FS#46107 - Pacman should detect invalid files before replacing the original

Attached to Project: Pacman
Opened by Roel Brook (Rainmaker52) - Tuesday, 25 August 2015, 21:15 GMT
Last edited by Eli Schwartz (eschwartz) - Tuesday, 29 May 2018, 06:19 GMT
Task Type Bug Report
Category Backend/Core
Status Unconfirmed
Assigned To No-one
Architecture All
Severity Medium
Priority Normal
Reported Version 4.2.1
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 5
Private No


When connected to a Wi-Fi network which uses a login portal (such as hotels or guest Wi-Fi networks), the pacman database gets overwritten with the login page for this portal. On subsequent syncs, it will complain about missing GPG errors.

Steps to reproduce:
- Boot
- Connect to a Wi-Fi network with a portal page
- In the background, update-manager will update the pacman repository
- /var/lib/pacman/sync/core.db content is now:
<HTML><HEAD><TITLE> Web Authentication Redirect</TITLE><META http-equiv="Cache-control" content="no-cache"><META http-equiv="Pragma" content="no-cache"><META http-equiv="Expires" content="-1"><META http-equiv="refresh" content="1; URL=https://some.corp.le:8443/guestportal/gateway?sessionId=ac1901050002498b55dc14c6&action=cwa"></HEAD></HTML>
- A pacman -Suy gives:
error: GPGME error: No data
error: GPGME error: No data
:: Synchronizing package databases...
core is up to date
extra is up to date
community 2.7 MiB 6.64M/s 00:00 [######################] 100%
multilib is up to date
error: database 'core' is not valid (invalid or corrupted database (PGP signature))
error: database 'multilib' is not valid (invalid or corrupted database (PGP signature))

Expected results:
It should be detected that the file is invalid BEFORE the .db is overwritten.

This may be either a bug in update-manager, or in pacman itself. I am unsure whether update-manager /calls/ pacman -Suy, or whether it downloads the .db files itself and replaces them.

A quick fix is rm /var/lib/pacman/sync/*.db

Additional info:
* package version(s)
pacman 4.2.1-2
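
The behaviour asked for under "Expected results", as an added example that is not pacman or libalpm code: the download lands in a temporary file, is checked for a compressed-archive header, and only then is rename()d over the existing .db. The function names, the `.part` suffix, the /tmp paths and the magic-number list are assumptions; a content check like this complements signature verification and does not replace it.

```c
/* Added example, not pacman/libalpm code: check a download before it replaces the old file. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumption: a sync db is a compressed tar, so it begins with one of these magic numbers.
 * Returns 1 if the file at path starts with one of them, 0 otherwise (HTML, empty, missing). */
int file_is_archive(const char *path) {
    static const struct { const char *magic; size_t len; } sigs[] = {
        { "\x1f\x8b", 2 },          /* gzip */
        { "\xfd" "7zXZ", 5 },       /* xz */
        { "BZh", 3 },               /* bzip2 */
        { "\x28\xb5\x2f\xfd", 4 },  /* zstd */
    };
    unsigned char head[8];
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    size_t n = fread(head, 1, sizeof head, f);
    fclose(f);
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (n >= sigs[i].len && memcmp(head, sigs[i].magic, sigs[i].len) == 0)
            return 1;
    return 0;
}

/* Inspect the temp file and rename() it over dest only if it passes.
 * Returns 0 when installed, -1 when rejected (dest untouched, temp deleted). */
int install_if_valid(const char *tmp, const char *dest) {
    if (!file_is_archive(tmp)) {
        unlink(tmp);
        return -1;
    }
    return rename(tmp, dest) == 0 ? 0 : -1;  /* atomic when both are on one filesystem */
}

/* Demo helper: write constructed bytes to a file. Returns 0 on success. */
int write_file(const char *path, const char *data, size_t len) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t w = fwrite(data, 1, len, f);
    return (fclose(f) == 0 && w == len) ? 0 : -1;
}

int main(void) {
    write_file("/tmp/demo_core.db", "\x1f\x8b" "old", 5);      /* constructed stand-in db */
    write_file("/tmp/demo_core.db.part", "<HTML><HEAD>", 12);  /* constructed portal reply */
    int r = install_if_valid("/tmp/demo_core.db.part", "/tmp/demo_core.db");
    printf("portal page installed: %s\n", r == 0 ? "yes" : "no, old db kept");
    return 0;
}
```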


Comment by Jens Adam (byte) - Friday, 28 August 2015, 12:30 GMT
I agree with "It should be detected that the file is invalid BEFORE the .db is overwritten", but an HTTPS mirror would have prevented this: https://www.archlinux.org/mirrorlist/all/https/ ... just saying.

Comment by Tim Ruffing (realorrandom) - Sunday, 10 January 2016, 16:25 GMT
Just had the same issue, this behaviour is indeed wrong.

The proper way to force a refresh of the package db is "pacman -Syy" by the way.