Welcome to the Pacman bug tracker. Please search the current bugs and feature requests before filing a new one! Use advanced search and select "Search in Comments".

* Please select the correct category and version.
* Write a descriptive summary, background info, and provide a reproducible test case whenever possible.

FS#71274 - [pacman] saves DB signature file to wrong filename when redirected to different filename

Attached to Project: Pacman
Opened by Christoph Reiter (lazka) - Wednesday, 16 June 2021, 20:37 GMT
Last edited by Allan McRae (Allan) - Thursday, 01 July 2021, 00:59 GMT
Task Type Bug Report
Category General
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version 6.0.0
Due in Version 6.0.1
Due Date Undecided
Percent Complete 100%
Votes 1
Private No


This worked with pacman 5, but fails with pacman 6

* Use the following DB in /etc/pacman.conf:

Server =

* Run `pacman -Syy`

Expected: It works

Actual: error: mingw64: missing required signature
error: failed to synchronize all databases (invalid or corrupted database (PGP signature))


The problem is that the mirror is a instance
which (1) redirects all URLs to a mirror and (2) de-refs symlinks before doing
so. This means there will be redirects with a different filename for each DB
related file.

The first request gives:

$ curl -I
HTTP/2 302
cache-control: private, no-cache
content-type: text/html; charset=utf-8
date: Wed, 16 Jun 2021 20:21:05 GMT
link: <>; rel=duplicate; pri=1; geo=de
server: Mirrorbits/v0.5.1-31-geeea0e0-dirty

This results in pacman doing the following:

debug: mingw64.db: url is
debug: mingw64.db: maxsize 134217728
debug: mingw64.db: opened tempfile for download: /var/lib/pacman/sync/mingw64.db.part (wb)
debug: mingw64.db: curl returned result 0 from transfer
debug: mingw64.db: response code 200

Then it tries to fetch the signature file:

debug: mingw64.db.tar.gz.sig: url is
debug: mingw64.db.tar.gz.sig: maxsize 16384
debug: mingw64.db.tar.gz.sig: opened tempfile for download: /var/lib/pacman/sync/mingw64.db.tar.gz.sig.part (wb)
debug: mingw64.db.tar.gz.sig: curl returned result 0 from transfer
debug: mingw64.db.tar.gz.sig: response code 200

Then it fails to find the signature file on disk and fails:

debug: "/var/lib/pacman/sync/mingw64.db.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/mingw64.db.sig could not be opened
debug: got error 43 at _alpm_gpgme_checksig (../lib/libalpm/signing.c: 593) : missing PGP signature
debug: missing required signature
error: mingw64: missing required signature
debug: failed to validate db: mingw64

The filesystem contains a /var/lib/pacman/sync/mingw64.db.tar.gz.sig though

I know that this is a bit of a weird edge case, so if this is out of scope I
understand. I'll try to teach(hack) mirrorbits to not de-reference symlinks
This task depends upon

Closed by  Allan McRae (Allan)
Thursday, 01 July 2021, 00:59 GMT
Reason for closing:  Fixed
Additional comments about closing:  git commit 0147de169a2abd193699957d4e76aec522901fd2
Comment by Christoph Reiter (lazka) - Wednesday, 16 June 2021, 23:40 GMT
I'll try to fix mirrorbits (my server) to not leak symlink de-reffing. Maybe this becomes all moot then.
Comment by morganamilo (morganamilo) - Thursday, 17 June 2021, 01:01 GMT
It's a bug in alpm either way. Glad your server exposed it in time for a .1 release.
Comment by Christoph Reiter (lazka) - Thursday, 17 June 2021, 08:34 GMT
Ah, the server URL was wrong, it's "" (I can't find a way to edit the post)
Comment by Christoph Reiter (lazka) - Friday, 18 June 2021, 10:08 GMT