Skip to main content
Topic solved
This topic has been marked as solved and requires no further attention.
Topic: Invalid packages in the latest update (Read 4040 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

Invalid packages in the latest update

Hello,

I've just been updating my manjaro -> artix machine, and I've run into a bit of a problem: The libsodium and imagemagick packages don't want to update because their PGP signature is apparently invalid. Here's the complaint in full:

error: imagemagick: signature from "Cromnix (Buildbot) <[email protected]>" is invalid
:: File /var/cache/pacman/pkg/imagemagick-6.9.9.20-1-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: libsodium: signature from "Cromnix (Buildbot) <[email protected]>" is invalid
:: File /var/cache/pacman/pkg/libsodium-1.0.15-1-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: failed to commit transaction (invalid or corrupted package)

Thoughts? I don't really want to install them without a valid signature, as I believe that's a security risk.

(Also, the last "What's your favourite colour?" verification question whilst registering was rather confusing, and I ended up guessing!)

--Starbeamrainbowlabs

Re: Invalid packages in the latest update

Reply #1
You can find the answer in Announcements, [Re: New primary mirror] open from thefallenrat.  :D


Re: Invalid packages in the latest update

Reply #2
This should have been fixed with the recent update. Please refresh the databse (-Syy) and re-update again.

Relevant topic : 

https://artixlinux.org/forum/index.php?topic=148.0
If I can hit that bullseye, the rest of the dominoes will fall like a house of cards. Checkmate!

Re: Invalid packages in the latest update

Reply #3
Code: [Select]
error: failed retrieving file 'yelp-tools-3.18.0+1+g193c2bd-2-any.pkg.tar.xz' from www.uex.dk : The requested URL returned error: 404
error: failed retrieving file 'yelp-tools-3.18.0+1+g193c2bd-2-any.pkg.tar.xz' from www.uex.dk : The requested URL returned error: 404
warning: failed to retrieve some files
error: failed to commit transaction (unexpected error)
Errors occurred, no packages were upgraded.


Is this a mirror error?
I have been away for a few days and just logged in and tried to update.  Even ignoring the pkg doesn't help,  No updates could be done.

Re: Invalid packages in the latest update

Reply #4
Putting yelp-tools in pacman.conf as ignored-pkgs seems to free up the upgrade.

Re: Invalid packages in the latest update

Reply #5
Code: [Select]
Synchronizing package databases...
Starting full system upgrade...

Warning: yelp-tools: ignoring package upgrade (3.18.0+1+g193c2bd-1 => 3.18.0+1+g193c2bd-2)
Resolving dependencies...
Checking inter-conflicts...
Downloading...
Downloading at-spi2-core-2.26.2-1-x86_64.pkg.tar.xz...
Checking keyring...
Checking integrity...
Error: at-spi2-core: signature from "Cromnix (Buildbot) <[email protected]>" is invalid

Failed to commit transaction:
invalid or corrupted package:

Re: Invalid packages in the latest update

Reply #6
Quote
Error: at-spi2-core: signature from "Cromnix (Buildbot) <[email protected]>" is invalid
same here doing -Syu

Re: Invalid packages in the latest update

Reply #7
I fixed that.
Refresh your local repo dbs

Code: [Select]
pacman -Syyu

Re: Invalid packages in the latest update

Reply #8
Solved!

Re: Invalid packages in the latest update

Reply #9
@artoo Any idea why that keeps happening to some packages?

Re: Invalid packages in the latest update

Reply #10
@artoo Any idea why that keeps happening to some packages?

Yes, we know what causes it, it is related to the build pipeline and parsing the git changeset.There was also a bug on the jenkins plugin side that has been fixed by the jenkins devs.
In short, it happens, if the team push to a repo at the same time, and someone does has to do a pull again before he can push, because someone else pushed a wee bit earlier. This causes then a rebuild of already built packages, and they get signed again, and on the user end, this is what throws signature errors.

Re: Invalid packages in the latest update

Reply #11
I get this signature error this time with fzf, qutebrowser and udiskie

Code: [Select]

(134/134) checking package integrity                                                                                                    [###################################################################################] 100%
error: fzf: signature from "Ambrevar <[email protected]>" is unknown trust
:: File /var/cache/pacman/pkg/fzf-0.17.1-1-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: qutebrowser: signature from "Ambrevar <[email protected]>" is unknown trust
:: File /var/cache/pacman/pkg/qutebrowser-1.0.3-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: udiskie: signature from "Ambrevar <[email protected]>" is unknown trust
:: File /var/cache/pacman/pkg/udiskie-1.7.2-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.


how to solve it.
Keep it Simple. Simple is Secure, Simple is Beautiful.

Re: Invalid packages in the latest update

Reply #12
Code: [Select]
"Ambrevar <[email protected]>" is unknown trust

Refresh your arch's keyring
Code: [Select]
sudo pacman -Sy archlinux-keyring
sudo pacman-key --populate archlinux
sudo pacman-key --refresh-keys
If I can hit that bullseye, the rest of the dominoes will fall like a house of cards. Checkmate!

Re: Invalid packages in the latest update

Reply #13
Code: [Select]
libbytesize: signature from "Cromnix (Buildbot) <[email protected]>" is invalid

 unixodbc: signature from "Artix Buildbot <[email protected]>" is invalid
:: File /var/cache/pacman/pkg/unixodbc-2.3.4-2-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).

 jemalloc: signature from "Artix Buildbot <[email protected]>" is invalid
:: File /var/cache/pacman/pkg/jemalloc-1:5.0.1-3-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).

portaudio: signature from "Artix Buildbot <[email protected]>" is invalid
:: File /var/cache/pacman/pkg/portaudio-190600_20161030-1-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).


I just repeated the above procedure that Falling Angel prescribes a few minutes ago.
Only the first error from Cromnix went away.

Re: Invalid packages in the latest update

Reply #14
Sorry can't reproduce it ( Or maybe it has been fixed by other team member) :

Code: [Select]
world/jemalloc            1:5.0.1-3          1:5.0.1-3            0.00 MiB       0.27 MiB
galaxy-testing/portaudio  190600_20161030-1  190600_20161030-1    0.00 MiB       0.09 MiB
world-testing/unixodbc    2.3.4-2            2.3.4-2              0.00 MiB       0.21 MiB

Total Download Size:   0.57 MiB
Total Installed Size:  2.82 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages...
 unixodbc-2.3.4-2-x86_64                                                      219.0 KiB   178K/s 00:01 [------------------------------------------------------------] 100%
 jemalloc-1:5.0.1-3-x86_64                                                    272.9 KiB   800K/s 00:00 [------------------------------------------------------------] 100%
 portaudio-190600_20161030-1-x86_64                                            93.6 KiB   306K/s 00:00 [------------------------------------------------------------] 100%
(3/3) checking keys in keyring                                                                         [------------------------------------------------------------] 100%
(3/3) checking package integrity                                                                       [------------------------------------------------------------] 100%
(3/3) loading package files                                                                            [------------------------------------------------------------] 100%
(3/3) checking for file conflicts                                                                      [------------------------------------------------------------] 100%
(3/3) checking available disk space                                                                    [------------------------------------------------------------] 100%
:: Processing package changes...
(1/3) reinstalling unixodbc                                                                            [------------------------------------------------------------] 100%
(2/3) reinstalling jemalloc                                                                            [------------------------------------------------------------] 100%
(3/3) reinstalling portaudio                                                                           [------------------------------------------------------------] 100%

You may try to delete the faulty packages at first try and redo the pacman command again
If I can hit that bullseye, the rest of the dominoes will fall like a house of cards. Checkmate!