Pacman

FS#75574 - updates after a long time fail most of the time: invalid or corrupted package

Attached to Project: Pacman
Opened by Rainer Schoenberger (rainerschoe) - Wednesday, 10 August 2022, 16:00 GMT
Task Type Bug Report
Category General
Status Unconfirmed
Assigned To No-one
Architecture All
Severity High
Priority Normal
Reported Version 6.0.1
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 3
Private No

Details

= Summary and Info:
I have been using Arch for >10 years now and am quite lazy updating my system. If lucky I will do this once a month.
Most of the time, during this time, keys with which packages are signed have changed.

This leads to the following error when doing `pacman -Syu`:
:: File XXXXX is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
Which in any case (Y/n does not matter) aborts the update.

= This is a widespread problem:
This was brought up in many other bug reports already: e.g. FS#47892, FS#52864, FS#47934, etc.
Those were set as duplicates of each other or "Won't implement", so I am sorry for opening this again, no harm intended.

Also there is a lot of discussion going on in forums:
https://ostechnix.com/fix-invalid-corrupted-package-pgp-signature-error-arch-linux/
https://forum.archlinux.de/d/34365-vmaf-invalid-or-corrupted-package-pgp-signature/3
https://bbs.archlinux.org/viewtopic.php?id=233480

However, as I and many other Arch users are annoyed with this, I wanted to start discussion on this again, to at least understand the reason behind it and if possible come to an official solution or documentation for this problem.

= Existing workaround
The best workaround proposed for this is to manually run `pacman -Sy archlinux-keyring` first and then run `pacman -Syu`

= Possible permanent solutions I can think of are:
- Ensure a system upgrade always updates `archlinux-keyring` first
- Print an informational text on corrupted packages, that the user might want to update `archlinux-keyring` and try again
- Ignore corrupted packages and at least continue updating what is possible
- Update the documentation to let users know that `archlinux-keyring` needs to be updated first
https://wiki.archlinux.org/title/Pacman#Upgrading_packages
https://wiki.archlinux.org/title/System_maintenance#Upgrading_the_system
- Remove or extend misleading information in the wiki about this error, which does not solve this particular problem:
https://wiki.archlinux.org/title/Pacman#%22Failed_to_commit_transaction_(invalid_or_corrupted_package)%22_error



= Steps to Reproduce:
Wait a month or two, without updating the system, then run `pacman -Syu`

Comment by Matthias Braun (mb720) - Thursday, 29 September 2022, 20:41 GMT
I agree, this reliably occurs when updating a machine that hasn't been updated in a while.

If I remember correctly, when issuing `pacman -Syu` in Manjaro, it takes care of keys first by running `pacman -S archlinux-keyring`.

Adding more reports of users who encountered this issue:

* https://stackoverflow.com/questions/23662434/pacman-syu-not-working-invalid-pgp-key
* https://unix.stackexchange.com/questions/574493/sudo-pacman-syu-fails-with-error-failed-to-commit-transaction-invalid-or-cor
* https://bbs.archlinux.org/viewtopic.php?id=244976
* https://www.reddit.com/r/archlinux/comments/jt28r2/pacman_corrupt_package/
* https://www.reddit.com/r/archlinux/comments/mmlgq9/invalid_pgp_signature_on_packages_during_update/
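
The informational hint proposed in the report, as an added example that is not pacman's code and not part of the thread: it reads pacman output on stdin, separates PGP signature failures from other corruption, and suggests the keyring workaround only for the former. The function names and the sample output lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify pacman "is corrupted" lines read on stdin.
# Function names and sample output below are constructed for illustration.

# Prints one verdict: keyring | mixed | corrupt | clean
classify_pacman_failures() {
    sig=0
    other=0
    while IFS= read -r line; do
        case $line in
            *"is corrupted (invalid or corrupted package (PGP signature))"*)
                sig=$((sig + 1)) ;;      # signature could not be verified
            *"is corrupted ("*)
                other=$((other + 1)) ;;  # e.g. checksum mismatch
        esac
    done
    if [ "$sig" -gt 0 ] && [ "$other" -eq 0 ]; then echo keyring
    elif [ "$sig" -gt 0 ]; then echo mixed
    elif [ "$other" -gt 0 ]; then echo corrupt
    else echo clean
    fi
}

# Maps a verdict to the hint a user would see.
advise() {
    case $1 in
        keyring) echo "Signature checks failed: run 'pacman -Sy archlinux-keyring', then 'pacman -Syu'." ;;
        mixed)   echo "Signature and other failures: refresh the keyring, then re-download remaining corrupted files." ;;
        corrupt) echo "Corruption unrelated to signatures: delete the cached file and download it again." ;;
        clean)   echo "No corrupted packages reported." ;;
    esac
}

# Constructed sample output (package names are placeholders).
SAMPLE_STALE_KEYRING=':: File /var/cache/pacman/pkg/example-a-1.0-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
:: File /var/cache/pacman/pkg/example-b-2.3-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).'
SAMPLE_BAD_DOWNLOAD=':: File /var/cache/pacman/pkg/example-c-0.9-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (checksum)).'

advise "$(printf '%s\n' "$SAMPLE_STALE_KEYRING" | classify_pacman_failures)"
advise "$(printf '%s\n' "$SAMPLE_BAD_DOWNLOAD" | classify_pacman_failures)"
```

A `keyring` verdict only means the signatures could not be verified with the locally installed keys; the packages stay unverified until the upgrade is retried with a current keyring.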
