FS#71983 - Keyring is broken upon a fresh pacstrap against a synced mirror

Attached to Project: Arch Linux
Opened by Martin Rys (C0rn3j) - Wednesday, 01 September 2021, 13:34 GMT
Last edited by Toolybird (Toolybird) - Monday, 22 August 2022, 08:25 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Pierre Schmitz (Pierre), Christian Hesse (eworm)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
Packages fail to install on a new install due to bad keyring


Additional info:
* dos2unix 7.4.2-1, archlinux-keyring 20210820-1

Steps to reproduce:
* Boot 2021.08.01 ISO
* Run reflector sorting by rate
* Pacstrap new install, chroot into it
* pacman -Syu dos2unix
* Get error that Daurnimator's signature is unknown trust
* /usr/bin/pacman-key --populate archlinux
* pacman -Syu dos2unix
* All works

Workaround: /usr/bin/pacman-key --populate archlinux or -S archlinux-keyring

Closed by Toolybird (Toolybird)
Monday, 22 August 2022, 08:25 GMT
Reason for closing: Fixed
Additional comments about closing: See comments
Comment by Doug Newgard (Scimmia) - Wednesday, 01 September 2021, 13:57 GMT
2021.09.01 ISO is already up which would have this fixed. This is pretty much expected.
Comment by Martin Rys (C0rn3j) - Wednesday, 01 September 2021, 14:09 GMT
At the time the issue happened to me (which was earlier today), 2021.09.01 ISO was not yet released.

I re-tested with the new ISO and I can indeed install dos2unix with no issue - is the keyring copied from ISO to pacstrapped env somehow?

I don't understand how updating ISO has fixed the issue.
Comment by Doug Newgard (Scimmia) - Wednesday, 01 September 2021, 14:13 GMT
Yes, the keyring is copied from the live environment unless you use pacstrap's '-G' option.
Comment by Pierre Schmitz (Pierre) - Friday, 03 September 2021, 11:26 GMT
A fix would be to run "pacman -Sy archlinux-keyring" on the ISO live environment, right? Also, doesn't pacman fetch unknown keys via wkd?
Comment by Martin Rys (C0rn3j) - Friday, 03 September 2021, 12:07 GMT
What benefit is there in defaulting to importing keyring from host instead of archlinux-keyring on a pacstrap?

If it is 'pretty much expected' for packages to be broken on a clean install from time to time, wouldn't it be better to default to the provided keyring that pacstrap installs anyway, instead of the one from the host which is likely outdated?

I am not well-versed with keyrings, so apologies if my suggestion does not make sense.
Comment by Doug Newgard (Scimmia) - Friday, 03 September 2021, 12:18 GMT
It's done that way because the keyring is initialized (local master key created) when you boot the ISO. Might be better if pacstrap copied it before installing packages, though.
Comment by Doug Newgard (Scimmia) - Friday, 03 September 2021, 13:40 GMT
Looking at the script, it actually does copy the keyring before installing the packages, so the keyring should have been updated when archlinux-keyring was installed. You don't happen to have a log from when it failed, do you?
Comment by Doug Newgard (Scimmia) - Friday, 03 September 2021, 14:52 GMT
I see the problem now, pacman depends on archlinux-keyring which means it gets installed before pacman. It can't run pacman-key in the post_install script to update the keyring.
Comment by Toolybird (Toolybird) - Monday, 22 August 2022, 08:25 GMT
This should now be fixed as the deps for pacman and archlinux-keyring were recently swapped around [1][2]

[1] https://github.com/archlinux/svntogit-packages/commit/1ceaf784
[2] https://github.com/archlinux/svntogit-packages/commit/f7a67eb3
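
The install-ordering problem identified in the comments, and the effect of swapping the dependency, as an added example (not code from pacman, pacstrap or this tracker). It is a simplified model that assumes dependencies are unpacked before their dependants and that a post_install hook runs right after its own package is unpacked; the function and constant names are hypothetical.

```python
# Added illustration: a simplified model, not pacman's actual resolver.
# Assumptions: dependencies are unpacked before their dependants, and a
# package's post_install hook runs immediately after that package is unpacked.

PROVIDES = {"pacman": {"pacman-key"}}              # binary shipped by each package
HOOK_NEEDS = {"archlinux-keyring": "pacman-key"}   # binary the post_install hook calls


def install_order(deps, targets):
    """Depth-first ordering in which every dependency precedes its dependant."""
    order, seen = [], set()

    def visit(pkg):
        if pkg in seen:
            return
        seen.add(pkg)
        for dep in deps.get(pkg, ()):
            visit(dep)
        order.append(pkg)

    for target in targets:
        visit(target)
    return order


def effective_keyring(deps, targets, copied_from_host="live ISO keyring"):
    """Return (install order, keyring the new root trusts after the transaction)."""
    on_disk, keyring = set(), copied_from_host  # pacstrap copies the host keyring first
    order = install_order(deps, targets)
    for pkg in order:
        on_disk |= PROVIDES.get(pkg, set())
        needed = HOOK_NEEDS.get(pkg)
        if needed and needed in on_disk:
            keyring = f"populated from {pkg}"   # hook could run pacman-key
    return order, keyring


TARGETS = ["pacman", "archlinux-keyring"]
BEFORE = {"pacman": ["archlinux-keyring"]}   # dependency direction described in the thread
AFTER = {"archlinux-keyring": ["pacman"]}    # direction after the deps were swapped

if __name__ == "__main__":
    for label, deps in (("before", BEFORE), ("after", AFTER)):
        print(label, *effective_keyring(deps, TARGETS))
```

In the "before" case the new root is left trusting only the keyring copied from the live environment, which is why packages signed with newer keys were rejected until `pacman-key --populate archlinux` was run by hand.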
