Arch Linux

Rommy

Member

Registered: 2014-10-17

Posts: 51

[SOLVED] openssl package is marginal trust

Hello,

I wanted to build a package in a clean environment with extra-x86_64-build from the devtools as documented here.
When creating the chroot, this error occured:

error: openssl: signature from "Pierre Schmitz <pierre@archlinux.org>" is marginal trust
:: File /var/cache/pacman/pkg/openssl-3.0.8-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] error: failed to commit transaction (invalid or corrupted package)

I thought, maybe the archlinx-keyring is outofdate and reinstalled archlinux-keyring. But the problem still persists.
I was a bit confused, since my system already installed openssl-3.0.8-1 a few weeks ago. So I decided to reinstall it, but I get the same error again with `pacman -S openssl`.
I get the same error than above. I tried `pacman-key --refresh-keys`, init, populate, refresh-keys again, but the error does not go away.

What can I do to fix this problem?

Last edited by Rommy (2023-03-19 16:56:31)

Rommy

Member

Registered: 2014-10-17

Posts: 51

Re: [SOLVED] openssl package is marginal trust

Here is the pacman-key log of the package signature:

$ pacman-key -v /var/cache/pacman/pkg/openssl-3.0.8-1-x86_64.pkg.tar.zst.sig
==> Checking /var/cache/pacman/pkg/openssl-3.0.8-1-x86_64.pkg.tar.zst.sig... (detached)
gpg: Signature made Tue 07 Feb 2023 05:40:50 PM CET
gpg:                using EDDSA key 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.org>" [marginal]
gpg:                 aka "Pierre Schmitz <pierre@archlinux.de>" [undefined]
gpg: WARNING: This key is not certified with sufficiently trusted signatures!
gpg:          It is not certain that the signature belongs to the owner.
Primary key fingerprint: 3E80 CA1A 8B89 F69C BA57  D98A 76A5 EF90 5444 9A5C
==> ERROR: The signature identified by /var/cache/pacman/pkg/openssl-3.0.8-1-x86_64.pkg.tar.zst.sig could not be verified.

Last edited by Rommy (2023-03-18 14:47:22)

seth

Member

Registered: 2012-09-03

Posts: 50,932

Re: [SOLVED] openssl package is marginal trust

pacman -Qi archlinux-keyring
pacman-key -l pierre@archlinux.org

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

Rommy

Member

Registered: 2014-10-17

Posts: 51

Re: [SOLVED] openssl package is marginal trust

$ pacman -Qi archlinux-keyring
Name            : archlinux-keyring
Version         : 20230225-1
Description     : Arch Linux PGP keyring
Architecture    : any
URL             : https://gitlab.archlinux.org/archlinux/archlinux-keyring/
Licenses        : GPL3
Groups          : None
Provides        : None
Depends On      : pacman
Optional Deps   : None
Required By     : base
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 1643.45 KiB
Packager        : Christian Hesse <eworm@archlinux.org>
Build Date      : Sat 25 Feb 2023 11:24:41 PM CET
Install Date    : Tue 28 Feb 2023 07:01:31 PM CET
Install Reason  : Installed as a dependency for another package
Install Script  : Yes
Validated By    : Signature

$ pacman-key -l pierre@archlinux.org
pub   rsa2048 2011-04-10 [SC]
      4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
uid           [marginal] Pierre Schmitz <pierre@archlinux.de>
uid           [marginal] Pierre Schmitz <pierre@archlinux.org>
sub   rsa2048 2011-04-10 [E]

pub   ed25519 2022-10-31 [SC] [expires: 2037-10-27]
      3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
uid           [marginal] Pierre Schmitz <pierre@archlinux.org>
uid           [ unknown] Pierre Schmitz <pierre@archlinux.de>
sub   ed25519 2022-10-31 [A] [expires: 2037-10-27]
sub   cv25519 2022-10-31 [E] [expires: 2037-10-27]

seth

Member

Registered: 2012-09-03

Posts: 50,932

Re: [SOLVED] openssl package is marginal trust

arch-keyring is up to date, but

      3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C
uid           [marginal] Pierre Schmitz <pierre@archlinux.org>

is bad.

pacman -S archlinux-keyring 2>&1 | curl -F 'file=@-' 0x0.st

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

Rommy

Member

Registered: 2014-10-17

Posts: 51

Re: [SOLVED] openssl package is marginal trust

I did it twice, but problem persists:
https://0x0.st/H-tV.txt
https://0x0.st/H-tJ.txt

Edit: The system is in a qemu vm, but I don't think it should make a difference?

Last edited by Rommy (2023-03-19 15:54:22)

Rommy

Member

Registered: 2014-10-17

Posts: 51

Re: [SOLVED] openssl package is marginal trust

Before running `pacman-key --init` and `pacman-key --populate`, I did NOT remove `/etc/pacman.d/gnupg`. I did now and after running the commands, openssl installs flawlessly.
I'd like to know why the problem appeared. I have a backup of the "corrupt" system, if anyone has ideas to investigate this.

seth

Member

Registered: 2012-09-03

Posts: 50,932

Re: [SOLVED] openssl package is marginal trust

Compare the old gpg.conf w/ the new one (different keyserver?) but in doubt the trustdb.gpg got "corrupted".

gpg --export-ownertrust --trustdb-name /path/to/backup/trustdb.gpg | grep ':4: > some.txt

Compare the keys there to the ones in the good trustdb ("pacman-key --listkeys 12345678997123456789")

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc