of the problem.

Offline

#6 2023-01-05 18:22:59

thoth
Member
Registered: 2010-01-10
Posts: 79

Re: archlinux-keyring abuse

This is of course nonsense and will not solve anything, only hiding the real root cause of the problem.

Of course, it is nonesense!  That's why I'm here asking why that "works", it should not, and yet it does, indeed.  Which is the question, why?  Something is broken.

And I can, indeed, go through the process and manually answer 'n' to this:

Do you want to delete it? [Y/n]

Subsequently run that ridiculous for loop and the next update passes on those same exact packages.

Last edited by thoth (2023-01-05 18:27:16)

Offline

#7 2023-01-05 18:27:37

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680
Website

Re: archlinux-keyring abuse

thoth wrote:

is that service supposed to be enabled by default?

That service is called by a timer so it's not supposed to be enabled or started directly:

systemctl list-timers archlinux-keyring-wkd-sync

Did you try resetting the keyring, as per my link?

Offline

#8 2023-01-05 18:50:18

thoth
Member
Registered: 2010-01-10
Posts: 79

Re: archlinux-keyring abuse

Head_on_a_Stick wrote:

Did you try resetting the keyring, as per my link?

Not yet, but as soon as I encounter this issue again I will give that a shot before I hit the ridiculous for loop button.

systemctl list-timers archlinux-keyring-wkd-sync
NEXT                        LEFT        LAST                        PASSED       UNIT                             ACTIVATES                         
Thu 2023-01-12 00:15:23 CST 6 days left Thu 2023-01-05 11:01:13 CST 1h 48min ago archlinux-keyring-wkd-sync.timer archlinux-keyring-wkd-sync.service

1 timers listed.

Offline

#9 2023-01-05 19:15:11

mpan
Member
Registered: 2012-08-01
Posts: 1,188
Website

Re: archlinux-keyring abuse

thoth wrote:

I regularly update my mirror list with reflector,

That’s not what I asked for. I do not ask, how are you choosing the mirror, but if you tested a different mirror.

Using or not using reflector is not playing any role here.

Last edited by mpan (2023-01-05 19:17:06)


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#10 2023-01-05 20:09:49

thoth
Member
Registered: 2010-01-10
Posts: 79

Re: archlinux-keyring abuse

mpan wrote:

Using or not using reflector is not playing any role here.

Point taken. Next time before i go reseting the keyring or hitting the ridiculous loop, I will certainly reduce my mirrorlist to a single mirror and do a bit of testing on the package signatures etc.

Offline

#11 2023-01-05 20:32:32

mpan
Member
Registered: 2012-08-01
Posts: 1,188
Website

Re: archlinux-keyring abuse

Normally pacman uses only a single mirror, the first on the list.⁽¹⁾ So whatever there is after that single line is not important here. Just change the mirror to something else and see if the problem persists.

It may also be worth sharing, which mirror you are currently using. If other people can reproduce the situation, its maintainers should be notified about the situation.
____
⁽¹⁾ Following mirrors will only be used if the former one produces an error during download. Not the case here.


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#12 2023-01-05 21:29:45

seth
Member
Registered: 2012-09-03
Posts: 49,981

Re: archlinux-keyring abuse

When it fails and succeeds run and post

pacman-key -l felixonmars@archlinux.org
discount-seth wrote:

Subsequently run that ridiculous for loop and the next update passes on those same exact packages.

If the packages aren't corrupt themselves and reinstalling the same archlinux-keyring package over and over again resolves it (and is required, ie. just waiting - time issue still - doesn't resolve it), I'd start to worry about the drive.
https://wiki.archlinux.org/title/SMART and check the journal for IO errors.

Maybe it's also just a FS problem?
ext4 or btrfs? Or maybe ZFS?

Offline

#13 2023-01-05 22:33:14

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,463

Re: archlinux-keyring abuse

Just to be clear here, "signature from whoever is invalid" errors are not a keyring problem. Reinstlaling the keyring package, resetting the keys, refreshing the keys, etc, WILL NOT WORK. The problem is that the package files themselves or the signature files are actually corrupt.

Offline

#14 2023-01-06 21:15:49

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: archlinux-keyring abuse

Scimmia wrote:

Just to be clear here, "signature from whoever is invalid" errors are not a keyring problem. Reinstlaling the keyring package, resetting the keys, refreshing the keys, etc, WILL NOT WORK. The problem is that the package files themselves or the signature files are actually corrupt.

The wiki suggests resetting keys for this error. Maybe this should be amended?


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline

#15 2023-01-07 07:44:29

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,463

Re: archlinux-keyring abuse

Hmm, maybe it should. AFAIK, keyring problems will be about missing keys or trust issues. The sig being invalid means it has everything to check it, the check just failed.

Offline

#16 2023-01-07 14:09:26

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,365
Website

Re: archlinux-keyring abuse

pacman is very crap and does not distinguish those cases in the error message...

Offline

#17 2023-01-07 14:10:23

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,463

Re: archlinux-keyring abuse

That part of the error comes from gpgme, though, doesn't it?

Offline

#18 2023-01-07 23:09:26

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,365
Website

Re: archlinux-keyring abuse

Nope - from pacman.  This definitely could be improved!

Offline

#19 2023-01-09 19:05:41

thoth
Member
Registered: 2010-01-10
Posts: 79

Re: archlinux-keyring abuse

Scimmia wrote:

Just to be clear here, "signature from whoever is invalid" errors are not a keyring problem. Reinstlaling the keyring package, resetting the keys, refreshing the keys, etc, WILL NOT WORK. The problem is that the package files themselves or the signature files are actually corrupt.

Again, I'm well aware this is not supposed to work, and that is the very reason I have made this post.  Stating that it WILL NOT work is not helping.

I suspect that there is some error with a specific mirror, and my usage of reflector is randomly pointing me to some bad mirror that is either lagging on updates and/or possibly has corrupt packages.

I, also, have a local package cache served up over NFS from TrueNAS scale (which is a ZFS mirror locally there).  This might have exacerbated some of my past issues, but is not the case with the incident that I opened this issue with as I had simplified my setup in trying to eliminate any complications.  But I will look out for any issues with ZFS/NFS as Seth has suggested as well, and report back with any errors if I see any there.

Offline

#20 2023-01-10 01:34:14

walkingstickfan
Member
From: USA
Registered: 2021-05-10
Posts: 102

Re: archlinux-keyring abuse

mpan wrote:

Manually updating archlinux-keyring should not be needed on each update. That’s an emergency procedure, which may be needed for systems that were left unmaintained for a long time.⁽¹⁾ Having to do this is an exceptional situation.

Is there a potential issue if one manually updates the archlinux-keyring?

mpan wrote:

Almost always doing simple `sudo pacman -Syu` should work flawlessly.

That hasn't been my experience. I've resorted to always manually update the archlinux-keyring package because I've encountered issues too many times when installing the package with...

 sudo pacman -Syu

Arch Linux with Openbox & Tint2

Offline

#21 2023-01-10 03:32:01

mpan
Member
Registered: 2012-08-01
Posts: 1,188
Website

Re: archlinux-keyring abuse

walkingstickfan wrote:

Is there a potential issue if one manually updates the archlinux-keyring?

I am saying, that there are recurring reports of issues with the WKD based updater. That’s a hint to OP, so they could check this, if more likely explanations do not work. IF! Not because I claim there is such a problem, but because such a possibility can’t be excluded in this situation. The causes, I believe should be checked first, were given earlier.

walkingstickfan wrote:

That hasn't been my experience. I've resorted to always manually update the archlinux-keyring package because I've encountered issues too many times when installing the package with...

Unless that was during the aforementioned sequence of frequent keyring updates last year, which was an exceptional situation, this shouldn’t be the case. I do not know, what you are observing, but even if the system is updated only once a week, in years before 2022 there were at most a few potential⁽¹⁾ trouble causing updates per year.⁽²⁾ So I can’t really respond to that.
____
⁽¹⁾ More than a single update in a week, without taking into consideration if it included key expirations and if those were affecting a significant packages.
⁽²⁾ archlinux-keyring commits history, ALA entry for archlinux-keyring.

Last edited by mpan (2023-01-10 03:35:51)


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#22 2023-01-13 18:03:24

thoth
Member
Registered: 2010-01-10
Posts: 79

Re: archlinux-keyring abuse

Ok, I hit it again, I reset the keys and everything and it persists.  Before I fire off the ridiculous for loop is there anything else I should try?

 $ cat /etc/pacman.d/mirrorlist
Server = https://dfw.mirror.rackspace.com/archlinux/$repo/os/$arch

$ sudo pacman -Sy archlinux-keyring
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
 multilib is up to date
 xyne-any is up to date
 xyne-x86_64 is up to date
 archrepo is up to date
 arch4edu is up to date
warning: archlinux-keyring-20221220-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) archlinux-keyring-20221220-1

Total Installed Size:  1.60 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] 
(1/1) checking keys in keyring                                                                                                              [#####################################################################################] 100%
(1/1) checking package integrity                                                                                                            [#####################################################################################] 100%
(1/1) loading package files                                                                                                                 [#####################################################################################] 100%
(1/1) checking for file conflicts                                                                                                           [#####################################################################################] 100%
(1/1) checking available disk space                                                                                                         [#####################################################################################] 100%
:: Processing package changes...
(1/1) reinstalling archlinux-keyring                                                                                                        [#####################################################################################] 100%
==> Appending keys from archlinux.gpg...
==> Updating trust database...
gpg: next trustdb check due at 2023-04-21
==> Updating trust database...
gpg: next trustdb check due at 2023-04-21
:: Running post-transaction hooks...
(1/2) Reloading system manager configuration...
(2/2) Arming ConditionNeedsUpdate...

$ sudo pacman -Su            
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...
sudo pacman-key -l i@jingbei.li             
pub   rsa2048 2016-08-25 [SC]
      CCED9BE21E1173C61DC1C9407931B6D628C8D3BA
uid           [ unknown] Jingbei Li <i@jingbei.li>
sub   rsa2048 2016-08-25 [E]

Packages (30) alsa-card-profiles-1:0.3.64-1  brave-bin-1:1.47.171-1  celt-0.11.3-5  discord-0.0.23-1  gpg-tui-0.9.3-1  gst-plugin-pipewire-1:0.3.64-1  gvim-9.0.1182-1  jupyter-nbformat-5.7.3-1  kdiff3-1.10.0-2  lib32-mesa-22.3.3-1
              lib32-mesa-vdpau-22.3.3-1  libreoffice-fresh-7.4.4-1  libwebp-1.3.0-2  linux-6.1.5.arch2-1  linux-headers-6.1.5.arch2-1  linux-lts-headers-5.15.87-1  mesa-22.3.3-1  mesa-vdpau-22.3.3-1  nvidia-525.78.01-4
              opera-94.0.4606.65-1  php-8.2.1-1  pipewire-1:0.3.64-1  pipewire-alsa-1:0.3.64-1  pipewire-audio-1:0.3.64-1  pipewire-jack-1:0.3.64-1  pipewire-pulse-1:0.3.64-1  python-trove-classifiers-2023.1.12-1
              signal-desktop-6.2.0-1  vim-runtime-9.0.1182-1  zoom-5.13.4-1

Total Download Size:    149.61 MiB
Total Installed Size:  2862.63 MiB
Net Upgrade Size:       306.52 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 celt-0.11.3-5-x86_64                                                                                            71.6 KiB  34.7 KiB/s 00:02 [#####################################################################################] 100%
 brave-bin-1:1.47.171-1-x86_64 is up to date
 zoom-5.13.4-1-x86_64                                                                                           149.5 MiB  10.2 MiB/s 00:15 [#####################################################################################] 100%
 Total (3/3)                                                                                                    149.6 MiB  10.1 MiB/s 00:15 [#####################################################################################] 100%
(30/30) checking keys in keyring                                                                                                            [#####################################################################################] 100%
(30/30) checking package integrity                                                                                                          [#####################################################################################] 100%
error: celt: signature from "Jingbei Li <i@jingbei.li>" is unknown trust
:: File /var/cache/pacman/pkg/celt-0.11.3-5-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: zoom: signature from "Jingbei Li <i@jingbei.li>" is unknown trust
:: File /var/cache/pacman/pkg/zoom-5.13.4-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

$ sudo pacman-key --init
$ sudo pacman-key --populate
==> Appending keys from archlinux.gpg...
==> Updating trust database...
gpg: next trustdb check due at 2023-04-21

$ sudo pacman -Su           
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (30) alsa-card-profiles-1:0.3.64-1  brave-bin-1:1.47.171-1  celt-0.11.3-5  discord-0.0.23-1  gpg-tui-0.9.3-1  gst-plugin-pipewire-1:0.3.64-1  gvim-9.0.1182-1  jupyter-nbformat-5.7.3-1  kdiff3-1.10.0-2  lib32-mesa-22.3.3-1
              lib32-mesa-vdpau-22.3.3-1  libreoffice-fresh-7.4.4-1  libwebp-1.3.0-2  linux-6.1.5.arch2-1  linux-headers-6.1.5.arch2-1  linux-lts-headers-5.15.87-1  mesa-22.3.3-1  mesa-vdpau-22.3.3-1  nvidia-525.78.01-4
              opera-94.0.4606.65-1  php-8.2.1-1  pipewire-1:0.3.64-1  pipewire-alsa-1:0.3.64-1  pipewire-audio-1:0.3.64-1  pipewire-jack-1:0.3.64-1  pipewire-pulse-1:0.3.64-1  python-trove-classifiers-2023.1.12-1
              signal-desktop-6.2.0-1  vim-runtime-9.0.1182-1  zoom-5.13.4-1sudo pacman-key -l i@jingbei.li             
pub   rsa2048 2016-08-25 [SC]
      CCED9BE21E1173C61DC1C9407931B6D628C8D3BA
uid           [ unknown] Jingbei Li <i@jingbei.li>
sub   rsa2048 2016-08-25 [E]


Total Installed Size:  2862.63 MiB
Net Upgrade Size:       306.52 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 brave-bin-1:1.47.171-1-x86_64 is up to date
(30/30) checking keys in keyring                                                                                                            [#####################################################################################] 100%
(30/30) checking package integrity                                                                                                          [#####################################################################################] 100%
error: celt: signature from "Jingbei Li <i@jingbei.li>" is unknown trust
:: File /var/cache/pacman/pkg/celt-0.11.3-5-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: zoom: signature from "Jingbei Li <i@jingbei.li>" is unknown trust
:: File /var/cache/pacman/pkg/zoom-5.13.4-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

EDIT: oh and for Seth:

$ sudo pacman-key -l felixonmars@archlinux.org
pub   rsa4096 2012-01-20 [SC]
      B5971F2C5C10A9A08C60030F786C63F330D7CB92
uid           [  full  ] Felix Yan <felixonmars@archlinux.org>
uid           [marginal] Felix Yan <i@felixc.at>
uid           [  undef ] Felix Yan <yanran@deepin.com>
uid           [  undef ] Felix Yan <felixonmars@qq.com>
uid           [marginal] Felix Yan <felixonmars@163.com>
uid           [marginal] Felix Yan <felixonmars@nyaa.cat>
uid           [marginal] Felix Yan <felixonmars@gmail.com>
uid           [marginal] Felix Yan <felixyan@bbtechgroup.com>
uid           [  undef ] Felix Yan <felixonmars@member.fsf.org>
uid           [marginal] Felix Yan <felixonmars@archlinuxcn.org>
uid           [  undef ] Felix Yan <felixonmars@fedoraproject.org>
uid           [marginal] keybase.io/felixonmars <felixonmars@keybase.io>
uid           [marginal] Yan, Ran (Name on Passport) <felixonmars@gmail.com>
uid           [ unknown] Felix Yan <yanran@uniontech.com>
uid           [ unknown] Felix Yan <felixonmars@189.cn>
uid           [ unknown] Felix Yan <felixonmars@ubuntukylin.com>
sub   rsa4096 2012-01-20 [E]

$ sudo pacman-key -l i@jingbei.li             
pub   rsa2048 2016-08-25 [SC]
      CCED9BE21E1173C61DC1C9407931B6D628C8D3BA
uid           [ unknown] Jingbei Li <i@jingbei.li>
sub   rsa2048 2016-08-25 [E]

EDIT: as an aside note, the problem exists right now for both local storage on ext4, and mounted over NFS on TrueNAS (locally there ZFS).  Same exact packages throw the error.

Last edited by thoth (2023-01-13 18:11:37)

Offline

#23 2023-01-13 18:11:25

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,463

Re: archlinux-keyring abuse

That is a totally different error, and this one *is* a keyring problem. Jingbei Li is not an Arch Dev/TU/PM, so they're not in Arch's keyring. You have to deal with it yourself. See the instructions for your 3rd party repos.

Offline

#24 2023-01-13 18:18:45

thoth
Member
Registered: 2010-01-10
Posts: 79

Re: archlinux-keyring abuse

Scimmia wrote:

That is a totally different error, and this one *is* a keyring problem. Jingbei Li is not an Arch Dev/TU/PM, so they're not in Arch's keyring. You have to deal with it yourself. See the instructions for your 3rd party repos.

You are correct this is a separate issue, I had enabled the arch4edu repo recently and that apparently had the out of date packages, so unrelated to the original issue.  Deleting those lines from pacman.conf fixed this particular issue.

Last edited by thoth (2023-01-13 18:19:22)

Offline

#25 2023-03-13 15:48:30

thoth
Member
Registered: 2010-01-10
Posts: 79

Re: archlinux-keyring abuse

Ok, I think I ran into this loop again:

error: haskell-optparse-simple: signature from "Felix Yan <felixonmars@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/haskell-optparse-simple-0.1.1.4-227-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: haskell-persistent-sqlite: signature from "Felix Yan <felixonmars@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/haskell-persistent-sqlite-2.13.1.0-45-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: haskell-rio-orphans: signature from "Felix Yan <felixonmars@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/haskell-rio-orphans-0.1.2.0-221-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: haskell-tar-conduit: signature from "Felix Yan <felixonmars@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/haskell-tar-conduit-0.3.2-369-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: haskell-zip-archive: signature from "Felix Yan <felixonmars@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/haskell-zip-archive-0.4.3-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: haskell-pantry: signature from "Felix Yan <felixonmars@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/haskell-pantry-0.5.7-76-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: haskell-project-template: signature from "Felix Yan <felixonmars@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/haskell-project-template-0.2.1.0-279-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: k3b: signature from "Antonio Rojas <arojas@archlinux.org>" is invalid
:: File /var/cache/pacman/pkg/k3b-1:22.12.3-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.

sudo pacman -Syu  4.91s user 2.88s system 12% cpu 1:03.05 total

1 thoth@eskimo ~ % sudo pacman -Sy archlinux-keyring --noconfirm && sudo pacman -Su --noconfirm
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
 multilib is up to date
 xyne-any is up to date
 xyne-x86_64 is up to date
 archrepo is up to date
warning: archlinux-keyring-20230225-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) archlinux-keyring-20230225-1

Total Installed Size:  1.60 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] 
(1/1) checking keys in keyring                     [######################] 100%
(1/1) checking package integrity                   [######################] 100%
(1/1) loading package files                        [######################] 100%
(1/1) checking for file conflicts                  [######################] 100%
(1/1) checking available disk space                [######################] 100%
:: Processing package changes...
(1/1) reinstalling archlinux-keyring               [######################] 100%
==> Appending keys from archlinux.gpg...
==> Updating trust database...
gpg: next trustdb check due at 2023-07-12
==> Updating trust database...
gpg: next trustdb check due at 2023-07-12
:: Running post-transaction hooks...
(1/2) Reloading system manager configuration...
(2/2) Arming ConditionNeedsUpdate...
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...
warning: dependency cycle detected:
warning: intel-oneapi-compiler-dpcpp-cpp-runtime will be installed before its intel-oneapi-compiler-shared-runtime dependency

Packages (238) alembic-1.8.4-3  alsa-card-profiles-1:0.3.67-1
               alsa-plugins-1:1.2.7.1-2  attica-5.104.0-1  aubio-0.4.9-15
               baloo-5.104.0-1  blender-17:3.4.1-21  bluez-qt-5.104.0-1
               brave-bin-1:1.49.120-1  breeze-icons-5.104.0-1
               ca-certificates-mozilla-3.89-1  cabal-install-3.4.1.0-82
               cantata-2.5.0-3  chromaprint-1.5.1-7  chromium-111.0.5563.64-2
               cifs-utils-7.0-3  cmake-3.25.3-1  code-1.76.1-1  cuda-12.1.0-1
               cuda-tools-12.1.0-1  cudnn-8.8.0.121-1  darktable-2:4.2.1-2
               electron-22.3.2-1  electron17-17.4.11-6  electron19-19.1.9-5
               eslint-8.36.0-1  ffmpeg-2:6.0-3  firefox-110.0.1-4
               frameworkintegration-5.104.0-1  freerdp-2:2.10.0-2  gavl-1.4.0-7
               geckodriver-0.32.2-1  gegl-0.4.42-3  ghostscript-10.0.0-6
               glib2-2.76.0-1  glibmm-2.66.6-1  glibmm-2.68-2.76.0-1
               gmic-3.2.1-3  go-2:1.20.2-1  go-ethereum-1.11.4-1  godot-4.0-2
               gst-editing-services-1.22.1-2  gst-libav-1.22.1-2
               gst-plugin-gtk-1.22.1-2  gst-plugin-pipewire-1:0.3.67-1
               gst-plugins-bad-1.22.1-2  gst-plugins-bad-libs-1.22.1-2
               gst-plugins-base-1.22.1-2  gst-plugins-base-libs-1.22.1-2
               gst-plugins-good-1.22.1-2  gstreamer-1.22.1-2
               haskell-aeson-2.1.2.0-2  haskell-bitvec-1.1.3.0-39
               haskell-casa-client-0.0.1-558  haskell-casa-types-0.0.2-337
               haskell-conduit-1.3.4.3-32  haskell-conduit-extra-1.3.6-64
               haskell-cryptonite-conduit-0.2.2-559  haskell-dbus-1.2.22-141
               haskell-digest-0.0.1.6-1  haskell-generically-0.1.1-1
               haskell-githash-0.1.6.3-36  haskell-hackage-security-0.6.2.3-21
               haskell-hi-file-parser-0.1.3.0-39  haskell-hpack-0.35.2-14
               haskell-http-4000.4.1-87  haskell-http-conduit-2.3.8-283
               haskell-http-download-0.2.0.0-553  haskell-libyaml-0.1.2-286
               haskell-monad-logger-0.3.39-12
               haskell-mono-traversable-1.0.15.3-116
               haskell-mustache-2.4.1-129  haskell-optparse-simple-0.1.1.4-227
               haskell-pantry-0.5.7-76  haskell-path-0.9.2-107
               haskell-path-io-1.8.0-12  haskell-persistent-2.13.3.5-36
               haskell-persistent-sqlite-2.13.1.0-45
               haskell-project-template-0.2.1.0-279  haskell-rio-0.1.22.0-66
               haskell-rio-orphans-0.1.2.0-221
               haskell-rio-prettyprint-0.1.4.0-23
               haskell-tar-conduit-0.3.2-369  haskell-unliftio-0.2.24.0-1
               haskell-vector-algorithms-0.9.0.1-39
               haskell-xml-conduit-1.9.1.1-178  haskell-yaml-0.11.11.0-4
               haskell-zip-archive-0.4.3-2  hidapi-0.13.1-2  hugin-2022.0.0-5
               hwdata-0.368-1  iana-etc-20230306-1  imagemagick-7.1.1.3-1
               imath-3.1.7-1  intel-oneapi-common-2023.0.0-3
               intel-oneapi-compiler-dpcpp-cpp-runtime-2023.0.0-2
               intel-oneapi-compiler-shared-runtime-2023.0.0-1
               intel-oneapi-openmp-2023.0.0-1  intel-oneapi-tbb-2021.8.0-1
               k3b-1:22.12.3-2  kactivities-5.104.0-1
               kactivities-stats-5.104.0-1  karchive-5.104.0-1  kauth-5.104.0-1
               kbookmarks-5.104.0-1  kcmutils-5.104.0-1  kcodecs-5.104.0-1
               kcompletion-5.104.0-1  kconfig-5.104.0-1
               kconfigwidgets-5.104.0-1  kcoreaddons-5.104.0-1
               kcrash-5.104.0-1  kdbusaddons-5.104.0-1  kdeclarative-5.104.0-1
               kded-5.104.0-1  kdelibs4support-5.104.0-1  kdesu-5.104.0-1
               kdnssd-5.104.0-1  kemoticons-5.104.0-1  kfilemetadata-5.104.0-1
               kglobalaccel-5.104.0-1  kguiaddons-5.104.0-1
               kholidays-1:5.104.0-1  ki18n-5.104.0-1  kiconthemes-5.104.0-1
               kidletime-5.104.0-1  kinit-5.104.0-1  kio-5.104.0-1
               kirigami2-5.104.0-1  kitemmodels-5.104.0-1  kitemviews-5.104.0-1
               kjobwidgets-5.104.0-1  kjs-5.104.0-1  knewstuff-5.104.0-1
               knotifications-5.104.0-1  knotifyconfig-5.104.0-1
               kpackage-5.104.0-1  kparts-5.104.0-1  kpeople-5.104.0-1
               kpipewire-5.27.2-2  kpty-5.104.0-1  kquickcharts-5.104.0-1
               krita-5.1.5-4  kross-5.104.0-1  krunner-5.104.0-1
               kservice-5.104.0-1  ktexteditor-5.104.0-1
               ktextwidgets-5.104.0-1  kunitconversion-5.104.0-1
               kwallet-5.104.0-1  kwayland-5.104.0-1  kwidgetsaddons-5.104.0-1
               kwindowsystem-5.104.0-1  kxmlgui-5.104.0-1
               level-zero-loader-1.8.12-1  lib32-glib2-2.76.0-1
               lib32-nss-3.89-1  libde265-1.0.11-2  libice-1.1.1-2
               libmanette-0.2.6-4  libmfx-23.1.3-2  libnm-1.42.4-1
               libopenmpt-0.6.9-1  libpipewire-1:0.3.67-1  libpulse-16.1-5
               libsquish-1.15-7  libwireplumber-0.4.14-1  libwslay-1.1.1-5
               libxau-1.0.11-2  libxdmcp-1.1.4-2  libxfont2-2.0.6-2
               linux-6.2.5.arch1-1  linux-headers-6.2.5.arch1-1
               linux-lts-6.1.18-1  mixxx-2.3.4-1  mlt-7.14.0-2
               modemmanager-qt-5.104.0-1  networkmanager-1.42.4-1
               networkmanager-qt-5.104.0-1  nss-3.89-1  nushell-0.76.0-1
               nvidia-525.89.02-10  nvidia-lts-1:525.89.02-9  openal-1.23.0-2
               opencolorio-2.2.1-4  opencv-4.7.0-6  openexr-3.1.6-1
               openimageio-2.4.9.0-2  openvpn-2.6.1-1  opera-96.0.4693.50-1
               pcsclite-1.9.9-3  pipewire-1:0.3.67-1  pipewire-alsa-1:0.3.67-1
               pipewire-audio-1:0.3.67-1  pipewire-docs-1:0.3.67-1
               pipewire-jack-1:0.3.67-1  pipewire-pulse-1:0.3.67-1
               plasma-framework-5.104.0-1  prison-5.104.0-1  purpose-5.104.0-1
               python-json-logger-2.0.7-1  python-markdown-it-py-2.2.0-1
               python-pydantic-1.10.6-1  python-pytz-2022.7.1-1
               python-trove-classifiers-2023.3.9-1
               qqc2-desktop-style-5.104.0-1  qt5-script-5.15.13-1
               qt5-wayland-5.15.8+kde+r63-1  qt5-webengine-5.15.13-1
               qt6-webengine-6.4.2-4  rust-1:1.68.0-1  shellcheck-0.9.0-29
               signal-desktop-6.9.0-1  solid-5.104.0-1  sonnet-5.104.0-1
               spice-0.15.1-2  sqlite-3.41.1-1  stack-2.7.5-254
               sudo-1.9.13.p3-1  syndication-5.104.0-1
               syntax-highlighting-5.104.0-1  systemd-253.1-3
               systemd-libs-253.1-3  systemd-sysvcompat-253.1-3
               telegram-desktop-4.6.5-3  threadweaver-5.104.0-1
               tinycompress-1.2.8-2  tinyxml-2.6.2-10
               ttf-linux-libertine-5.3.0-9  ttf-sarasa-gothic-0.40.3-1
               v4l-utils-1.24.1-1  vigra-1.11.1.r67+g093d57d1-7
               vivaldi-5.7.2921.63-1  vivaldi-ffmpeg-codecs-110.0.5481.100-1
               wireplumber-0.4.14-1  xmobar-0.46-12  zerotier-one-1.10.4-1
               zxing-cpp-2.0.0-2

Total Download Size:    3408.27 MiB
Total Installed Size:  18475.21 MiB
Net Upgrade Size:       1673.53 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 k3b-1:22.12.3-2-...    11.0 MiB  9.03 MiB/s 00:01 [######################] 100%
 cabal-install-3....  1618.1 KiB  8.45 MiB/s 00:00 [######################] 100%
 eslint-8.36.0-1-any  1382.4 KiB  10.7 MiB/s 00:00 [######################] 100%
 brave-bin-1:1.49.120-1-x86_64 is up to date
 haskell-persiste...  1367.6 KiB  12.1 MiB/s 00:00 [######################] 100%
 haskell-pantry-0...  1281.7 KiB  11.4 MiB/s 00:00 [######################] 100%
 haskell-hpack-0....   696.1 KiB  9.19 MiB/s 00:00 [######################] 100%
 haskell-hackage-...   623.3 KiB  5.74 MiB/s 00:00 [######################] 100%
 haskell-rio-0.1....   260.7 KiB  3.03 MiB/s 00:00 [######################] 100%
 haskell-unliftio...   229.6 KiB  3.56 MiB/s 00:00 [######################] 100%
 haskell-mustache...   224.5 KiB  3.00 MiB/s 00:00 [######################] 100%
 haskell-persiste...   220.6 KiB  3.37 MiB/s 00:00 [######################] 100%
 haskell-yaml-0.1...   199.9 KiB  2.35 MiB/s 00:00 [######################] 100%
 go-ethereum-1.11...    49.8 MiB  10.3 MiB/s 00:05 [######################] 100%
 haskell-tar-cond...   154.0 KiB  2.15 MiB/s 00:00 [######################] 100%
 haskell-path-0.9...   160.4 KiB  1091 KiB/s 00:00 [######################] 100%
 haskell-monad-lo...   147.5 KiB  2.25 MiB/s 00:00 [######################] 100%
 haskell-rio-pret...   147.2 KiB  2016 KiB/s 00:00 [######################] 100%
 haskell-libyaml-...   142.4 KiB  2035 KiB/s 00:00 [######################] 100%
 haskell-zip-arch...   127.1 KiB  1589 KiB/s 00:00 [######################] 100%
 haskell-hi-file-...    98.8 KiB  1544 KiB/s 00:00 [######################] 100%
 haskell-path-io-...    77.9 KiB  1237 KiB/s 00:00 [######################] 100%
 haskell-http-dow...    73.7 KiB   921 KiB/s 00:00 [######################] 100%
 haskell-casa-cli...    58.2 KiB   831 KiB/s 00:00 [######################] 100%
 haskell-githash-...    57.2 KiB   714 KiB/s 00:00 [######################] 100%
 haskell-casa-typ...    41.9 KiB   499 KiB/s 00:00 [######################] 100%
 haskell-project-...    33.1 KiB   518 KiB/s 00:00 [######################] 100%
 haskell-optparse...    31.9 KiB   532 KiB/s 00:00 [######################] 100%
 haskell-rio-orph...    30.0 KiB   500 KiB/s 00:00 [######################] 100%
 haskell-digest-0...    15.1 KiB   251 KiB/s 00:00 [######################] 100%
 cudnn-8.8.0.121-...   851.4 MiB  10.0 MiB/s 01:25 [######################] 100%
 cuda-tools-12.1....  1085.6 MiB  11.7 MiB/s 01:33 [######################] 100%
 cuda-12.1.0-1-x86_64 1401.2 MiB  12.6 MiB/s 01:51 [######################] 100%
 Total (33/33)           3.3 GiB  30.6 MiB/s 01:51 [######################] 100%
(238/238) checking keys in keyring                 [######################] 100%
(238/238) checking package integrity               [######################] 100%
error: cuda: signature from "Sven-Hendrik Haase <sh@lutzhaase.com>" is invalid
:: File /var/cache/pacman/pkg/cuda-12.1.0-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] 
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.
sudo pacman -Su --noconfirm  11.78s user 10.49s system 12% cpu 2:58.30 total

Only after running the ridiculous "for loop" will pacman finally complete without erring out on various package verifications.

Last edited by thoth (2023-03-13 15:49:37)

Offline

Board footer

Powered by FluxBB