Pacman keyring issues

Sometimes it happens that you get errors like this:

error: signature from "xyz <[email protected]>" is unknown trust :: File /var/cache/pacman/pkg/packagename.tar.xz is corrupted (invalid or corrupted package (PGP signature)). Do you want to delete it? [Y/n]

Here are the usual fixes

sudo pacman-key --init
sudo pacman-key --populate archlinux endeavouros
sudo pacman-key --refresh-keys
sudo pacman -Syyu

Currently there are issues on the usage of open gpg-key-servers and yes archlinux is using them to sync the keys of developers, you may get an error message like this:

(4/4) checking package integrity                                       [#######################################] 100%
error: packagename: signature from "X Y <[email protected]>" is unknown trust
:: File /var/cache/pacman/pkg/packagename.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y

or you get this error on using sudo pacman-key --refresh-keys

sudo pacman-key --refresh-keys
gpg: refreshing 121 keys from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: General error
==> ERROR: A specified local key could not be updated from a keyserver.

It could be this keyserver problem with the default used keyserver from gnupg, but there is a simple fix, use another protocol or change the server used by default to one working for you. Mostly hkps:// server pool is failing currently and the hkp:// protocol is working but the server pacman used by default was:

hkps://pool.sks-keyservers.net

Caused by https://bugs.archlinux.org/task/71078 sks keyserver pool issues and gone obsolete default keyserver is now set to hkps://keyserver.ubuntu.com so currently (August 2021) there is no such issue other than WKD is still new and using pacman-key will spam a lot of errors because it does not get WKD data for keys (developer simply do not provide it mostly) Some info: https://wiki.gnupg.org/WKD.

If you got any such issue or may the default used keyserver is failing for you you can overwrite the default one by adding it to pacmans gpg.conf file:

sudo nano /etc/pacman.d/gnupg/gpg.conf

add a keyserver like so: keyserver hkps://pool.keyserver.net

no-greeting
no-permission-warning
lock-never
keyserver-options timeout=10
keyserver-options import-clean
keyserver-options no-self-sigs-only
keyserver hkps://pool.keyserver.net

Only one keyserver line is allowed adding more will simply be ignored.

save the file [Ctrl+X] and try again (to update system or renew pacman keys) it is also known that using hkp:// protocol is a workaround if you are behind a proxy.

Only EndeavourOS packages failed with key error:

There are also some harder ways if nothing helps:

sudo pacman-key --add /usr/share/pacman/keyrings/endeavouros.gpg 
sudo pacman-key --lsign-key 497AF50C92AD2384C56E1ACA003DB8B0CB23504F
sudo pacman-key --populate
sudo pacman-key --refresh-keys
sudo pacman -Syy

This will recopy EndeavourOS key back into pacmans keyring.

Connect with us:

Pacman keyring issues

  • by