
#1 2023-05-12 23:58:43

Registered: 2021-07-25
Posts: 13

Keyring issues and validation

Wanted to upgrade my OS today, as I tend to do each month or so, with `pacman -Syuu`. The packages downloaded and it prompted me to add quite a lot of new PGP keys; I allowed that, but then it wouldn't go through. This has happened to me from time to time, and I recalled I just have to reinstall archlinux-keyring first and that should do it. I couldn't reinstall it, however: pacman was failing at adding Christian Hesse's key, so I figured I probably have my keyrings messed up somehow, so I backed it up and followed the steps from the wiki: … l_the_keys

But this wouldn't work either, as for some reason my /usr/share/pacman/ dir lacked any keyrings in it..

In the end I just disabled signature verification just to install archlinux-keyring (same with chaotic), and enabled it back again..

I was able to update and install other packages, although I don't feel too comfortable about it - how really dangerous was what I did? Do I actually have to worry about it?

Can I somehow verify that every package is installed with the right key and that keyrings my pacman now uses aren't tampered with?

Best regards!


#2 2023-05-13 02:07:08

Registered: 2012-09-01
Posts: 12,432

Re: Keyring issues and validation

`pacman -Sw <package>` will re-check the package that's in the cache (or download it if it isn't there, but that doesn't help you in this case).
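
An added example (not part of the thread and not pacman's own tooling): the `pacman -Sw` re-check from the reply above, applied only to the packages that were installed while signature checking was switched off, found by parsing `/var/log/pacman.log`. The function names, the `--run` switch and the sample log lines are constructed for illustration; timestamps are compared as local-time strings, which assumes the UTC offset did not change inside the window.

```shell
#!/bin/sh
# Added example: list packages pacman installed, upgraded or reinstalled
# inside a time window, then re-check each one with `pacman -Sw`.

# pkgs_in_window LOG START END
# START and END are timestamp prefixes as written in pacman.log,
# e.g. 2023-05-12T23:00 (fixed width, so string comparison orders them).
pkgs_in_window() {
    awk -v s="$2" -v e="$3" '
        $2 == "[ALPM]" &&
        ($3 == "installed" || $3 == "upgraded" || $3 == "reinstalled") {
            ts = substr($1, 2, 16)      # drop "[" and keep YYYY-MM-DDTHH:MM
            if (ts >= s && ts <= e) print $4
        }' "$1" | sort -u
}

# recheck PKG...
# Runs interactively on purpose: on a bad signature pacman asks before
# deleting the cached file, so the evidence is not removed silently.
recheck() {
    rc=0
    for p in "$@"; do
        pacman -Sw "$p" || { echo "re-check failed: $p" >&2; rc=1; }
    done
    return "$rc"
}

# Constructed sample log (versions are placeholders, not real releases).
sample_log() {
    cat <<'EOF'
[2023-05-12T21:40:11+0200] [ALPM] upgraded linux (1.0-1 -> 1.0-2)
[2023-05-12T23:10:02+0200] [PACMAN] Running 'pacman -S archlinux-keyring'
[2023-05-12T23:10:05+0200] [ALPM] reinstalled archlinux-keyring (1.0-1)
[2023-05-12T23:12:40+0200] [ALPM] installed chaotic-keyring (1.0-1)
[2023-05-13T00:05:00+0200] [ALPM] upgraded bash (1.0-1 -> 1.0-2)
EOF
}

# Usage (as root, signature checking re-enabled):
#   sh recheck.sh --run 2023-05-12T23:00 2023-05-12T23:59
if [ "${1:-}" = "--run" ]; then
    # Package names contain no whitespace, so word splitting is safe here.
    # shellcheck disable=SC2046
    recheck $(pkgs_in_window /var/log/pacman.log "$2" "$3")
fi
```

Packages that are not in a sync repository (for example ones built locally) will be reported as failed because `pacman -Sw` cannot resolve them; those need to be checked against their own source.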


#3 2023-05-13 02:25:37

Registered: 2021-07-25
Posts: 13

Re: Keyring issues and validation

I was thinking about upgrading the system and packages first, purging keys, getting the `legit ones` using some gpg validations, and reinstalling everything, but this seems a bit paranoid. I've used a few mirrorlists to make sure I wasn't grabbing some nasty packages when keys started failing on me. I'm not really sure why this was even a thing though; generally updating the keyring was enough.

