Hi all,
I have what appears to be the same problem in this thread except with a different cause.
In there the issue was a duplicate gpg binary in /usr/local/bin, however I don't have that here so I'm not sure what's causing this problem:
$ pacman --debug -S archlinux-keyring
[...]
debug: found cached pkg: /var/cache/pacman/pkg/archlinux-keyring-20241015-1-any.pkg.tar.zst
debug: found cached pkg: /var/cache/pacman/pkg/archlinux-keyring-20241015-1-any.pkg.tar.zst.sig
checking keyring...
debug: found signature key: 6D42BDD116E0068F
debug: GPGME version: 1.23.2
debug: GPGME engine info: file=/usr/bin/gpg, home=/etc/pacman.d/gnupg/
debug: looking up key 6D42BDD116E0068F locally
debug: gpg error: Invalid crypto engine
checking package integrity...
debug: found cached pkg: /var/cache/pacman/pkg/archlinux-keyring-20241015-1-any.pkg.tar.zst
debug: sig data: iHUEABYKAB0WIQQEKYl95fO9rFN6MGltQr3RFuAGjwUCZw7fHAAKCRBtQr3RFuAGj3iuAQD8RT/+x9EE/jZUH1w7MqTDgb43F8v7EU6v4o/2fgf94gEAqNGQCQgy0CgHb2CzqGszurD7VKOTW+0BOyJ9+rEwTQg=
debug: checking signature for /var/cache/pacman/pkg/archlinux-keyring-20241015-1-any.pkg.tar.zst
error: GPGME error: General error
debug: returning error 53 from _alpm_gpgme_checksig (../lib/libalpm/signing.c: 774) : gpgme error
debug: signature check failed
error: archlinux-keyring: missing required signature
:: File /var/cache/pacman/pkg/archlinux-keyring-20241015-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
It seems I'm getting "invalid crypto engine" for some reason which is causing everything else to fail. I see this error on every single package I try to install/upgrade.
I disabled signature checking and reinstalled the gpg package (and archlinux-keyring) and those two reinstalled fine, but re-enabling signature checking brings the same error back again. I wiped and recreated the keyring with pacman-keyring and the problem remains, so it seems that the keyring itself is not the problem.
I'm not very familiar with gpg so I don't really know where to start looking. I followed the suggestions in the other thread I linked to, but I couldn't see anything out of the ordinary. No missing .pacnew updates in /etc, no unexpected gpg binaries, no unexpectedly modified files.
$ type -a gpg
gpg is /usr/bin/gpg
gpg is /bin/gpg
$ pacman -Q gpgme gnupg libgcrypt pacman gcc-libs glibc
gpgme 1.23.2-6
gnupg 2.4.5-4
libgcrypt 1.11.0-2
pacman 6.1.0-3
gcc-libs 14.2.1+r32+geccf707e5ce-1
glibc 2.40+r16+gaa533d58ff-2
I have the same package versions and same config on another Arch PC, and it works fine, so that suggests to me it's not related to the binaries or my own config, but rather some data on the system. If I try to install a package that isn't part of the latest upgrade (i.e. it was downloaded during my last update and installed successfully), it won't reinstall it now, with the same error. So that suggests to me the remote server is not returning corrupted files, because I can no longer install the same package files that were previously installed successfully.
Any suggestions on how to troubleshoot gpg to figure out why it's complaining?
Last edited by Malvineous (2024-10-26 09:07:09)
Please post the output of `pacman -Qikk pacman gnupg gpgme` and `lddtree /usr/bin/pacman`. lddtree is provided by pax-utils.
Last edited by loqs (2024-10-25 17:58:35)
In there the issue was a duplicate gpg binary in /usr/local/bin
No, wasn't - that's what tripped Scimmia. There was gpgsm and gpgconf, but no gpg.
In doubt
The broadsword is clunky but (almost) never fails
Ah right, my mistake - well I checked /usr/local/bin and the only binaries in there are for my own code I intentionally installed there myself, which have been there for years, and don't conflict with any gpg binaries so that should be all good.
This pacman command reports the same on the working and broken machines, except for the install date being different, and gpgme saying "Validated by" as "SHA256 Sum" on the broken machine and "Signature" on the working one, but I imagine this is because I switched off signatures and reinstalled gpgme on the broken one as part of my unsuccessful troubleshooting.
$ pacman -Qikk pacman gnupg gpgme
Name : pacman
Version : 6.1.0-3
Description : A library-based package manager with dependency support
Architecture : x86_64
URL : https://www.archlinux.org/pacman/
Licenses : GPL-2.0-or-later
Groups : None
Provides : libalpm.so=14-64
Depends On : bash glibc libarchive curl gpgme pacman-mirrorlist gettext gawk coreutils
gnupg grep
Optional Deps : perl-locale-gettext: translation support in makepkg-template
Required By : arch-install-scripts archlinux-keyring base base-devel expac pacman-contrib
pacutils yay
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 4.78 MiB
Packager : Morten Linderud <foxboron@archlinux.org>
Build Date : 2024-03-16T03:46:11 AEST
Install Date : 2024-08-11T19:27:33 AEST
Install Reason : Explicitly installed
Install Script : No
Validated By : Signature
backup file: pacman: /etc/makepkg.conf (Modification time mismatch)
backup file: pacman: /etc/makepkg.conf (Size mismatch)
backup file: pacman: /etc/makepkg.conf (SHA256 checksum mismatch)
backup file: pacman: /etc/pacman.conf (Modification time mismatch)
backup file: pacman: /etc/pacman.conf (Size mismatch)
backup file: pacman: /etc/pacman.conf (SHA256 checksum mismatch)
pacman: 419 total files, 0 altered files
Name : gnupg
Version : 2.4.5-4
Description : Complete and free implementation of the OpenPGP standard
Architecture : x86_64
URL : https://www.gnupg.org/
Licenses : BSD-2-Clause BSD-3-Clause BSD-4-Clause CC0-1.0 GPL-2.0-or-later GPL-3.0-or-later
LGPL-2.1-or-later LGPL-3.0-or-later OR GPL-2.0-or-later MIT Unicode-TOU
Groups : None
Provides : None
Depends On : glibc gnutls libgcrypt libgpg-error libksba libldap libusb pinentry sh sqlite
tpm2-tss zlib bzip2 libbz2.so=1.0-64 libassuan libassuan.so=9-64 npth
libnpth.so=0-64 readline libreadline.so=8-64
Optional Deps : pcsclite: for using scdaemon not with the gnupg internal card driver [installed]
Required By : gpgme pacman
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 9.69 MiB
Packager : David Runge <dvzrv@archlinux.org>
Build Date : 2024-07-18T07:31:38 AEST
Install Date : 2024-08-11T19:27:33 AEST
Install Reason : Installed as a dependency for another package
Install Script : Yes
Validated By : Signature
gnupg: 236 total files, 0 altered files
Name : gpgme
Version : 1.23.2-6
Description : A C wrapper library for GnuPG
Architecture : x86_64
URL : https://www.gnupg.org/related_software/gpgme/
Licenses : GPL-2.0-or-later LGPL-2.0-or-later LGPL-2.1-or-later MIT
Groups : None
Provides : libgpgme.so=11-64 libgpgmepp.so=6-64
Depends On : gcc-libs glib2 glibc libassuan libgpg-error gnupg>=2
Optional Deps : None
Required By : claws-mail libjcat libreoffice-fresh pacman poppler samba volume_key
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 1487.32 KiB
Packager : David Runge <dvzrv@archlinux.org>
Build Date : 2024-07-18T07:26:09 AEST
Install Date : 2024-10-26T02:40:35 AEST
Install Reason : Installed as a dependency for another package
Install Script : No
Validated By : SHA-256 Sum
gpgme: 185 total files, 0 altered files
This one also returns exactly the same output on the working and broken machine (I used diff on the output and it reported no differences).
$ lddtree /usr/bin/pacman
/usr/bin/pacman (interpreter => /lib64/ld-linux-x86-64.so.2)
libalpm.so.14 => /usr/lib/libalpm.so.14
libcrypto.so.3 => /usr/lib/libcrypto.so.3
libcurl.so.4 => /usr/lib/libcurl.so.4
libnghttp3.so.9 => /usr/lib/libnghttp3.so.9
libnghttp2.so.14 => /usr/lib/libnghttp2.so.14
libidn2.so.0 => /usr/lib/libidn2.so.0
libunistring.so.5 => /usr/lib/libunistring.so.5
libssh2.so.1 => /usr/lib/libssh2.so.1
libpsl.so.5 => /usr/lib/libpsl.so.5
libssl.so.3 => /usr/lib/libssl.so.3
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2
libkrb5.so.3 => /usr/lib/libkrb5.so.3
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3
libcom_err.so.2 => /usr/lib/libcom_err.so.2
libkrb5support.so.0 => /usr/lib/libkrb5support.so.0
libkeyutils.so.1 => /usr/lib/libkeyutils.so.1
libresolv.so.2 => /usr/lib/libresolv.so.2
libzstd.so.1 => /usr/lib/libzstd.so.1
libbrotlidec.so.1 => /usr/lib/libbrotlidec.so.1
libbrotlicommon.so.1 => /usr/lib/libbrotlicommon.so.1
libz.so.1 => /usr/lib/libz.so.1
libgpgme.so.11 => /usr/lib/libgpgme.so.11
libassuan.so.9 => /usr/lib/libassuan.so.9
libgpg-error.so.0 => /usr/lib/libgpg-error.so.0
libarchive.so.13 => /usr/lib/libarchive.so.13
libacl.so.1 => /usr/lib/libacl.so.1
liblzma.so.5 => /usr/lib/liblzma.so.5
liblz4.so.1 => /usr/lib/liblz4.so.1
libbz2.so.1.0 => /usr/lib/libbz2.so.1.0
libxml2.so.2 => /usr/lib/libxml2.so.2
libicuuc.so.75 => /usr/lib/libicuuc.so.75
libicudata.so.75 => /usr/lib/libicudata.so.75
libstdc++.so.6 => /usr/lib/libstdc++.so.6
libgcc_s.so.1 => /usr/lib/libgcc_s.so.1
libm.so.6 => /usr/lib/libm.so.6
libc.so.6 => /usr/lib/libc.so.6
Thanks for the suggestions! Anything else I can look at? I'm not sure what gpg commands pacman runs but I wonder if there's something there I could try out? I find it odd that gpg is the thing reporting errors, yet pacman-keyring works without complaint and installing archlinux-keyring (with package signatures off) also works fine. Is there a direct gpg command I can use to verify a package signature in the same way pacman does, to see if that sheds any light on what the issue might be?
"debug: gpg error: Invalid crypto engine" 99% (<= very buttcurate estimation) of the time means some incompatible gpg versions collide.
The packages look fine.
The collision doesn't have to be in /usr/local/bin, these got in the way in the other thread:
type -a gpgsm gpgconf
Ultimately
sudo -i # root shell, you cannot sudo strace
strace -f -tt -o /tmp/what.the.fuck pacman -S archlinux-keyring
chmod ugo+rw /tmp/what.the.fuck
exit # we're not curling as root
cat /tmp/what.the.fuck | curl -F 'file=@-' 0x0.st
Well that helped me solve the problem! I had tried strace before I posted but I forgot to use -f so I couldn't see any of the GPG commands. That revealed how it was calling GPG, then I noticed it was passing in my terminal type. The "screen" terminal type recently changed and broke the terminal formatting so to sanity check (in case more than formatting was broken) I opened up a direct terminal window without screen, and that worked - the signatures validated and I could install packages properly.
Further investigation revealed screen was NOT at fault, but after doing a diff of environment variables I discovered that the DISPLAY variable was set differently between a working and failing session.
As it turns out, something breaks if DISPLAY is set, but it's set to a blank. You can reproduce the problem I was having by running a command like this:
DISPLAY= pacman -S archlinux-keyring
After removing the env var entirely with "unset DISPLAY" pacman now works fine again.
I imagine it's something to do with gpg figuring out where to prompt you for a password (even though in pacman's case gpg never needs to do this) and it fails when it gets a blank X11 display. I tried setting it to an invalid but properly formatted value like ":1" and it just ignores it, it only seems to fail when it's set to a blank.
What a weird cause! Well I'm glad that has resolved it, thank you both for your help!
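The cause in this thread was found by diffing the environment of a working and a failing session, where DISPLAY was set but blank rather than unset. The script below is an added example, not code from the thread or from pacman: it compares two saved `env` dumps and reports "(empty)" separately from "(unset)", and wraps a command so that a blank DISPLAY is dropped before it runs. The function names and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: find what differs between a working and a failing session's
# environment. A variable that is set but empty is reported as "(empty)",
# distinct from "(unset)", which is easy to overlook when comparing by eye.
# Caveat: parses line-oriented `env` output, so multi-line values are not handled.

# env_delta WORKING FAILING: one "NAME: before -> after" line per difference.
env_delta() {
    awk '
        function state(seen, val) {
            return !seen ? "(unset)" : (val == "" ? "(empty)" : val)
        }
        /^[A-Za-z_][A-Za-z0-9_]*=/ {
            i = index($0, "="); n = substr($0, 1, i - 1); v = substr($0, i + 1)
            if (FILENAME == ARGV[1]) { a[n] = v; ina[n] = 1 }
            else                     { b[n] = v; inb[n] = 1 }
            names[n] = 1
        }
        END {
            for (n in names)
                if (ina[n] != inb[n] || a[n] != b[n])
                    print n ": " state(ina[n], a[n]) " -> " state(inb[n], b[n])
        }' "$1" "$2" | sort
}

# Run a command with DISPLAY removed only when it is set but empty,
# the state that reproduced the failure in the thread.
run_without_blank_display() {
    if [ -n "${DISPLAY+set}" ] && [ -z "$DISPLAY" ]; then
        ( unset DISPLAY; "$@" )
    else
        "$@"
    fi
}

# Constructed sample dumps (not taken from the thread): compare and print.
sample_delta() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'TERM=xterm-256color' 'LANG=en_AU.UTF-8' > "$dir/working.env"
    printf '%s\n' 'TERM=screen' 'LANG=en_AU.UTF-8' 'DISPLAY=' > "$dir/failing.env"
    env_delta "$dir/working.env" "$dir/failing.env"
    rm -rf "$dir"
}

sample_delta
```

On real sessions, save `env > working.env` and `env > failing.env` in each terminal and pass the two files to `env_delta`.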