[why]

I've only recently installed Arch Linux Arm, and I get an error message trying to install any package using [code]pacman[/code].
The command I do: [code]pacman -S vim[/code]

And the error it throws:
[code][root@alarm alarm]# pacman -S sudo
resolving dependencies...
looking for conflicting packages...

Packages (1) sudo-1.9.15.p5-1

Total Download Size: 1.68 MiB
Total Installed Size: 8.05 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages...
sudo-1.9.15.p5-1-aarch64 1722.7 KiB 1485 KiB/s 00:01 [###############################################################] 100%(1/1) checking keys in keyring [###############################################################] 100%
(1/1) checking package integrity [###############################################################] 100%
error: sudo: signature from "Arch Linux ARM Build System <builder@archlinuxarm.org>" is marginal trust
:: File /var/cache/pacman/pkg/sudo-1.9.15.p5-1-aarch64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.[/code]

This is a new experience with arch linux for me, so I would be very grateful if a fix could be provided. Thank you.

[graysky]

Not sure, try this first:
[code]
# pacman -Syy
# pacman -S archlinuxarm-keyring
# pacman -S sudo
[/code]

[lynix]

Same issue here, in a Docker container.

Not sure either but I suspect the ALARM packaging key (created 2014-01-18) seems to have dropped to marginal trust with recent PGP versions. Maybe it uses SHA1 for signatures, at least I got this warning when doing 'pacman-key --populate':

[code]
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: (use option "--allow-weak-key-signatures" to override)
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
[/code]

[lynix]

Confirmed, the ALARM packaging key is the issue.

Unfortunately you can't even override key trust via 'pacman-key --edit-key', even after setting it to 'ultimate' trust it still gets listed as 'marginal'. My current workaround is to disable signature checking entirely via pacman.conf.

Yet another thing falling apart due to lack of care, like this broken forum This distro is basically unmaintained, I guess I'll need to start looking for alternatives. Such a shame, I hope Arch will add official support for aarch64.

[why]

Hopefully. Thanks a lot for your help.

[ffaille]

GnuPG now reject key signatures using the SHA1 algorithm (that seems to be used in keys inside archlinuxarm-keyring package).

The workaround is to reset all the keys, allow SHA1 algorithm for key signatures and reload the default keys from the archlinuxarm keyring.

Workaround commands (as root) :
rm -rf /etc/pacman.d/gnupg
pacman-key --init
echo "allow-weak-key-signatures" >> /etc/pacman.d/gnupg/gpg.conf
pacman-key --populate archlinuxarm

Sources :
https://wiki.archlinux.org/title/Pacman/Package_signing#Resetting_all_the_keys
https://man.archlinux.org/man/gpg.1.en#allow-weak-key-signatures
https://man.archlinux.org/man/pacman-key.8

And... for the forum, you can tick "Disable BBCode" and "Do not automatically parse URLs" options before submit a post... Smilies still work

[ffaille]

Just saw that @mocknen already gave advice in another topic some days ago :
https://archlinuxarm.org/forum/viewtopic.php?f=15&t=16701#p72081