Community Packages

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#69222 - [confuse] invalid or corrupted package - marginal trust

Attached to Project: Community Packages
Opened by Patryk Hes (hesonator) - Tuesday, 05 January 2021, 15:54 GMT
Last edited by Morten Linderud (Foxboron) - Tuesday, 05 January 2021, 19:49 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To No-one
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

When trying to install `confuse` package (an indirect dependency of `mplayer`), the signature of one of the trusted users is "marginal trust":

```
$ pacman -S --asdeps confuse

(...)

Packages (1) confuse-3.3-2

(...)

error: confuse: signature from "Baptiste Jonglez" <baptiste@bitsofnetworks.org> is marginal trust
:: File /var/cache/pacman/pkg/confuse-3.3-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.
```

Before that, to ensure I have an up-to-date list of keys, I executed:

```
$ sudo pacman -Sy archlinux-keyring
$ sudo pacman-key --populate archlinux
$ sudo pacman-key --refresh-keys
```

Still, the keys are annotated as "marginal trust":

```
$ pacman-key -l | grep bitsofnetworks
uid [marginal] Baptiste Jonglez <baptiste@bitsofnetworks.org>
```
This task depends upon

Closed by  Morten Linderud (Foxboron)
Tuesday, 05 January 2021, 19:49 GMT
Reason for closing:  Fixed
Additional comments about closing:  Resigned all packages
Comment by Morten Linderud (Foxboron) - Tuesday, 05 January 2021, 16:16 GMT
Right, I got the issue now.

You fetched a revoked signature and the packages hasn't been rebuilt.


babeld Baptiste Jonglez <archlinux@bitsofnetworks.org>
confuse Baptiste Jonglez <archlinux@bitsofnetworks.org>
fastd Baptiste Jonglez <archlinux@bitsofnetworks.org>
fig2dev Baptiste Jonglez <archlinux@bitsofnetworks.org>
lesspipe Baptiste Jonglez <archlinux@bitsofnetworks.org>
msgpack-c Baptiste Jonglez <archlinux@bitsofnetworks.org>
yodl Baptiste Jonglez <archlinux@bitsofnetworks.org>


Rebuilding these packages tonight.
Comment by Eli Schwartz (eschwartz) - Tuesday, 05 January 2021, 16:32 GMT
  • Field changed: Attached to Project (Arch Linux → Community Packages)
  • Field changed: Summary (invalid or corrupted package - marginal trust → [confuse] invalid or corrupted package - marginal trust)
Including actual metadata in the title and assigning to the right bugtracker...

(For future notice, the package details page has a link to create a new bug report with this stuff pre-filled.)
Comment by Morten Linderud (Foxboron) - Tuesday, 05 January 2021, 19:49 GMT
Konstantin rebuilt all the packages so this shouldn't be an issue going forward :)

Loading...