Historical bug tracker for the Pacman package manager.
The pacman bug tracker has moved to gitlab:
https://gitlab.archlinux.org/pacman/pacman/-/issues
This tracker remains open for interaction with historical bugs during the transition period. Any new bug reports will be closed without further action.
FS#75574 - updates after a long time fail most of the time: invalid or corrupted package
Attached to Project:
Pacman
Opened by Rainer Schoenberger (rainerschoe) - Wednesday, 10 August 2022, 16:00 GMT
Details

= Summary and Info:

I have been using Arch for >10 years now and am quite lazy updating my system. If lucky I will do this once a month. Most of the time, during this time, keys with which packages are signed have changed. This leads to the following error when doing `pacman -Syu`:

```
:: File XXXXX is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
```

Which in any case (Y/n does not matter) aborts the update.

= This is a widespread problem:

This was brought up in many other bug reports already: e.g.

Those were set to duplicate on each other or "Won't implement", so I am sorry for opening this again, no harm intended.

Also there is a lot of discussion going on in forums:

https://ostechnix.com/fix-invalid-corrupted-package-pgp-signature-error-arch-linux/
https://forum.archlinux.de/d/34365-vmaf-invalid-or-corrupted-package-pgp-signature/3
https://bbs.archlinux.org/viewtopic.php?id=233480

However, as I and many other arch users are annoyed with this, I wanted to start discussion on this again, to at least understand the reason behind it and if possible come to an official solution or documentation for this problem.

= Existing workaround

The best workaround proposed for this is to manually run `pacman -Sy archlinux-keyring` first and then running `pacman -Syu`

= Possible permanent solutions I can think of are:

- Ensure a system upgrade always updates `archlinux-keyring` first
- Print an informational text on corrupted packages, that the user might want to update `archlinux-keyring` and try again
- Ignore corrupted packages and at least continue updating what is possible
- Update the documentation to let users know that `archlinux-keyring` needs to be updated first
  https://wiki.archlinux.org/title/Pacman#Upgrading_packages
  https://wiki.archlinux.org/title/System_maintenance#Upgrading_the_system
- Remove or extend misleading information in the wiki about this error, which does not solve this particular problem:
  https://wiki.archlinux.org/title/Pacman#%22Failed_to_commit_transaction_(invalid_or_corrupted_package)%22_error

= Steps to Reproduce:

Wait a month or two, without updating the system, then run `pacman -Syu`
If I remember correctly, when issuing `pacman -Syu` in Manjaro, it takes care of keys first by running `pacman -S archlinux-keyring`.
Adding more reports of users who encountered this issue:
* https://stackoverflow.com/questions/23662434/pacman-syu-not-working-invalid-pgp-key
* https://unix.stackexchange.com/questions/574493/sudo-pacman-syu-fails-with-error-failed-to-commit-transaction-invalid-or-cor
* https://bbs.archlinux.org/viewtopic.php?id=244976
* https://www.reddit.com/r/archlinux/comments/jt28r2/pacman_corrupt_package/
* https://www.reddit.com/r/archlinux/comments/mmlgq9/invalid_pgp_signature_on_packages_during_update/
* https://old.reddit.com/r/archlinux/comments/wc5vda/pacman_syu_after_over_a_year_in_drawer/iic62ep/
* https://old.reddit.com/r/archlinux/comments/vbtawg/all_arch_mirror_downloads_are_safe/icdkcqd/
* https://old.reddit.com/r/archlinux/comments/xpzpz3/pgp_signature_issues_on_installer/
* https://old.reddit.com/r/archlinux/comments/xqmg3i/arch_linux_live_usb_installation_troubles_invalid/
Personally I'm using the following script to update my system:
```
sudo reflector --latest 5 --country Germany --sort rate --save /etc/pacman.d/mirrorlist
sudo pacman -Sy --needed archlinux-keyring
sudo pacman -Su
```
That works reliably for me, and does what I would expect of a system update to do. Would be kind of nice to have something equivalent out of the box without the need for wrapper scripts.
Reinitializing the local keyring with `pacman-key --init/--populate` after downloading the keyring packages manually and installing it from local disk also did *not* do the trick. The updates were still thought to be corrupt.
So I had to turn off package sign checks completely to update the system successfully – and enabled it afterward again.
I think this situation could be improved.