FS#75574 - updates after a long time fail most of the time: invalid or corrupted package

Attached to Project: Pacman
Opened by Rainer Schoenberger (rainerschoe) - Wednesday, 10 August 2022, 16:00 GMT
Last edited by Allan McRae (Allan) - Saturday, 02 September 2023, 23:01 GMT
Task Type Bug Report
Category General
Status Closed
Assigned To No-one
Architecture All
Severity High
Priority Normal
Reported Version 6.0.1
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 5
Private No

Details

= Summary and Info:
I have been using Arch for >10 years now and am quite lazy updating my system. If lucky I will do this once a month.
Most of the time, during this time, keys with which packages are signed have changed.

This leads to the following error when doing `pacman -Syu`:
:: File XXXXX is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
Which in any case (Y/n does not matter) aborts the update.

= This is a widespread problem:
This was brought up in many other bug reports already: e.g. FS#47892, FS#52864, FS#47934, etc.
Those were set to duplicate on each other or "Won't implement", so I am sorry for opening this again, no harm intended.

Also there is a lot of discussion going on in forums:
https://ostechnix.com/fix-invalid-corrupted-package-pgp-signature-error-arch-linux/
https://forum.archlinux.de/d/34365-vmaf-invalid-or-corrupted-package-pgp-signature/3
https://bbs.archlinux.org/viewtopic.php?id=233480

However, as I and many other arch users are annoyed with this, I wanted to start discussion on this again, to at least understand the reason behind it and if possible come to an official solution or documentation for this problem.

= Existing workaround
The best workaround proposed for this is to manually run `pacman -Sy archlinux-keyring` first and then run `pacman -Syu`.

= Possible permanent solutions I can think of are:
- Ensure a system upgrade always updates `archlinux-keyring` first
- Print an informational text on corrupted packages, that the user might want to update `archlinux-keyring` and try again
- Ignore corrupted packages and at least continue updating what is possible
- Update the documentation to let users know that `archlinux-keyring` needs to be updated first
https://wiki.archlinux.org/title/Pacman#Upgrading_packages
https://wiki.archlinux.org/title/System_maintenance#Upgrading_the_system
- Remove or extend misleading information in the wiki about this error, which does not solve this particular problem:
https://wiki.archlinux.org/title/Pacman#%22Failed_to_commit_transaction_(invalid_or_corrupted_package)%22_error
= Steps to Reproduce:
Wait a month or two, without updating the system, then run `pacman -Syu`
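The workaround above and the wrapper script posted later in this thread, combined into one sh script as an added example (this is not code from the bug report or from pacman itself). It assumes sudo, the `name old -> new` line format of `pacman -Qu`, and that the keyring only needs to go first when a newer archlinux-keyring is pending:

```shell
#!/bin/sh
# Added example: upgrade wrapper that installs a pending archlinux-keyring
# before the rest of the upgrade, so packages signed with keys newer than the
# local keyring are not reported as "invalid or corrupted package (PGP signature)".
set -eu

# Success if archlinux-keyring is among the pending upgrades.
# $1: text in the format printed by `pacman -Qu`, one package per line, e.g.
#   archlinux-keyring 20220713-1 -> 20220727-1
keyring_needs_update() {
    printf '%s\n' "${1:-}" | awk '$1 == "archlinux-keyring" { found = 1 } END { exit !found }'
}

# Decide the order of operations from the pending-upgrade list.
# Prints "keyring-first" or "plain" so callers can check the decision.
plan_upgrade() {
    if keyring_needs_update "${1:-}"; then
        echo "keyring-first"
    else
        echo "plain"
    fi
}

keyring_first_upgrade() {
    # Refresh the package databases once; everything below uses that copy.
    sudo pacman -Sy
    pending=$(pacman -Qu || true)   # -Qu exits non-zero when nothing is pending
    case "$(plan_upgrade "$pending")" in
        keyring-first)
            # New keyring (and the new signing keys it carries) goes in first.
            sudo pacman -S --needed --noconfirm archlinux-keyring
            ;;
    esac
    # Remaining packages now verify against the current set of keys.
    # (On current Arch the archlinux-keyring-wkd-sync service named in the
    # closing comment refreshes keys on its own, making this ordering less critical.)
    sudo pacman -Su
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    keyring_first_upgrade
fi
```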

Closed by  Allan McRae (Allan)
Saturday, 02 September 2023, 23:01 GMT
Reason for closing:  Works for me
Comment by Matthias Braun (mb720) - Thursday, 29 September 2022, 20:41 GMT
Comment by Zeno Endemann (zse) - Sunday, 13 November 2022, 12:40 GMT
+1, seems like a silly behavior to me as well.

Personally I'm using the following script to update my system:
sudo reflector --latest 5 --country Germany --sort rate --save /etc/pacman.d/mirrorlist
sudo pacman -Sy --needed archlinux-keyring
sudo pacman -Su

That works reliably for me, and does what I would expect of a system update to do. Would be kind of nice to have something equivalent out of the box without the need for wrapper scripts.
Comment by Ruben Kelevra (RubenKelevra) - Saturday, 14 January 2023, 18:30 GMT
It would be great if this could be handled more gracefully. Last time I had to resurrect a system after a year it was quite a pain to get the system update going. It wouldn't even accept installing the keyring packages. IIRC adding the keys to the local keyring failed, because the keyring package was signed with too little trust because the local keyrings were out of date.

Reinitializing the local keyring with `pacman-key --init/--populate` after downloading the keyring packages manually and installing it from local disk also did *not* do the trick. The updates were still thought to be corrupt.

So I had to turn off package sign checks completely to update the system successfully – and enabled it afterward again.

I think this situation could be improved.
Comment by Allan McRae (Allan) - Saturday, 02 September 2023, 23:01 GMT
Closing as not a pacman issue. Arch should be much improved with the archlinux-keyring-wkd-sync service, and as a distro needs to move away from the fragility associated with individual packagers signing packages.
