FS#75574 - updates after a long time fail most of the time: invalid or corrupted package
Attached to Project:
Pacman
Opened by Rainer Schoenberger (rainerschoe) - Wednesday, 10 August 2022, 16:00 GMT
Last edited by Allan McRae (Allan) - Saturday, 02 September 2023, 23:01 GMT
Details
= Summary and Info:
I have been using Arch for >10 years now and am quite lazy about updating my system. If lucky I will do this once a month. Most of the time, during this time, keys with which packages are signed have changed. This leads to the following error when doing `pacman -Syu`:
:: File XXXXX is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
Which in any case (Y/n does not matter) aborts the update.

= This is a widespread problem:
This was brought up in many other bug reports already: e.g.
Those were set to duplicate on each other or "Won't implement", so I am sorry for opening this again, no harm intended.
Also there is a lot of discussion going on in forums:
https://ostechnix.com/fix-invalid-corrupted-package-pgp-signature-error-arch-linux/
https://forum.archlinux.de/d/34365-vmaf-invalid-or-corrupted-package-pgp-signature/3
https://bbs.archlinux.org/viewtopic.php?id=233480
However, as I and many other Arch users are annoyed with this, I wanted to start discussion on this again, to at least understand the reason behind it and if possible come to an official solution or documentation for this problem.

= Existing workaround
The best workaround proposed for this is to manually run `pacman -Sy archlinux-keyring` first and then run `pacman -Syu`

= Possible permanent solutions I can think of are:
- Ensure a system upgrade always updates `archlinux-keyring` first
- Print an informational text on corrupted packages, that the user might want to update `archlinux-keyring` and try again
- Ignore corrupted packages and at least continue updating what is possible
- Update the documentation to let users know that `archlinux-keyring` needs to be updated first
  https://wiki.archlinux.org/title/Pacman#Upgrading_packages
  https://wiki.archlinux.org/title/System_maintenance#Upgrading_the_system
- Remove or extend misleading information in the wiki about this error, which does not solve this particular problem:
  https://wiki.archlinux.org/title/Pacman#%22Failed_to_commit_transaction_(invalid_or_corrupted_package)%22_error

= Steps to Reproduce:
Wait a month or two, without updating the system, then run `pacman -Syu`
Closed by Allan McRae (Allan)
Saturday, 02 September 2023, 23:01 GMT
Reason for closing: Works for me
If I remember correctly, when issuing `pacman -Syu` in Manjaro, it takes care of keys first by running `pacman -S archlinux-keyring`.
Adding more reports of users who encountered this issue:
* https://stackoverflow.com/questions/23662434/pacman-syu-not-working-invalid-pgp-key
* https://unix.stackexchange.com/questions/574493/sudo-pacman-syu-fails-with-error-failed-to-commit-transaction-invalid-or-cor
* https://bbs.archlinux.org/viewtopic.php?id=244976
* https://www.reddit.com/r/archlinux/comments/jt28r2/pacman_corrupt_package/
* https://www.reddit.com/r/archlinux/comments/mmlgq9/invalid_pgp_signature_on_packages_during_update/
* https://old.reddit.com/r/archlinux/comments/wc5vda/pacman_syu_after_over_a_year_in_drawer/iic62ep/
* https://old.reddit.com/r/archlinux/comments/vbtawg/all_arch_mirror_downloads_are_safe/icdkcqd/
* https://old.reddit.com/r/archlinux/comments/xpzpz3/pgp_signature_issues_on_installer/
* https://old.reddit.com/r/archlinux/comments/xqmg3i/arch_linux_live_usb_installation_troubles_invalid/
Personally I'm using the following script to update my system:
sudo reflector --latest 5 --country Germany --sort rate --save /etc/pacman.d/mirrorlist
sudo pacman -Sy --needed archlinux-keyring
sudo pacman -Su
That works reliably for me, and does what I would expect a system update to do. Would be kind of nice to have something equivalent out of the box without the need for wrapper scripts.
Reinitializing the local keyring with `pacman-key --init/--populate` after downloading the keyring packages manually and installing them from local disk also did *not* do the trick. The updates were still thought to be corrupt.
So I had to turn off package signature checks completely to update the system successfully – and enabled them again afterward.
I think this situation could be improved.
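Added example, not part of the report, its comments, or pacman itself: a wrapper-side version of the report's proposal to print a hint when packages are rejected. It reads captured `pacman` output and separates PGP signature rejections, where updating `archlinux-keyring` is the relevant step, from checksum rejections, where it is not. The function names, exit codes and sample file name are assumptions, and the `(checksum)` wording is pacman's message for that case rather than text from this page.

```sh
#!/bin/sh
# Added example: triage a failed upgrade from captured pacman output.
# Function names and exit codes are hypothetical, not part of pacman.

# Constructed sample output; the package file name is a placeholder.
SAMPLE_LOG=':: File /var/cache/pacman/pkg/example-1.0-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: failed to commit transaction (invalid or corrupted package)'

# stdin: pacman output. stdout: files rejected by the signature check, one per line.
pgp_failed_files() {
    sed -n 's/^:: File \(.*\) is corrupted (invalid or corrupted package (PGP signature))\..*$/\1/p'
}

# stdin: pacman output. Exit status: 3 = signature rejection (the stale-keyring
# case this report describes), 4 = checksum rejection, 0 = neither.
diagnose_upgrade() {
    _out=$(cat)
    _files=$(printf '%s\n' "$_out" | pgp_failed_files)
    if [ -n "$_files" ]; then
        {
            echo "Signature verification failed for:"
            printf '%s\n' "$_files" | sed 's/^/  /'
            echo "Hint: run 'pacman -Sy archlinux-keyring', then 'pacman -Syu'."
        } >&2
        return 3
    fi
    if printf '%s\n' "$_out" | grep -q 'invalid or corrupted package (checksum)'; then
        echo "Checksum mismatch: re-download the package; a keyring update will not help." >&2
        return 4
    fi
    return 0
}

# Demo on the constructed sample. Real use (assumption): feed it the saved
# output of a failed 'pacman -Syu'.
printf '%s\n' "$SAMPLE_LOG" | diagnose_upgrade || echo "diagnose_upgrade exit status: $?"
```

Because the two failure kinds get different exit codes, a wrapper can retry after a keyring update only for status 3 and leave signature checking enabled throughout.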