
FS#75574 - updates after a long time fail most of the time: invalid or corrupted package

Attached to Project: Pacman
Opened by Rainer Schoenberger (rainerschoe) - Wednesday, 10 August 2022, 16:00 GMT
Task Type: Bug Report
Category: General
Status: Unconfirmed
Assigned To: No-one
Architecture: All
Severity: High
Priority: Normal
Reported Version: 6.0.1
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 3
Private: No


= Summary and Info:
I have been using Arch for >10 years now and am quite lazy updating my system. If lucky I will do this once a month.
Most of the time, during this time, keys with which packages are signed have changed.

This leads to the following error when doing `pacman -Syu`:
:: File XXXXX is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
Which in any case (Y/n does not matter) aborts the update.

= This is a widespread problem:
This was brought up in many other bug reports already: e.g. FS#47892, FS#52864, FS#47934, etc.
Those were set to duplicate on each other or "Won't implement", so I am sorry for opening this again, no harm intended.

Also there is a lot of discussion going on in forums:

However, as I and many other Arch users are annoyed with this, I wanted to start discussion on this again, to at least understand the reason behind it and if possible come to an official solution or documentation for this problem.

= Existing workaround
The best workaround proposed for this is to manually run `pacman -Sy archlinux-keyring` first and then run `pacman -Syu`.

= Possible permanent solutions I can think of are:
- Ensure a system upgrade always updates `archlinux-keyring` first
- Print an informational text on corrupted packages, that the user might want to update `archlinux-keyring` and try again
- Ignore corrupted packages and at least continue updating what is possible
- Update the documentation to let users know that `archlinux-keyring` needs to be updated first
- Remove or extend misleading information in the wiki about this error, which does not solve this particular problem:

= Steps to Reproduce:
Wait a month or two, without updating the system, then run `pacman -Syu`
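
A sketch of the second proposal in the report above (an informational hint when packages fail signature verification), added here as an example; it is not part of the original report or of pacman. It scans pacman output for the error line quoted in the report and leaves other corruption reasons alone. The function names and the sample output, package file names included, are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of pacman output. The PGP lines follow the format quoted
# in the report; the file names and the checksum line are made up.
SAMPLE_OUTPUT=':: Synchronizing package databases...
:: File /var/cache/pacman/pkg/foo-1.0-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
:: File /var/cache/pacman/pkg/bar-2.3-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
:: File /var/cache/pacman/pkg/baz-0.9-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (checksum)).
Do you want to delete it? [Y/n]'

# Read pacman output on stdin and print the path of every file that was
# rejected specifically for a PGP signature failure (one path per line).
pgp_failures() {
    sed -n 's/^:: File \(.*\) is corrupted (invalid or corrupted package (PGP signature))\.$/\1/p'
}

# Read pacman output on stdin. If any file failed signature verification,
# print the affected files and the workaround from the report.
# Exit status: 0 = hint printed, 1 = no signature failures seen.
keyring_hint() {
    failed=$(pgp_failures)
    [ -n "$failed" ] || return 1
    count=$(printf '%s\n' "$failed" | wc -l | tr -d ' ')
    printf '%s package file(s) failed PGP signature verification:\n' "$count"
    printf '%s\n' "$failed" | sed 's/^/  /'
    printf 'The local keyring may be out of date. Try:\n'
    printf '  pacman -Sy archlinux-keyring\n'
    printf '  pacman -Syu\n'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | keyring_hint || true
```

The hint only points at the keyring; signature checking stays enabled, so a package that still fails after the keyring update is still rejected.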

Comment by Matthias Braun (mb720) - Thursday, 29 September 2022, 20:41 GMT
I agree, this reliably occurs when updating a machine that hasn't been updated in a while.

If I remember correctly, when issuing `pacman -Syu` in Manjaro, it takes care of keys first by running `pacman -S archlinux-keyring`.

Adding more reports of users who encountered this issue: