Most likely since upgrading gnupg from 2.2.41-2 to 2.4.3 almost every package doesn't pass integrity check with the following error:
[code]
root@linux:/ -# pacman -S z3
resolving dependencies...
looking for conflicting packages...
Packages (1) z3-4.12.4-1
Total Installed Size: 50.06 MiB
Net Upgrade Size: 0.80 MiB
:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring [######################################################] 100%
(1/1) checking package integrity [######################################################] 100%
error: z3: signature from "Arch Linux ARM Build System <builder@archlinuxarm.org>" is marginal trust
:: File /var/cache/pacman/pkg/z3-4.12.4-1-aarch64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.
[/code]
Meaning not just this one but all of them. I can manually download packages from the ALARM mirror and install them with [code]pacman -U[/code] but otherwise I just get the above error. I tried many things in regards to this as root:
[code]
rm -rf /etc/pacman.d/gnupg
pacman-key --init
pacman-key --populate
# As mentioned installing archlinux-keyring manually via pacman -U but that didn't help
# Also pacman -Scc before
[/code]
I also tried building the former gnupg version but couldn't because I have no idea what the dependencies are needed from it, the gitlab for reference:make_clickable_callback(MAGIC_URL_FULL, ' ', 'https://gitlab.archlinux.org/archlinux/packaging/packages/gnupg', '', ' class="postlink"')
Can someone help?
Package integrity check failing
5 posts
• Page 1 of 1
Package integrity check failing
by hnhman » Thu Dec 28, 2023 9:17 pm
- hnhman
- Posts: 3
- Joined: Thu Dec 28, 2023 9:10 pm
Re: Package integrity check failing
by vindicator » Fri Jan 12, 2024 3:10 am
I don't know if this is just coincidental timing, but I'm experiencing this as well, though I've also been away from arch arm for years so I don't know if it's new or not.
But along with this and seeing the issues with the site makes me nervous that this side of arch is getting cobwebs.
But along with this and seeing the issues with the site makes me nervous that this side of arch is getting cobwebs.
- vindicator
- Posts: 14
- Joined: Sat Jan 21, 2017 5:31 am
Re: Package integrity check failing
by vindicator » Sat Jan 13, 2024 6:42 pm
I don't know if you're using containers, but something nagged at me when going through the process...
I had been getting "gpg: Warning: using insecure memory!" when I was using systemd-nspawn.
I just came acrossmake_clickable_callback(MAGIC_URL_FULL, ' ', 'https://github.com/systemd/systemd/issues/9414,', '', ' class="postlink"') and when adding "--system-call-filter=@memlock", and removing the pacman.d/gnupg dir and running the "--init/populate" processes again, the warning disappeared, and I was able to pacman -S archlinux-keyring with no issues this time.
EDIT0: Hmm, not true when not working on the aarch64 root itself? That's what I did before with my last test. But my current test is to systemd-nspawn into my host (x86_64) root, then run pacman-key and pacman on "--root" while also using "--gpgdir".
The intent is to, from the host, create a fresh root solely using pacman, but for a different arch than the host.
[code]
...
loading packages...
debug: GPGME version: 1.23.2
debug: GPGME engine info: file=/usr/bin/gpg, home=/run/mount/newRoot/etc/pacman.d/gnupg/
debug: looking up key 77193F152BDBE6A6 locally
debug: key lookup success, key exists
debug: sig data: <from .sig>
debug: checking signature for /var/cache/pacman/pkg/archlinuxarm-keyring-20140119-2-any.pkg.tar.xz
debug: 1 signatures returned
debug: fingerprint: 68B3537F39A313B3E574D06777193F152BDBE6A6
debug: summary: (empty)
debug: status: Success
debug: timestamp: 1658926747
debug: exp_timestamp: 0
debug: validity: unknown; reason: Success
debug: key: 68B3537F39A313B3E574D06777193F152BDBE6A6, Arch Linux ARM Build System <builder@archlinuxarm.org>, owner_trust unknown, disabled 0
debug: signature is valid
debug: signature is unknown trust
error: '/var/cache/pacman/pkg/archlinuxarm-keyring-20140119-2-any.pkg.tar.xz': invalid or corrupted package (PGP signature)
debug: unregistering database 'local'
...
[/code]
[code]
# pacman-key --gpgdir "${NEWROOT}"/etc/pacman.d/gnupg --list-keys
pub rsa4096 2024-01-13 [SC]
<theGeneratedOne]
uid [ultimate] Pacman Keyring Master Key <pacman@localhost>
pub rsa4096 2014-01-18 [SC]
68B3537F39A313B3E574D06777193F152BDBE6A6
uid [ unknown] Arch Linux ARM Build System <builder@archlinuxarm.org>
sub rsa4096 2014-01-18 [E]
[/code]
EDIT1: Looks related tomake_clickable_callback(MAGIC_URL_LOCAL, ' ', 'https://archlinuxarm.org/forum', 'viewtopic.php?f=15&t=16701', ' class="postlink-local"') since I now have "68B3537F39A313B3E574D06777193F152BDBE6A6" marginally trusted.
I had been getting "gpg: Warning: using insecure memory!" when I was using systemd-nspawn.
I just came acrossmake_clickable_callback(MAGIC_URL_FULL, ' ', 'https://github.com/systemd/systemd/issues/9414,', '', ' class="postlink"') and when adding "--system-call-filter=@memlock", and removing the pacman.d/gnupg dir and running the "--init/populate" processes again, the warning disappeared, and I was able to pacman -S archlinux-keyring with no issues this time.
EDIT0: Hmm, not true when not working on the aarch64 root itself? That's what I did before with my last test. But my current test is to systemd-nspawn into my host (x86_64) root, then run pacman-key and pacman on "--root" while also using "--gpgdir".
The intent is to, from the host, create a fresh root solely using pacman, but for a different arch than the host.
[code]
...
loading packages...
debug: GPGME version: 1.23.2
debug: GPGME engine info: file=/usr/bin/gpg, home=/run/mount/newRoot/etc/pacman.d/gnupg/
debug: looking up key 77193F152BDBE6A6 locally
debug: key lookup success, key exists
debug: sig data: <from .sig>
debug: checking signature for /var/cache/pacman/pkg/archlinuxarm-keyring-20140119-2-any.pkg.tar.xz
debug: 1 signatures returned
debug: fingerprint: 68B3537F39A313B3E574D06777193F152BDBE6A6
debug: summary: (empty)
debug: status: Success
debug: timestamp: 1658926747
debug: exp_timestamp: 0
debug: validity: unknown; reason: Success
debug: key: 68B3537F39A313B3E574D06777193F152BDBE6A6, Arch Linux ARM Build System <builder@archlinuxarm.org>, owner_trust unknown, disabled 0
debug: signature is valid
debug: signature is unknown trust
error: '/var/cache/pacman/pkg/archlinuxarm-keyring-20140119-2-any.pkg.tar.xz': invalid or corrupted package (PGP signature)
debug: unregistering database 'local'
...
[/code]
[code]
# pacman-key --gpgdir "${NEWROOT}"/etc/pacman.d/gnupg --list-keys
pub rsa4096 2024-01-13 [SC]
<theGeneratedOne]
uid [ultimate] Pacman Keyring Master Key <pacman@localhost>
pub rsa4096 2014-01-18 [SC]
68B3537F39A313B3E574D06777193F152BDBE6A6
uid [ unknown] Arch Linux ARM Build System <builder@archlinuxarm.org>
sub rsa4096 2014-01-18 [E]
[/code]
EDIT1: Looks related tomake_clickable_callback(MAGIC_URL_LOCAL, ' ', 'https://archlinuxarm.org/forum', 'viewtopic.php?f=15&t=16701', ' class="postlink-local"') since I now have "68B3537F39A313B3E574D06777193F152BDBE6A6" marginally trusted.
- vindicator
- Posts: 14
- Joined: Sat Jan 21, 2017 5:31 am
Re: Package integrity check failing
by uhhyeahbret » Tue Jan 16, 2024 9:11 pm
Running into this as well on one of my hosts.
According tomake_clickable_callback(MAGIC_URL_FULL, ' ', 'https://wiki.archlinux.org/title/Pacman/Package_signing#Upgrade_system_regularly', '', ' class="postlink"') the archlinux-keyring-wkd-sync.service is supposed to run periodically and avoid this issue. I forced a ran recently and got this error:
[code]
Jan 16 21:07:08 tp1 archlinux-keyring-wkd-sync[11061]: sub rsa4096 2020-11-16 [S] [expires: 2025-11-15]
Jan 16 21:07:08 tp1 archlinux-keyring-wkd-sync[11061]: sub cv25519 2020-11-15 [E] [expires: 2025-11-14]
Jan 16 21:07:08 tp1 archlinux-keyring-wkd-sync[7726]: Skipping key C75558EF69F6022AEBB406B9208F4A2651787967 with UIDmake_clickable_callback(MAGIC_URL_EMAIL, ' ', 'johannes@kyriasis.com', '', '')...
Jan 16 21:07:08 tp1 archlinux-keyring-wkd-sync[7726]: Skipping key C57F35931F317BF9058F834F682758BC60D8F87A with UIDmake_clickable_callback(MAGIC_URL_EMAIL, ' ', 'chris@the-brannons.com', '', '')...
Jan 16 21:07:08 tp1 archlinux-keyring-wkd-sync[7726]: Skipping key 1793DAD5D803A8FFD7451697BB992F9864FAD168 with UIDmake_clickable_callback(MAGIC_URL_EMAIL, ' ', 'dave@sleepmap.de', '', '')...
Jan 16 21:07:08 tp1 archlinux-keyring-wkd-sync[7726]: Error refreshing key 48C3B1F30DDD0FE67E516D16396E3E25BAB142C1 with UIDmake_clickable_callback(MAGIC_URL_EMAIL, ' ', 'keenerd@archlinux.org', '', '').
Jan 16 21:07:08 tp1 systemd[1]: archlinux-keyring-wkd-sync.service: Main process exited, code=exited, status=1/FAILURE
Jan 16 21:07:08 tp1 systemd[1]: archlinux-keyring-wkd-sync.service: Failed with result 'exit-code'.
Jan 16 21:07:08 tp1 systemd[1]: archlinux-keyring-wkd-sync.service: Consumed 9.066s CPU time.
[/code]
Perhaps related?
According tomake_clickable_callback(MAGIC_URL_FULL, ' ', 'https://wiki.archlinux.org/title/Pacman/Package_signing#Upgrade_system_regularly', '', ' class="postlink"') the archlinux-keyring-wkd-sync.service is supposed to run periodically and avoid this issue. I forced a ran recently and got this error:
[code]
Jan 16 21:07:08 tp1 archlinux-keyring-wkd-sync[11061]: sub rsa4096 2020-11-16 [S] [expires: 2025-11-15]
Jan 16 21:07:08 tp1 archlinux-keyring-wkd-sync[11061]: sub cv25519 2020-11-15 [E] [expires: 2025-11-14]
Jan 16 21:07:08 tp1 archlinux-keyring-wkd-sync[7726]: Skipping key C75558EF69F6022AEBB406B9208F4A2651787967 with UIDmake_clickable_callback(MAGIC_URL_EMAIL, ' ', 'johannes@kyriasis.com', '', '')...
Jan 16 21:07:08 tp1 archlinux-keyring-wkd-sync[7726]: Skipping key C57F35931F317BF9058F834F682758BC60D8F87A with UIDmake_clickable_callback(MAGIC_URL_EMAIL, ' ', 'chris@the-brannons.com', '', '')...
Jan 16 21:07:08 tp1 archlinux-keyring-wkd-sync[7726]: Skipping key 1793DAD5D803A8FFD7451697BB992F9864FAD168 with UIDmake_clickable_callback(MAGIC_URL_EMAIL, ' ', 'dave@sleepmap.de', '', '')...
Jan 16 21:07:08 tp1 archlinux-keyring-wkd-sync[7726]: Error refreshing key 48C3B1F30DDD0FE67E516D16396E3E25BAB142C1 with UIDmake_clickable_callback(MAGIC_URL_EMAIL, ' ', 'keenerd@archlinux.org', '', '').
Jan 16 21:07:08 tp1 systemd[1]: archlinux-keyring-wkd-sync.service: Main process exited, code=exited, status=1/FAILURE
Jan 16 21:07:08 tp1 systemd[1]: archlinux-keyring-wkd-sync.service: Failed with result 'exit-code'.
Jan 16 21:07:08 tp1 systemd[1]: archlinux-keyring-wkd-sync.service: Consumed 9.066s CPU time.
[/code]
Perhaps related?
- uhhyeahbret
- Posts: 12
- Joined: Thu Sep 03, 2015 11:10 am
Re: Package integrity check failing
by uhhyeahbret » Tue Jan 16, 2024 9:58 pm
This seemed to work for me:
GNUPGHOME=/etc/pacman.d/gnupg/ gpg --refresh-keys --allow-weak-key-signatures
Not sure why only one of my hosts is having issues.
Here is the output of different key refreshes, with the --allow-weak-key-signatures flag being the only one to fix it:
make_clickable_callback(MAGIC_URL_FULL, '
', 'https://gist.github.com/bcomnes/52445633d97246fc076daecb3150bab6', '', ' class="postlink"')
GNUPGHOME=/etc/pacman.d/gnupg/ gpg --refresh-keys --allow-weak-key-signatures
Not sure why only one of my hosts is having issues.
Here is the output of different key refreshes, with the --allow-weak-key-signatures flag being the only one to fix it:
make_clickable_callback(MAGIC_URL_FULL, '
', 'https://gist.github.com/bcomnes/52445633d97246fc076daecb3150bab6', '', ' class="postlink"')
- uhhyeahbret
- Posts: 12
- Joined: Thu Sep 03, 2015 11:10 am
5 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 9 guests