Pacman Signature Fail

Just updated from a new install, and I get this error when installing new packages

error: libdca: signature from “Luca Giambonini XXX@XXXXX” is unknown trust
:: File /var/cache/pacman/pkg/libdca-0.0.5-3-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]

I’ve read through this

pacman.conf (2.7 KB)

do this:

# NOTE: You must run `pacman-key --init` before first using pacman; the local
# keyring can then be populated with the keys of all official Chakra GNU/Linux
# packagers with `pacman-key --populate chakra`.

source: /etc/pacman.conf

Got some odd results or at least I haven’t seen them respond before
pacman_log.txt (6.5 KB)

It is weird…
In your pacman log there is a wrong path:

[root@fred-pc fred]# pacman-key --populate Chakra
==> ERROR: The keyring file /usr/share/pacman/keyrings/Chakra.gpg does not exist.

Correct is this:

[tom@donar tmp]$ LC_ALL=C pacman -Qo /usr/share/pacman/keyrings/chakra.gpg 
/usr/share/pacman/keyrings/chakra.gpg is owned by chakra-keyring 20190324-4

Is chakra-keyring installed?

The error was I used Chakra instead of the correct chakra.
Yes I have chakra-keyring installed.
I see I have keys for everyone except for Luca Giambonini.
pacman_log_2.txt (2.8 KB)

How to import a key: https://wiki.archlinux.org/index.php/Pacman-key#Adding_developer_keys
Unfortunately, I don’t have his key.

I ran the command to check keys and found Luca’s has expired. Are others experiencing this?
pub rsa4096 2014-11-23 [SCEA] [expired: 2019-11-25]
5076CA6B47A352DECDDE23ABC4F76A333DB6614F
uid [ expired] Luca Giambonini gluca86@gmail.com

1 Like

@AlmAck you should check this

@Fred_Talmadge

I think this problem is on your system

[tom@donar ~]$ LC_ALL=C sudo pacman -S libdca
resolving dependencies...
looking for conflicting packages...

Packages (1) libdca-0.0.5-3

Total Download Size:   0.10 MiB
Total Installed Size:  0.25 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 libdca-0.0.5-3-x86_64            101.7 KiB   925 KiB/s 00:00 [#################################] 100%
(1/1) checking keys in keyring                                [#################################] 100%
(1/1) checking package integrity                              [#################################] 100%
(1/1) loading package files                                   [#################################] 100%
(1/1) checking for file conflicts                             [#################################] 100%
(1/1) checking available disk space                           [#################################] 100%
:: Processing package changes...
(1/1) installing libdca                                       [#################################] 100%
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...
[tom@donar ~]$ pacman -Q chakra-keyring 
chakra-keyring 20190324-4

In that case, you may want to make sure the keys in your pacman-key db are updated via

pacman-key --refresh-keys
2 Likes

After that, Luca’s signature was updated, but now the problem is with Samir’s signature: “marginal”

pub   rsa4096 2013-08-24 [SC] [expires: 2020-08-11]
      3BC891A496ADE81C474ED4F482600055EBC85A93
uid           [marginal] Samir Benmendil <me@rmz.io>
uid           [marginal] Samir Benmendil <samir.benmendil@gmail.com>
sub   rsa4096 2013-08-24 [E] [expires: 2020-08-11]
1 Like

In that case, you can
pacman-key --lsign-key 3BC891A496ADE81C474ED4F482600055EBC85A93

1 Like

Or run:

sudo pacman-key --refresh-keys

to update the keys

1 Like

Hello guys,
I have the same problem, too. Installing gimp I came up with the following errors:

error: libglade: signature from “Luca Giambonini XXX@XXXXX” is unknown trust
:: File /var/cache/pacman/pkg/libglade-2.6.4-4-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).

error: pygtk: signature from “Luca Giambonini XXX@XXXXX” is unknown trust
:: File /var/cache/pacman/pkg/pygtk-2.24.0-3-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).

Following the post, I ran the following commands to try to solve the problem:

$ sudo rm -r /etc/pacman.d/gnupg #remove all the keys installed in my system
re-add the default keys
$ sudo pacman-key --init # followed
$ sudo pacman-key --populate chakra
$ sudo pacman-key --refresh-keys
Finally
$ sudo pacman -Syu

The problem mentioned above remains. How can I fix and install gimp correctly?

I’m also facing that problem at least for some packages (recently for w3m e.g.) - not sure why it still happens even after I refreshed the keys.

Anyway, my workaround in these cases is that I temporarily change my pacman.conf as @totte recommended in another thread:

Then install/update the package and revert the edit.

Hope this helps for the time being.

I’ve run all 3 sudo pacman-key commands (with --init, --populate chakra, and --refresh-keys options, respectively). I’ve also reinstalled chakra-keyring (temporarily editing /etc/pacman.conf to have SigLevel = Never DatabaseNever instead of the default SigLevel = Required DatabaseNever). But I’m still getting unknown trust signature errors on some packages.

Notably, the packages which have the errors seem to be mostly dependencies for old CCR packages. I’m guessing that I have the latest keys, but the packages were built and signed with older, now-expired keys.

To test my hypothesis, I’m going to look for my problem packages in Chakra’s Git repo and see when their PKGBUILDs were last updated. The packages I’m currently having issues with are libglade-2.6.4-4 and pygtk-2.24.0-3. I’ll edit this once I find the repo and the PKGBUILDs.

Edit: I couldn’t find a link to https://code.chakralinux.org, but it was in my browser history. Here are the results:

  1. pygtk's PKGBUILD is here and the last commit was on 2014-07-27, about 5½ years ago.
  2. Despite pacman -Ss libglade showing gtk/libglade as a result, its PKGBUILD is in the core repository here. The latest commit date is 2013-02-27, almost 7 years ago.
  3. I’m checking OP’s problem package. libdca is here and was last updated on 2016-01-19, 4 years ago.

Notably libdca installs fine for me, but is newer than the packages which are giving me trouble. Maybe there’s some sort of “maximum key age” configuration issue going on?

Edit (2020-02-18): With today’s updates I’m getting this error from pacman -Syuw:

error: chromium: signature from "Chaka Build Server (Automated Chakra Build System) <staff@chakralinux.org>" is unknown trust

Running sudo pacman-key --refresh-keys shows the key as gpg: key E3DBE174DC2F4138: "Chaka Build Server (Automated Chakra Build System) <staff@chakralinux.org>". Is this the right key? Did the key change?

Running sudo pacman-key --populate chakra and then sudo pacman-key --refresh-keys seems to add and “clean” default signatures. But running pacman -Syuw in between these commands (with the default signatures re-added and not “cleaned”) still fails on chromium.

1 Like

I have the same error when updating chromium. IMHO, I think that this package error is because the gpg key belonging to "Chaka Build Server (Automated Chakra Build System) <staff@chakralinux.org>" expired on 2020-02-14 (as can be seen at https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE3DBE174DC2F4138).

If this is what happened, then the key expiration date should be renewed somehow.

2 Likes

This would be the original issue. Has this been resolved, i.e. has @AlmAck’s key been renewed? It is set to expire on 2020-12-12, according to the output I got on my system:

$ gpg --list-keys 0xC4F76A333DB6614F
pub   rsa4096/0xC4F76A333DB6614F 2014-11-23 [SCEA] [expires: 2020-12-12]
      Key fingerprint = 5076 CA6B 47A3 52DE CDDE  23AB C4F7 6A33 3DB6 614F
uid                   [ unknown] Luca Giambonini <gluca86@gmail.com>

I reported this issue here, please continue there.

3 Likes

…or the solution for lazy people: reinstall chakra-keyring; this will trigger all necessary actions
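
Several posts above read key expiry dates by hand from `gpg` listings. The script below is an added example, not part of the original thread or of Chakra's tooling: it flags expired and soon-to-expire primary keys in `gpg --list-keys --with-colons` output. It assumes the GnuPG 2.x colon format (field 7 is the expiry in epoch seconds, field 10 holds the fingerprint or user ID); the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report expired / soon-to-expire primary
# keys found in `gpg --list-keys --with-colons` output read on stdin.
# Assumes GnuPG 2.x colon format: field 7 = expiry (epoch s), field 10 = fpr/uid.
# Usage: key_expiry_report NOW_EPOCH WINDOW_DAYS
key_expiry_report() {
    awk -F: -v now="$1" -v days="$2" '
        function emit() {
            if (fpr != "" && status != "") print status, fpr, uid
            fpr = ""; uid = ""; status = ""
        }
        $1 == "pub" {
            emit(); primary = 1; expires = $7
            if (expires == "") status = ""                  # key never expires
            else if (expires + 0 <= now + 0) status = "EXPIRED"
            else if (expires + 0 <= now + days * 86400) status = "EXPIRING"
            next
        }
        $1 == "sub" { primary = 0 }       # later fpr records belong to subkeys
        $1 == "fpr" && primary && fpr == "" { fpr = $10 }
        $1 == "uid" && uid == "" { uid = $10 }
        END { emit() }
    '
}

# Constructed sample listing: fake fingerprints, names and timestamps.
sample_listing() {
    cat <<'EOF'
pub:e:4096:1:A1A1A1A1A1A1A1A1:1400000000:1590000000::-:::sc:
fpr:::::::::A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1:
uid:e::::1400000000::0000::Packager One <one@example.invalid>:
sub:e:4096:1:A9A9A9A9A9A9A9A9:1400000000:1590000000:::::e:
fpr:::::::::A9A9A9A9A9A9A9A9A9A9A9A9A9A9A9A9A9A9A9A9:
pub:f:4096:1:B2B2B2B2B2B2B2B2:1400000000:1601000000::-:::sc:
fpr:::::::::B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2:
uid:f::::1400000000::0000::Packager Two <two@example.invalid>:
pub:f:4096:1:C3C3C3C3C3C3C3C3:1400000000:1700000000::-:::sc:
fpr:::::::::C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3:
uid:f::::1400000000::0000::Packager Three <three@example.invalid>:
pub:f:4096:1:D4D4D4D4D4D4D4D4:1400000000:::-:::sc:
fpr:::::::::D4D4D4D4D4D4D4D4D4D4D4D4D4D4D4D4D4D4D4D4:
uid:f::::1400000000::0000::Packager Four <four@example.invalid>:
EOF
}

# On a real system (as root), feed it pacman's keyring instead:
#   gpg --homedir /etc/pacman.d/gnupg --list-keys --with-colons \
#     | key_expiry_report "$(date +%s)" 30
sample_listing | key_expiry_report 1600000000 30
```

A key reported as EXPIRED here produces the "unknown trust" error seen in the thread until the packager extends it and the keyring is refreshed or `chakra-keyring` is updated.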