You are not logged in.

#1 2022-01-02 23:27:02

barius
Member
From: Europe
Registered: 2018-02-11
Posts: 2

Multiple packages fail due to expired signing key

error: hwloc: signature from "Erich Eckner (just to sign arch packages) <arch-packages@eckner.net>" is unknown trust
:: File /var/cache/pacman/pkg/hwloc-2.7.0-1.0-pentium4.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
error: qt5-translations: signature from "Erich Eckner (just to sign arch packages) <arch-packages@eckner.net>" is unknown trust
:: File /var/cache/pacman/pkg/qt5-translations-5.15.2+kde+r20-2.0-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).

One of the first things I tried to resolve the issue was to reinstall archlinux-keyring and archlinux32-keyring... but no luck - archlinux-keyring is signed with the same key :-(

Here seems to be the problem:

$ gpg --homedir /etc/pacman.d/gnupg -k 'Erich Eckner'
gpg: WARNING: unsafe ownership on homedir '/etc/pacman.d/gnupg'
gpg: Note: trustdb not writable
pub   rsa4096 2018-04-09 [SC] [expired: 2021-12-31]
      5FDCA472AB93292BC678FD59255A76DB9A12601A
uid           [ expired] Erich Eckner (just to sign arch packages) <arch-packages@eckner.net>
uid           [ expired] Erich Eckner (just to sign arch packages) <arch@eckner.net>

pub   rsa2048 2017-05-27 [SC] [expired: 2021-12-31]
      194E37A47A4C671807BACB37B1117BC1094EA6E9
uid           [ expired] Erich Eckner <deep42thought@archlinux32.org>

Segui il tuo corso, e lascia dir le genti. - Dante, La Divina Commedia
(Follow your own path and let people say what they will.)

Offline

#2 2022-01-03 09:36:44

abaumann
Administrator
From: Zurich
Registered: 2019-11-14
Posts: 810
Website

Re: Multiple packages fail due to expired signing key

Sorry about that, several keys have expired.

You can try:

faketime 2021-12-31 pacman -S archlinux32-keyring

but this requires that you have libfaketime installed (hen and egg problem).

You can also set 'SigLevel = Never' in /etc/pacman.conf, update the archlinux32-keyring and then reenable
the verification.

You might also need to run as root 'pacman-key --refresh'.

Offline

#3 2022-01-03 17:05:40

nithale
Member
Registered: 2021-07-09
Posts: 1

Re: Multiple packages fail due to expired signing key

The new version of archlinux32-keyring is not in the core repo but some packages that require the new keys are. One solution is enabling testing repo in pacman.conf where the new version of archlinux32-keyring is available

Last edited by nithale (2022-01-03 17:07:27)

Offline

#4 2022-01-03 17:15:48

abaumann
Administrator
From: Zurich
Registered: 2019-11-14
Posts: 810
Website

Re: Multiple packages fail due to expired signing key

Ah, sorry, I can push archlinux32-keyring to stable..

Offline

#5 2022-01-10 01:04:21

alysher
Member
Registered: 2022-01-10
Posts: 3

Re: Multiple packages fail due to expired signing key

what would we need to do if we dont have libfaketime installed?

Offline

#6 2022-01-10 02:51:41

levi
Moderator
From: Yorkshire, UK
Registered: 2018-06-16
Posts: 1,179

Re: Multiple packages fail due to expired signing key

Abumann already saiud above:

abaumann wrote:

You can also set 'SigLevel = Never' in /etc/pacman.conf, update the archlinux32-keyring and then reenable
the verification.

You might also need to run as root 'pacman-key --refresh'.

Last edited by levi (2022-01-10 02:52:16)


Architecture: pentium4, Testing repos: Yes, Hardware: EeePC 901+2GB RAM+OS half on the SD card.

Offline

#7 2022-01-10 03:08:59

alysher
Member
Registered: 2022-01-10
Posts: 3

Re: Multiple packages fail due to expired signing key

Thanks for pointing that out, completely didn't understand it in context, out i do. <3

Offline

#8 2022-01-21 20:31:14

alf9009
Member
Registered: 2020-02-29
Posts: 20

Re: Multiple packages fail due to expired signing key

sudo pacman -Sy archlinux32-keyring

and afterwards the normal full upgrade solved it for me.

Offline

#9 2022-01-21 21:02:11

levi
Moderator
From: Yorkshire, UK
Registered: 2018-06-16
Posts: 1,179

Re: Multiple packages fail due to expired signing key

Yes, it seems the package currently in core will validate with old keys but has the new keys in it as well.  Good news, everyone!


Architecture: pentium4, Testing repos: Yes, Hardware: EeePC 901+2GB RAM+OS half on the SD card.

Offline

#10 2022-01-22 20:13:32

stripwax
Member
Registered: 2022-01-22
Posts: 7

Re: Multiple packages fail due to expired signing key

I had a number of difficulties here, and resorted to the usual troubleshooting (https://wiki.archlinux.org/title/Pacman/Package_signing etc) but hit the problem that I couldn't install any packages due to keys, and couldn't install the keys package. I didn't want to disable checking.
But this worked : 

sudo pacman-key --populate archlinux32

I don't think I've ever seen this recommended anywhere (only ever "archlinux" not "archlinux32" there, followed by the  other archlinux32-keyring steps that failed for me)

Is that expected to succeed? A valid fix or, even, a good recommendation? If not, could I have inadvertently compromised my system with something foolish?


(I also hit the weirdest problem which is that attempting to perform the --refresh-keys fixes failed due to dirmngr problems, and it seemed *for me* that dirmngr was missing a required libldap-2.4.so.2 ... I have no idea how I got into that mess, but temporarily symlinking to /lib/libldap.so got it working well enough to proceed, and at the end I deleted the symlink and reinstalled gnupg to be on the safe side)

Last edited by stripwax (2022-01-22 20:15:24)

Offline

#11 2022-01-22 20:21:23

abaumann
Administrator
From: Zurich
Registered: 2019-11-14
Posts: 810
Website

Re: Multiple packages fail due to expired signing key

IIRC upstream had a nice wiki entry on the topic "what to do when my keys run away": https://wiki.archlinux.org/title/Pacman/Package_signing

Just that here it affects the keyring-archlinux32 package.

So the following procedure should actually have worked:

sudo pacman -Sy archlinux-keyring32
sudo pacman-key --populate archlinux32

Offline

#12 2022-01-22 21:07:04

stripwax
Member
Registered: 2022-01-22
Posts: 7

Re: Multiple packages fail due to expired signing key

Yep, I was inspired by the upstream article and took a gamble on specifying archlinux32
Could/should this be documented somewhere in the archlinux32 docs (assuming it is the correct fix)?

Offline

#13 2022-01-22 21:31:44

abaumann
Administrator
From: Zurich
Registered: 2019-11-14
Posts: 810
Website

Re: Multiple packages fail due to expired signing key

There are no Archlinux32 docs, usually everything is just the same as upstream, so the Wiki applies also for Archlinux32.

Maybe in https://www.archlinux32.org/download/ a new section (similar to the keyring transitions)?

Offline

#14 2022-01-22 21:54:36

levi
Moderator
From: Yorkshire, UK
Registered: 2018-06-16
Posts: 1,179

Re: Multiple packages fail due to expired signing key

stripwax wrote:

If not, could I have inadvertently compromised my system with something foolish?

It doesn't sound to me like you've done anything that could compromise your system; you didn't even relax your pacman config so I can't see a way in that wasn't there before.  I can't guarantee at this time that everything is working however, a number of packages seem to have been built in the wrong order. which could explain your need to link against an old version of libldap.


Architecture: pentium4, Testing repos: Yes, Hardware: EeePC 901+2GB RAM+OS half on the SD card.

Offline

Board footer

Powered by FluxBB