
[SOLVED] Signature problem when installing package

I tried to do
Code:
sudo pacman -Syu
and it failed with
Code:
error: python-dotenv: signature from "Morten Linderud <[email protected]>" is marginal trust
:: File /var/cache/pacman/pkg/python-dotenv-0.18.0-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

I have tried the below, to no avail
Code:
pacman -S artix-keyring
pacman-key --populate artix
does not help you?

Does anyone know what else I can try to fix this?

Re: Signature problem when installing package

Reply #1
This package is from Archlinux repositories.
I would try to reinstall "archlinux-keyring" and try again.
Code:
pacman -S archlinux-keyring



Re: Signature problem when installing package

Reply #4
Also if that doesn't work, try a different mirror at the top of your /etc/pacman.d/mirrorlist-arch after deleting the corrupted package.
It installed fine for me.

Re: Signature problem when installing package

Reply #5
I am totally out of ideas. I have read the recommended manual and wiki and done some more searching online.

I checked that my hw clock is correct https://wiki.archlinux.org/title/Pacman#Signature_from_%22User_%[email protected]%3E%22_is_invalid,_installation_failed
Quote
Make sure to correct the system time, for example with ntpd -qg run as root, and run hwclock -w as root before subsequent installations or upgrades.

I refreshed my pacman keys (this did not work)
Code:
sudo pacman-key --refresh-keys

Then I tried (again this did not work)
Code:
sudo rm -fr /etc/pacman.d/gnupg
sudo pacman-key --init
sudo pacman-key --populate archlinux artix
sudo pacman -Syy archlinux-keyring artix-keyring
sudo pacman -Syu

I tried multiple different mirrors in my /etc/pacman.d/mirrorlist-arch

I cleared my cache with
Code:
sudo pacman -Scc

And still I get the same marginal trust signature error :(

 

Re: Signature problem when installing package

Reply #6
I found out I can bypass this by locally signing the signature with
Code:
sudo pacman-key --lsign-key 9C02FF419FECBE16

I am still curious though as to why his signature is marginal trust. I listed the keys with
Code:
--list-keys
and searched for Morten Linderud. What I found was something like this
Code:
pub   rsa4096 2014-09-05 [SC]
      C100346676634E80C940FB9E9C02FF419FECBE16
uid           [  full  ] Morten Linderud <[email protected]>
sig 3        9C02FF419FECBE16 2014-11-06  Morten Linderud <[email protected]>
sig          12C87A28FEAC6B20 2019-10-07  Maxim Baz <[email protected]>
sig          46F633CBB0EB4BF2 2019-10-06  Filipe Laíns (FFY00) <[email protected]>
sig   L      6AFE32CBA31EEE2B 2021-07-05  Pacman Keyring Master Key <pacman@localhost>
rev   L      6AFE32CBA31EEE2B 2021-07-05  Pacman Keyring Master Key <pacman@localhost>
sig          6E80CA1446879D04 2019-10-07  Jonas Witschel <[email protected]>
sig 3        786C63F330D7CB92 2019-10-06  Felix Yan <[email protected]>
sig          89AA27231C530226 2019-10-10  Konstantin Gizdov <[email protected]>
sig 3        8DBD63B82072D77A 2019-10-13  Sébastien Luttringer <[email protected]>
sig          94657AB20F2A092B 2019-10-05  Andreas Radke <[email protected]>
sig          9B729B06A680C281 2017-09-22  Bartłomiej Piotrowski (Arch Linux Master Key) <[email protected]>
sig          A5E9288C4FA415FA 2017-03-31  Jan Alexander Steffens (heftig) <[email protected]>
sig          A88E23E377514E00 2017-09-20  Florian Pritz (Arch Linux Master Key) <[email protected]>
sig          BA1DFB64FFF979E7 2017-10-03  Allan McRae (Arch Linux Master Key) <[email protected]>
sig          C91A9911192C187A 2019-11-14  Daurnimator <[email protected]>
uid           [  full  ] Morten Linderud <[email protected]>
sig 3        9C02FF419FECBE16 2014-11-06  Morten Linderud <[email protected]>
sig          12C87A28FEAC6B20 2019-10-07  Maxim Baz <[email protected]>
sig          46F633CBB0EB4BF2 2019-10-06  Filipe Laíns (FFY00) <[email protected]>
sig   L      6AFE32CBA31EEE2B 2021-07-05  Pacman Keyring Master Key <pacman@localhost>
rev   L      6AFE32CBA31EEE2B 2021-07-05  Pacman Keyring Master Key <pacman@localhost>
sig          6E80CA1446879D04 2019-10-07  Jonas Witschel <[email protected]>
sig 3        786C63F330D7CB92 2019-10-06  Felix Yan <[email protected]>
sig          89AA27231C530226 2019-10-10  Konstantin Gizdov <[email protected]>
sig 3        8DBD63B82072D77A 2019-10-13  Sébastien Luttringer <[email protected]>
sig          94657AB20F2A092B 2019-10-05  Andreas Radke <[email protected]>
sig          9B729B06A680C281 2017-09-22  Bartłomiej Piotrowski (Arch Linux Master Key) <[email protected]>
sig          A5E9288C4FA415FA 2017-03-31  Jan Alexander Steffens (heftig) <[email protected]>
sig          A88E23E377514E00 2017-09-20  Florian Pritz (Arch Linux Master Key) <[email protected]>
sig          BA1DFB64FFF979E7 2017-10-03  Allan McRae (Arch Linux Master Key) <[email protected]>
sig          C91A9911192C187A 2019-11-14  Daurnimator <[email protected]>
uid           [marginal] Morten Linderud <[email protected]>
sig 3        9C02FF419FECBE16 2017-10-02  Morten Linderud <[email protected]>
sig          12C87A28FEAC6B20 2019-10-07  Maxim Baz <[email protected]>
sig          3348882F6AC6A4C2 2018-10-03  Pierre Schmitz (Arch Linux Master Key) <[email protected]>
sig          46F633CBB0EB4BF2 2019-10-06  Filipe Laíns (FFY00) <[email protected]>
sig   L      6AFE32CBA31EEE2B 2021-07-05  Pacman Keyring Master Key <pacman@localhost>
rev   L      6AFE32CBA31EEE2B 2021-07-05  Pacman Keyring Master Key <pacman@localhost>
...

The line that intrigued me was "uid           [marginal] Morten Linderud <[email protected]>".
I then checked
Code:
less /var/cache/pacman/pkg/python-dotenv-0.18.0-1-any.pkg.tar.zst.sig
and while it wasn't human readable I was able to get an email (see attached image). This email corresponds with the line I found when listing the signatures. I believe the marginal trust is somehow related to the email.

At this point I don't have an issue anymore with updating my packages, but in the process I have become curious as to how the signing of packages works.

Can someone maybe explain how signing works? How this Morten has so many different emails I can see when listing signatures and why the package which was presumably always trusted is now only marginally trusted?
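
An added example, not part of the post above and not pacman's own code: gpg derives the per-uid validity shown in such a listing ([  full  ], [marginal]) from the signatures on each uid, so this script counts how many distinct master keys signed each one. The listing, the key IDs and the `MASTER_IDS` list are constructed, and the threshold of three assumes the master keys hold marginal owner trust under gpg's default `--marginals-needed`.

```shell
#!/bin/sh
# Constructed listing in `--list-sigs` layout; IDs, names, addresses are made up.
SAMPLE_LISTING='pub   rsa4096 2014-09-05 [SC]
      000000000000000000000000AAAAAAAAAAAAAAA0
uid           [  full  ] Example Packager <packager@example.org>
sig 3        AAAAAAAAAAAAAAA0 2014-11-06  Example Packager <packager@example.org>
sig          1111111111111111 2017-09-22  Master One (Arch Linux Master Key) <m1@example.org>
sig          2222222222222222 2017-09-20  Master Two (Arch Linux Master Key) <m2@example.org>
sig          3333333333333333 2017-10-03  Master Three (Arch Linux Master Key) <m3@example.org>
sig          BBBBBBBBBBBBBBB0 2019-10-07  Other Packager <other@example.org>
uid           [marginal] Example Packager <packager@example.net>
sig 3        AAAAAAAAAAAAAAA0 2017-10-02  Example Packager <packager@example.net>
sig          1111111111111111 2018-10-03  Master One (Arch Linux Master Key) <m1@example.org>
sig          1111111111111111 2019-01-01  Master One (Arch Linux Master Key) <m1@example.org>
sig          BBBBBBBBBBBBBBB0 2019-10-07  Other Packager <other@example.org>'
# Constructed long key IDs standing in for the keyring's master keys.
MASTER_IDS='1111111111111111 2222222222222222 3333333333333333'

# Reads a listing on stdin; $1 is the space-separated master key ID list.
# Prints "validity|distinct master signatures|uid" per uid. Signers are matched
# by key ID, not by the name text, because anyone can put any name on a key.
uid_master_sigs() {
    awk -v ids="$1" '
        function emit() { if (uid != "") print validity "|" count "|" uid }
        BEGIN { n = split(ids, a, " "); for (i = 1; i <= n; i++) master[a[i]] = 1 }
        /^uid/ {
            emit(); split("", seen); count = 0
            q = index($0, "["); p = index($0, "]")
            validity = substr($0, q + 1, p - q - 1); gsub(/ /, "", validity)
            uid = substr($0, p + 2)
            next
        }
        /^sig/ {
            for (i = 2; i <= NF; i++)          # key ID is the first 16-hex field
                if (length($i) == 16 && $i ~ /^[0-9A-F]+$/) {
                    if (($i in master) && !($i in seen)) { seen[$i] = 1; count++ }
                    break
                }
        }
        END { emit() }'
}

# Uids below full validity whose count is under the gpg default of 3 marginals.
under_signed_uids() {
    uid_master_sigs "$1" | awk -F"|" '$1 != "full" && $1 != "ultimate" && $2 < 3 { print $3 }'
}

printf '%s\n' "$SAMPLE_LISTING" | uid_master_sigs "$MASTER_IDS"
```

The count does not check whether a counted signature is expired or revoked. A uid that stays marginal with three or more master signatures present points away from the keyring contents and toward owner trust settings or the gpg build computing validity.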

Re: Signature problem when installing package

Reply #7
This is not an artix problem.
Moved.

Re: Signature problem when installing package

Reply #8
https://forum.artixlinux.org/index.php/topic,2602.0/prev_next,next.html
https://bbs.archlinux.org/viewtopic.php?id=266337
https://bugs.archlinux.org/task/70818
https://lists.archlinux.org/pipermail/arch-dev-public/2021-May/030431.html
Possibly from those links, check if you have gnupg 2.3, (I have 2.2.28-2 installed) and try:
Code:
pacman -Sy gnupg
or
pacman -S gpgme gnupg

Re: Signature problem when installing package

Reply #9
Quote
Can someone maybe explain how signing works? How this Morten has so many different emails I can see when listing signatures and why the package which was presumably always trusted is now only marginally trusted?
https://gnupg.org/documentation/index.html

Then, for example:
https://gnupg.org/gph/en/manual.html#CONCEPTS

Also: man gpg

Re: Signature problem when installing package

Reply #10
This solved the problem. Thank you very much. It downgraded my gnupg to 2.2.28-2. After the downgrade I could install python-dotenv without having to manually sign the signature.