Arch upgrade via pacman -Syu fails due to error: pam: signature is unknown trust
Linode
Linode Staff
Hi, I started a fresh arch linode and wanted to do an upgrade via "pacman -Syu". This fails, because a key of a developer (levente@leventepolyak.net), seems to be expired in linode's image. Can any of you please verify or advise how to resolve this?
Here's an excerpt of my command input/output for reference:
[root@localhost ~]# pacman -Syu
:: Synchronizing package databases...
core 137.9 KiB 175 KiB/s 00:01 [##########################################] 100%
extra 1565.6 KiB 2.78 MiB/s 00:01 [##########################################] 100%
community 6.0 MiB 7.28 MiB/s 00:01 [##########################################] 100%
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...
Packages (117) archlinux-keyring-20211028-1 argon2-20190702-4 audit-3.0.6-5 bash-5.1.012-1 binutils-2.36.1-3
brotli-1.0.9-7 ca-certificates-mozilla-3.73.1-1 cloud-init-21.4-2 coreutils-9.0-2 cryptsetup-2.4.2-3
curl-7.80.0-1 device-mapper-2.03.14-2 dhclient-4.4.2.P1-4 e2fsprogs-1.46.5-1 elfutils-0.186-2
expat-2.4.2-1 file-5.41-1 filesystem-2021.12.07-1 gawk-5.1.1-1 gcc-libs-11.1.0-3 gdbm-1.22-1
glib2-2.70.2-1 gnupg-2.2.32-2 gpgme-1.16.0-3 grep-3.7-1 grub-2:2.06-3 gzip-1.11-1 haveged-1.9.16-1
iana-etc-20211203-1 icu-70.1-1 inetutils-2.2-1 iotop-0.6-9 iproute2-5.15.0-2 iputils-20211215-1
json-c-0.15-2 krb5-1.19.2-2 ldns-1.8.1-1 libarchive-3.5.2-2 libcap-2.62-1 libcap-ng-0.8.2-6
libedit-20210910_3.1-1 libelf-0.186-2 libffi-3.4.2-4 libgpg-error-1.43-1 libldap-2.6.0-2
libnftnl-1.2.1-1 libnghttp2-1.46.0-1 libnsl-2.0.0-1 libp11-kit-0.24.0-2 libpipeline-1.5.4-1
libseccomp-2.5.3-3 libssh2-1.10.0-1 libtasn1-4.18.0-1 libxcrypt-4.4.27-1 libxml2-2.9.12-6
linux-5.15.12.arch1-1 linux-firmware-20211027.1d00989-1 mkinitcpio-31-2 mkinitcpio-busybox-1.34.1-1
nano-6.0-1 ncurses-6.3-1 openssh-8.8p1-1 openssl-1.1.1.m-1 p11-kit-0.24.0-2 pacman-6.0.1-2
pacman-mirrorlist-20211212-1 pam-1.5.2-1 pambase-20211210-1 pcre2-10.39-1 perl-5.34.0-3 pinentry-1.2.0-1
popt-1.18-2 python-3.10.1-2 python-appdirs-1.4.4-6 python-attrs-21.3.0-1 python-cffi-1.15.0-3
python-chardet-4.0.0-5 python-configobj-5.0.6.r110.g3e2f4cc-3 python-cryptography-36.0.1-1
python-idna-3.3-3 python-importlib-metadata-4.8.1-3 python-jinja-3.0.3-3 python-jsonpatch-1.32-3
python-jsonpointer-2.1-3 python-jsonschema-3.2.0-6 python-markupsafe-2.0.1-3
python-more-itertools-8.10.0-4 python-netifaces-0.11.0-3 python-oauthlib-3.1.1-3
python-ordered-set-4.0.2-6 python-packaging-20.9-7 python-ply-3.11-10 python-pycparser-2.21-3
python-pyparsing-2.4.7-6 python-pyrsistent-0.18.0-3 python-requests-2.26.0-5 python-setuptools-1:57.4.0-6
python-six-1.16.0-5 python-urllib3-1.26.7-5 python-yaml-5.4.1.1-4 python-zipp-3.6.0-3 run-parts-5.5-1
sqlite-3.37.1-1 sudo-1.9.8.p2-3 sysstat-12.5.5-1 systemd-250-4 systemd-libs-250-4
systemd-sysvcompat-250-4 tzdata-2021e-1 util-linux-2.37.2-4 util-linux-libs-2.37.2-4 vim-8.2.3890-1
vim-runtime-8.2.3890-1 whois-5.5.11-1 xz-5.2.5-2 zlib-1:1.2.11-5 zstd-1.5.1-2
Total Download Size: 459.63 MiB
Total Installed Size: 1500.32 MiB
Net Upgrade Size: 90.53 MiB
:: Proceed with installation? [Y/n] y
:: Retrieving packages...
archlinux-keyring-20211028-1-any 979.1 KiB 1419 KiB/s 00:01 [##########################################] 100%
iana-etc-20211203-1-any 391.1 KiB 686 KiB/s 00:01 [##########################################] 100%
filesystem-2021.12.07-1-x86_64 14.5 KiB 27.6 KiB/s 00:01 [##########################################] 100%
[…]
linux-5.15.12.arch1-1-x86_64 129.9 MiB 7.40 MiB/s 00:18 [##########################################] 100%
linux-firmware-20211027.1d00989-1-any 183.4 MiB 10.5 MiB/s 00:18 [##########################################] 100%
nano-6.0-1-x86_64 597.9 KiB 1647 KiB/s 00:00 [##########################################] 100%
openssh-8.8p1-1-x86_64 1011.4 KiB 2.43 MiB/s 00:00 [##########################################] 100%
pacman-mirrorlist-20211212-1-any 7.1 KiB 22.7 KiB/s 00:00 [##########################################] 100%
pacman-6.0.1-2-x86_64 915.2 KiB 2.08 MiB/s 00:00 [##########################################] 100%
perl-5.34.0-3-x86_64 15.4 MiB 7.73 MiB/s 00:02 [##########################################] 100%
sysstat-12.5.5-1-x86_64 418.1 KiB 1161 KiB/s 00:00 [##########################################] 100%
systemd-sysvcompat-250-4-x86_64 5.7 KiB 17.7 KiB/s 00:00 [##########################################] 100%
vim-runtime-8.2.3890-1-x86_64 6.5 MiB 5.74 MiB/s 00:01 [##########################################] 100%
vim-8.2.3890-1-x86_64 2.0 MiB 3.62 MiB/s 00:01 [##########################################] 100%
whois-5.5.11-1-x86_64 40.6 KiB 125 KiB/s 00:00 [##########################################] 100%
Total (117/117) 459.6 MiB 4.51 MiB/s 01:42 [##########################################] 100%
(117/117) checking keys in keyring [##########################################] 100%
(117/117) checking package integrity [##########################################] 100%
error: pam: signature from "Levente Polyak (anthraxx) <levente@leventepolyak.net>" is unknown trust
:: File /var/cache/pacman/pkg/pam-1.5.2-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: pinentry: signature from "Levente Polyak (anthraxx) <levente@leventepolyak.net>" is unknown trust
:: File /var/cache/pacman/pkg/pinentry-1.2.0-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: inetutils: signature from "Levente Polyak (anthraxx) <levente@leventepolyak.net>" is unknown trust
:: File /var/cache/pacman/pkg/inetutils-2.2-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: libedit: signature from "Levente Polyak (anthraxx) <levente@leventepolyak.net>" is unknown trust
:: File /var/cache/pacman/pkg/libedit-20210910_3.1-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: perl: signature from "Levente Polyak (anthraxx) <levente@leventepolyak.net>" is unknown trust
:: File /var/cache/pacman/pkg/perl-5.34.0-3-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.
The "[…]" in the input/outputs above represents the several other packages that didn't have any issues during the upgrade process
3 Replies
astable
Linode Staff
Hello there,
That's a great question. From my research this can happen sometimes on Arch distributions. You can inform Linode by creating a ticket to request support or any of the other regular means for contacting Linode support so they can correct it.
But in the meantime you can get things going by running this command:
pacman -S archlinux-keyring
Then you can re-run your upgrade command "pacman -Syu" to fix this.
I believe you can also run this one-liner command altogether as well to update the keyring and run the upgrade back-to-back:
pacman -Sy archlinux-keyring && pacman -Syyu
Good luck!
Arty
The issue here is the default enabled mirror of the ArchLinux image being out-of-sync (so does not have the latest archlinux-keyring package)
By default the mirror enabled is:
http://mirrors.kernel.org/archlinux/$repo/os/$arch
Which at the time of writing has archlinux-keyring package version:
archlinux-keyring 20210820-1
yet the newest version of that package is - 20211028-1
(https://archlinux.org/packages/core/any/archlinux-keyring/)
One of the first things i suggest doing on any fresh install of Arch is specify a new mirror than the default (one that is closer to your machine and better in sync). A list of mirrors is available here:
https://archlinux.org/mirrors/status/
To fix this issue after a fresh instance install:
- Change the pacman mirror
nano /etc/pacman.d/mirrorlist
(I chose to use OVH's mirror)
Server = http://archlinux.mirrors.ovh.net/archlinux/$repo/os/$arch
- Refresh pacman's cache of the packages available from the repo
pacman -Sy
- Install the new archlinux-keyring package
pacman -S archlinux-keyring
- Upgrade all other packages as normal
pacman -Syu
Linode's current Arch Linux image has mirror lists that are again out-of-date, and trying to do pacman -Syu on a freshly deployed server will fail. Trying to re-install the archlinux-keyring package will not help. What we need to do first is to trash the local database, forcing pacman to re-download the latest list of packages and mirrors.
So, the command sequence should be:
- As soon as your new Arch Linux server is deployed, ssh into it as root, and force a local pacman database rebuild with:
pacman -Syy
- Then, reinstall the archlinux-keyring package:
pacman -S archlinux-keyring
- Finally, do your full system upgrade:
pacman -Syu
I've reported the issue to Linode Support, and they are currently escalating it. I'm sure it will be resolved soon, but the fact that it keeps popping up again and again periodically probably indicates that a new process/system for generating these Arch Linux images - and keeping them updated - is needed…