#26 2025-06-03 21:18:32

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 74,254

Re: invalid signatures every update [SOLVED]

Sanity check:

echo GETPIN | pinentry
printenv | grep -i gpg

Offline

#27 2025-06-04 14:40:59

thoth
Member
Registered: 2010-01-10
Posts: 112

echo GETPIN | pinentry

Ok Pleased to meet you, process 544285
D deadbeef
OK
printenv | grep -i gpg

Offline

#28 2025-06-04 14:42:07

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 74,254

Do you get a nifty GUI dialog for pinentry?

Offline

#29 2025-06-04 15:27:07

thoth
Member
Registered: 2010-01-10
Posts: 112

yes indeed

Offline

#30 2025-06-04 19:15:13

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 74,254

Likewise dead end :(
Did you manage to reset the keys in the meantime?

Offline

#31 2025-06-04 19:39:23

Scimmia
Fellow
Registered: 2012-09-01
Posts: 13,694

How about `type -a gpg`?

Online

#32 2025-06-04 20:47:11

thoth
Member
Registered: 2010-01-10
Posts: 112

@seth I cannot reset the keys by removing that directory:

+ mv /etc/pacman.d/gnupg /tmp/
+ systemctl restart gpg-agent@etc-pacman.d-gnupg.socket
+ pacman-key --init
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/etc/pacman.d/gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded
==> Generating pacman master key. This may take some time.
gpg: Generating pacman keyring master key...
gpg: agent_genkey failed: No such file or directory
gpg: key generation failed: No such file or directory
gpg: Done
==> Updating trust database...
gpg: no need for a trustdb check

@Scimmia

root@saruman ~ # type -a gpg
gpg is /usr/bin/gpg

Offline

#33 2025-06-04 20:59:16

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 74,254

type -a gpg-agent
for bin in $(pacman -Qlq gnupg gpgme | grep -E 'bin/.+'); do type $(basename $bin) | grep " $bin" > /dev/null || echo $bin; done
killall gpg-agent
mv /etc/pacman.d/gnupg /tmp/
pacman-key --init

Offline

#34 2025-06-10 14:48:07

thoth
Member
Registered: 2010-01-10
Posts: 112

OK, I finally got this cleaned out. Killing the gpg-agent seemed to do the trick.

I'm still not sure what went wrong or why this machine is prone to developing this issue.

I ended up gathering all of the above into a `cleanring.sh`:

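#!/usr/bin/env bash
# Reset pacman's keyring: stop the agent, move the old keyring away, rebuild it.
main () {
  set -eux
  killall gpg-agent || true         # no running agent is fine; don't abort under set -e
  mv /etc/pacman.d/gnupg /tmp/      # keep the old keyring as a backup
  pacman-key --init
  pacman-key --populate
  pacman-key --refresh-keys
  systemctl restart gpg-agent@etc-pacman.d-gnupg.socket
  pacman -Sy archlinux-keyring
  pacman -Su ncdu
}
time main "$@"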

I'm sure some of the steps may be unnecessary/overkill but this finally works!

Some interesting side bits:

type -a gpg-agent
gpg-agent is /usr/bin/gpg-agent

But what was this supposed to show?

for bin in $(pacman -Qlq gnupg gpgme | grep -E 'bin/.+'); do type $(basename $bin) | grep " $bin" > /dev/null || echo $bin; done

It returns nothing? If I get rid of the redirect to /dev/null and the OR:

for bin in $(pacman -Qlq gnupg gpgme | grep -E 'bin/.+'); do type $(basename $bin); done
addgnupghome is /usr/bin/addgnupghome
applygnupgdefaults is /usr/bin/applygnupgdefaults
dirmngr is /usr/bin/dirmngr
dirmngr-client is /usr/bin/dirmngr-client
gpg is /usr/bin/gpg
gpg-agent is /usr/bin/gpg-agent
gpg-card is /usr/bin/gpg-card
gpg-connect-agent is /usr/bin/gpg-connect-agent
gpg-mail-tube is /usr/bin/gpg-mail-tube
gpg-wks-client is /usr/bin/gpg-wks-client
gpg-wks-server is /usr/bin/gpg-wks-server
gpg2 is /usr/bin/gpg2
gpgconf is /usr/bin/gpgconf
gpgparsemail is /usr/bin/gpgparsemail
gpgscm is /usr/bin/gpgscm
gpgsm is /usr/bin/gpgsm
gpgsplit is /usr/bin/gpgsplit
gpgtar is /usr/bin/gpgtar
gpgv is /usr/bin/gpgv
gpgv2 is /usr/bin/gpgv2
kbxutil is /usr/bin/kbxutil
watchgnupg is /usr/bin/watchgnupg
gpgme-json is /usr/bin/gpgme-json
gpgme-tool is /usr/bin/gpgme-tool

Last edited by thoth (2025-06-10 14:52:11)

Offline

#35 2025-06-10 15:01:45

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 74,254

But what was this supposed to show?

Be careful w/ typing commands into interactive shells unless you understand them.
It lists all files in gnupg and gpgme, filters for those in *bin/*, checks what is actually resolved for them on the system and prints every deviation.
You'd indeed ideally see nothing - every output would have indicated a problem.

https://wiki.archlinux.org/title/GnuPG#gpg-agent

gpgconf --list-dirs

Do you lose access to a socket?

Offline
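
Added example, not posted by anyone in this thread: the check seth describes above, written out as a script so each step is visible. It walks `$PATH` itself rather than calling `type` (so aliases, functions and the shell's hash table are not consulted), and the demo tree and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report files whose basename resolves
# to a different executable on $PATH than the path the package installed.

# Print the first executable named $1 found on $PATH (plain PATH walk only).
resolve_in_path() (
    IFS=:
    set -f                              # no globbing while splitting $PATH
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.          # an empty PATH entry means the cwd
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# Read absolute paths on stdin (e.g. from `pacman -Qlq gnupg gpgme`) and print
# "expected -> resolved" for every */bin/* entry that resolves elsewhere.
check_shadowed() {
    while IFS= read -r expected; do
        case $expected in
            */bin/?*) ;;                # keep binaries, skip dirs and other files
            *) continue ;;
        esac
        actual=$(resolve_in_path "${expected##*/}") || actual='(not on PATH)'
        [ "$actual" = "$expected" ] || printf '%s -> %s\n' "$expected" "$actual"
    done
}

# Constructed demo: a throwaway tree where home/bin/gpg shadows usr/bin/gpg.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin" "$tmp/home/bin"
    for f in gpg gpg-agent; do
        printf '#!/bin/sh\n' > "$tmp/usr/bin/$f"
        chmod +x "$tmp/usr/bin/$f"
    done
    cp "$tmp/usr/bin/gpg" "$tmp/home/bin/gpg"
    printf '%s\n' "$tmp/usr/bin/" "$tmp/usr/bin/gpg" "$tmp/usr/bin/gpg-agent" |
        ( PATH="$tmp/home/bin:$tmp/usr/bin"; check_shadowed )
    rm -rf "$tmp"
}
demo
```

On a healthy system `pacman -Qlq gnupg gpgme | check_shadowed` prints nothing; any line names a binary that a different file earlier on `$PATH` would run in its place.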

#36 2025-06-12 17:30:16

thoth
Member
Registered: 2010-01-10
Posts: 112

Be careful w/ typing commands into interactive shells unless you understand them.

Ya that's why I decomposed it a bit to see what output was being piped to that OR.

Do you lose access to a socket?

I don't think so? But maybe...

Offline

#37 2025-06-12 20:27:52

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 74,254

But maybe...

Dump the gpgconf --list-dirs while it's working, check it again when it doesn't, then stat the relevant files to see whether you lack one - or permissions on it.

Offline
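
Added example, not posted by anyone in this thread: one way to carry out the snapshot-and-compare that seth suggests above. It assumes GNU coreutils `stat` (as on Arch) and that pacman's keyring at `/etc/pacman.d/gnupg` is the homedir of interest; the function names, output file names and demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils `stat`.

# Read "name:path" lines, the format printed by `gpgconf --list-dirs`, and
# print one line per entry: file type, mode and owner, or MISSING.
snapshot_dirs() {
    while IFS=: read -r name path; do
        [ -n "$path" ] || continue
        if [ -e "$path" ] || [ -L "$path" ]; then
            printf '%s %s %s\n' "$name" "$path" "$(stat -c '%F %A %U:%G' "$path")"
        else
            printf '%s %s MISSING\n' "$name" "$path"
        fi
    done
}

# Print the lines of snapshot $2 that do not appear verbatim in snapshot $1.
changed_since() {
    grep -Fxv -f "$1" "$2" || true      # grep exits 1 when nothing changed
}

# On the real system (run as root; output file names are hypothetical, and
# --homedir pointing at pacman's keyring is an assumption):
#   gpgconf --homedir /etc/pacman.d/gnupg --list-dirs | snapshot_dirs > dirs.good
#   ... later, once signatures fail again ...
#   gpgconf --homedir /etc/pacman.d/gnupg --list-dirs | snapshot_dirs > dirs.bad
#   changed_since dirs.good dirs.bad

# Constructed demo: a plain file stands in for the agent socket, then it is
# removed and the homedir loses its write bit before the second snapshot.
demo() {
    tmp=$(mktemp -d)
    mkdir -m 700 "$tmp/home"
    : > "$tmp/home/S.gpg-agent"
    dirs=$(printf '%s\n' "homedir:$tmp/home" "agent-socket:$tmp/home/S.gpg-agent")
    printf '%s\n' "$dirs" | snapshot_dirs > "$tmp/good"
    rm "$tmp/home/S.gpg-agent"
    chmod 500 "$tmp/home"
    printf '%s\n' "$dirs" | snapshot_dirs > "$tmp/bad"
    changed_since "$tmp/good" "$tmp/bad" | sed "s|$tmp|TMP|g"
    chmod 700 "$tmp/home"
    rm -rf "$tmp"
}
demo
```

A `MISSING` line for a socket, or a changed mode or owner on the homedir, points at the kind of lost access the thread is trying to pin down.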
