Artix Linux Forum

Artix Linux => Applications & Software => Topic started by: sonar on 15 May 2023, 11:07:40

Title: Firefox Upgrade Invalid Signature
Post by: sonar on 15 May 2023, 11:07:40
Just like in the title, the PGP signature of FF 113 doesn't match. Failed to commit the transaction.

It's not the first time in recent weeks that we're getting invalid signatures (and compromised packages?). Are we losing the chain of trust with Artix?

Update:
THESE ARE TWO MIRROR SERVERS THAT I HAVE ON TOP:
Server = https://eu-mirror.artixlinux.org/repos/$repo/os/$arch
Server = https://artix.unixpeople.org/repos/$repo/os/$arch


Switched to one of the defaults (slow) and the transaction went through. Since I had started to notice, more and more, that some signatures don't match on updates, it would probably be wise to investigate those two mirrors. I have a quite stable connection, so I wouldn't blame it on that. Also worth noting: this never ever happened on the Debian mirrors here (main security + mirrors).



Title: Re: Firefox Upgrade Invalid Signature (Buildroot Compromised?)
Post by: lq on 15 May 2023, 12:46:20
Quote
Failed to commit the transaction.

lol

Quote
Are we losing the chain of trust with Artix?

I do not remember allowing you or anyone else to speak on my behalf.
Title: Re: Firefox Upgrade Invalid Signature (Buildroot Compromised?)
Post by: ####### on 15 May 2023, 15:10:18
If you update infrequently you might have outdated keys; updating the packages related to keys and signature checking, especially the relevant keyring, before running the full update could help. The firefox package is in the arch repo extra, and the keys were updated recently:
archlinux-keyring 20230504-1
Title: Re: Firefox Upgrade Invalid Signature (Buildroot Compromised?)
Post by: devosalain on 15 May 2023, 16:00:24
I have a script to clean and renew the keys:
It's a very short script:

# Wipe pacman's existing GnuPG keyring so no stale or broken keys survive
rm -vfR /etc/pacman.d/gnupg
# Recreate the keyring directory and pacman's own master key
pacman-key --init
# Import and locally sign the Artix packager keys shipped in artix-keyring
pacman-key --populate artix
# Reinstall the keyring packages so the key material itself is current
pacman -S artix-keyring
pacman -S archlinux-keyring
Title: Re: Firefox Upgrade Invalid Signature (Buildroot Compromised?)
Post by: Hitman on 15 May 2023, 18:25:15
If you are talking about the firefox package in world, in the mirror you suggested, the file is empty (sometimes rsync fails like this) and not corrupted/mangled as you suggested: https://eu-mirror.artixlinux.org/repos/world/os/x86_64/firefox-113.0.1-1-x86_64.pkg.tar.zst
Since this is a repo mirror issue and nothing related to security I've edited your post.
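As an added illustration, not part of the thread and not Artix or pacman code, the following POSIX shell helper separates the failure mode Hitman describes (a zero-byte file left behind by an interrupted mirror sync) from a real detached-signature mismatch, which is the case that would actually warrant suspicion of the keyring or the package. It assumes pacman's keyring lives at the default /etc/pacman.d/gnupg (overridable via PACMAN_KEYRING), that the detached signature sits next to the package as <pkg>.sig, and that gpg is installed; those are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify a downloaded pacman package.
# Assumed default keyring path; override with PACMAN_KEYRING=/path if needed.
PACMAN_KEYRING=${PACMAN_KEYRING:-/etc/pacman.d/gnupg}

# Return codes:
#   0 = detached signature verified against the pacman keyring
#   1 = package file missing
#   2 = package file is empty (incomplete mirror sync, not tampering)
#   3 = no detached .sig file next to the package
#   4 = signature check failed (outdated keyring or corrupted/altered file)
#   5 = gpg not available, could not verify
check_pkg() {
    pkg=$1
    sig="$pkg.sig"

    [ -f "$pkg" ] || { echo "missing: $pkg"; return 1; }

    # A zero-byte package is what an interrupted rsync leaves behind; pacman
    # reports it as an invalid signature because the signed bytes are absent.
    if [ ! -s "$pkg" ]; then
        echo "empty file (incomplete mirror sync, try another mirror): $pkg"
        return 2
    fi

    [ -f "$sig" ] || { echo "no detached signature: $sig"; return 3; }

    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed"; return 5; }

    # Verify the detached signature with pacman's own keyring, not the user's.
    if gpg --homedir "$PACMAN_KEYRING" --verify "$sig" "$pkg" >/dev/null 2>&1; then
        echo "signature OK: $pkg"
        return 0
    fi
    echo "signature FAILED (refresh the keyring, then re-download): $pkg"
    return 4
}

# Usage (hypothetical path under pacman's default cache directory):
#   check_pkg /var/cache/pacman/pkg/firefox-113.0.1-1-x86_64.pkg.tar.zst
```

Run it as root (the pacman keyring directory is normally only readable by root) against the file pacman left in its cache. Return code 2 means switching or re-syncing the mirror is the fix; return code 4 is the only outcome where refreshing keys or comparing the file against a second mirror is worth the effort.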
Title: Re: Firefox Upgrade Invalid Signature
Post by: nous on 15 May 2023, 22:30:35
Fixed.
Title: Re: Firefox Upgrade Invalid Signature
Post by: sonar on 17 May 2023, 10:11:19
Hmm, rsync failed? It never failed on me (kio should use rsync). And it didn't look, when pacman was downloading, like nothing was downloading. It would then not show progress for a "zero length" file, would it? I'll switch to the fast repos again. We'll see. I don't do banking here.
Title: Re: Firefox Upgrade Invalid Signature
Post by: lq on 17 May 2023, 12:41:14

RTFM:

https://wiki.artixlinux.org/Main/Repositories
man pacman
man pacman.conf
man checkupdates
https://wiki.archlinux.org/title/Mirrors#Sorting_mirrors

It is recommended to repeat this reading process regularly, until enough grey matter is created in the cavity between the left and right ear to sustainably understand the update process.
Title: Re: Firefox Upgrade Invalid Signature
Post by: sonar on 17 May 2023, 14:12:43
Quote
I have a script to clean and renew the keys:
It's a very short script:

rm -vfR /etc/pacman.d/gnupg
pacman-key --init
pacman-key --populate artix
pacman -S artix-keyring
pacman -S archlinux-keyring


1. Shouldn't it be $ pacman -Sy gnupg artix-keyring ?
2. $ "pacman -Ss archlinux-keyring" returns nothing, no such package, because it's moved to UNIVERSE
2a) yet another AUR (aka UNIVERSE) may mess up main packages (libreoffice, liborcus, etc.)

Title: Re: Firefox Upgrade Invalid Signature
Post by: Hitman on 17 May 2023, 15:27:57
Artix Universe won't mess up anything, I could try to explain to you why and after what discussion with the arch devs that became needed for the arch support-systemd stubs-etc, but I won't bother. And libreoffice was a separate issue.

Look up the complete mess that is the Chaotic-AUR repo for instance if you want "yet another AUR". Keep mocking like that and you won't last long here.

///
To refresh the keys, most of the time you just need to run pacman-key --refresh-keys.
The guy probably meant a full reinitialization of keys, where he's also using archlinux-support (most of us do).