Invalid packages in the latest update

Topic: Invalid packages in the latest update (Read 4356 times) previous topic - next topic

0 Members and 1 Guest are viewing this topic.

Invalid packages in the latest update

16 October 2017, 19:45:06

Hello,

I've just been updating my manjaro -> artix machine, and I've run into a bit of a problem: The libsodium and imagemagick packages don't want to update because their PGP signature is apparently invalid. Here's the complaint in full:

error: imagemagick: signature from "Cromnix (Buildbot) <cromnix@cromnix.org>" is invalid
:: File /var/cache/pacman/pkg/imagemagick-6.9.9.20-1-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: libsodium: signature from "Cromnix (Buildbot) <cromnix@cromnix.org>" is invalid
:: File /var/cache/pacman/pkg/libsodium-1.0.15-1-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: failed to commit transaction (invalid or corrupted package)

Thoughts? I don't really want to install them without a valid signature, as I believe that's a security risk.

(Also, the last "What's your favourite colour?" verification question whilst registering was rather confusing, and I ended up guessing!)

--Starbeamrainbowlabs

Re: Invalid packages in the latest update

Reply #1 – 16 October 2017, 20:21:29

You can find the answer in Announcements, [Re: New primary mirror] open from thefallenrat.

Re: Invalid packages in the latest update

Reply #2 – 21 October 2017, 10:06:52

This should have been fixed with the recent update. Please refresh the databse (-Syy) and re-update again.

Relevant topic :

https://artixlinux.org/forum/index.php?topic=148.0

Re: Invalid packages in the latest update

Reply #3 – 01 November 2017, 17:08:50

Code: [Select]

error: failed retrieving file 'yelp-tools-3.18.0+1+g193c2bd-2-any.pkg.tar.xz' from www.uex.dk : The requested URL returned error: 404
error: failed retrieving file 'yelp-tools-3.18.0+1+g193c2bd-2-any.pkg.tar.xz' from www.uex.dk : The requested URL returned error: 404
warning: failed to retrieve some files
error: failed to commit transaction (unexpected error)
Errors occurred, no packages were upgraded.

Is this a mirror error?
I have been away for a few days and just logged in and tried to update. Even ignoring the pkg doesn't help, No updates could be done.

Re: Invalid packages in the latest update

Reply #4 – 01 November 2017, 17:23:27

Putting yelp-tools in pacman.conf as ignored-pkgs seems to free up the upgrade.

Re: Invalid packages in the latest update

Reply #5 – 01 November 2017, 17:25:18

Code: [Select]

Synchronizing package databases...
Starting full system upgrade...

Warning: yelp-tools: ignoring package upgrade (3.18.0+1+g193c2bd-1 => 3.18.0+1+g193c2bd-2)
Resolving dependencies...
Checking inter-conflicts...
Downloading...
Downloading at-spi2-core-2.26.2-1-x86_64.pkg.tar.xz...
Checking keyring...
Checking integrity...
Error: at-spi2-core: signature from "Cromnix (Buildbot) <cromnix@cromnix.org>" is invalid

Failed to commit transaction:
invalid or corrupted package:

Re: Invalid packages in the latest update

Reply #6 – 02 November 2017, 12:52:38

Quote

Error: at-spi2-core: signature from "Cromnix (Buildbot) <cromnix@cromnix.org>" is invalid

same here doing -Syu

Re: Invalid packages in the latest update

Reply #7 – 02 November 2017, 12:55:50

I fixed that.
Refresh your local repo dbs

Code: [Select]

pacman -Syyu

Re: Invalid packages in the latest update

Reply #8 – 02 November 2017, 15:05:47

Solved!

Re: Invalid packages in the latest update

Reply #9 – 02 November 2017, 17:51:16

@artoo Any idea why that keeps happening to some packages?

Re: Invalid packages in the latest update

Reply #10 – 02 November 2017, 18:58:06

Quote from: physkets – on 02 November 2017, 17:51:16

@artoo Any idea why that keeps happening to some packages?

Yes, we know what causes it, it is related to the build pipeline and parsing the git changeset.There was also a bug on the jenkins plugin side that has been fixed by the jenkins devs.
In short, it happens, if the team push to a repo at the same time, and someone does has to do a pull again before he can push, because someone else pushed a wee bit earlier. This causes then a rebuild of already built packages, and they get signed again, and on the user end, this is what throws signature errors.

Re: Invalid packages in the latest update

Reply #11 – 08 November 2017, 00:50:03

I get this signature error this time with fzf, qutebrowser and udiskie

Code: [Select]


(134/134) checking package integrity                                                                                                    [###################################################################################] 100%
error: fzf: signature from "Ambrevar <ambrevar@gmail.com>" is unknown trust
:: File /var/cache/pacman/pkg/fzf-0.17.1-1-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: qutebrowser: signature from "Ambrevar <ambrevar@gmail.com>" is unknown trust
:: File /var/cache/pacman/pkg/qutebrowser-1.0.3-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: udiskie: signature from "Ambrevar <ambrevar@gmail.com>" is unknown trust
:: File /var/cache/pacman/pkg/udiskie-1.7.2-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.

how to solve it.

Re: Invalid packages in the latest update

Reply #12 – 08 November 2017, 04:52:45

Code: [Select]

"Ambrevar <ambrevar@gmail.com>" is unknown trust

Refresh your arch's keyring

Code: [Select]

sudo pacman -Sy archlinux-keyring
sudo pacman-key --populate archlinux
sudo pacman-key --refresh-keys

Re: Invalid packages in the latest update

Reply #13 – 12 November 2017, 09:37:06

Code: [Select]

libbytesize: signature from "Cromnix (Buildbot) <cromnix@cromnix.org>" is invalid

 unixodbc: signature from "Artix Buildbot <buildbot@artixlinux.org>" is invalid
:: File /var/cache/pacman/pkg/unixodbc-2.3.4-2-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).

 jemalloc: signature from "Artix Buildbot <buildbot@artixlinux.org>" is invalid
:: File /var/cache/pacman/pkg/jemalloc-1:5.0.1-3-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).

portaudio: signature from "Artix Buildbot <buildbot@artixlinux.org>" is invalid
:: File /var/cache/pacman/pkg/portaudio-190600_20161030-1-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).

I just repeated the above procedure that Falling Angel prescribes a few minutes ago.
Only the first error from Cromnix went away.

Re: Invalid packages in the latest update

Reply #14 – 12 November 2017, 10:47:37

Sorry can't reproduce it ( Or maybe it has been fixed by other team member) :

Code: [Select]

world/jemalloc            1:5.0.1-3          1:5.0.1-3            0.00 MiB       0.27 MiB
galaxy-testing/portaudio  190600_20161030-1  190600_20161030-1    0.00 MiB       0.09 MiB
world-testing/unixodbc    2.3.4-2            2.3.4-2              0.00 MiB       0.21 MiB

Total Download Size:   0.57 MiB
Total Installed Size:  2.82 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages...
 unixodbc-2.3.4-2-x86_64                                                      219.0 KiB   178K/s 00:01 [------------------------------------------------------------] 100%
 jemalloc-1:5.0.1-3-x86_64                                                    272.9 KiB   800K/s 00:00 [------------------------------------------------------------] 100%
 portaudio-190600_20161030-1-x86_64                                            93.6 KiB   306K/s 00:00 [------------------------------------------------------------] 100%
(3/3) checking keys in keyring                                                                         [------------------------------------------------------------] 100%
(3/3) checking package integrity                                                                       [------------------------------------------------------------] 100%
(3/3) loading package files                                                                            [------------------------------------------------------------] 100%
(3/3) checking for file conflicts                                                                      [------------------------------------------------------------] 100%
(3/3) checking available disk space                                                                    [------------------------------------------------------------] 100%
:: Processing package changes...
(1/3) reinstalling unixodbc                                                                            [------------------------------------------------------------] 100%
(2/3) reinstalling jemalloc                                                                            [------------------------------------------------------------] 100%
(3/3) reinstalling portaudio                                                                           [------------------------------------------------------------] 100%

You may try to delete the faulty packages at first try and redo the pacman command again