Antergos Won’t Update Due to Broken signing system (refresh-keys doesn’t work)

I devised the steps below by combining several solutions from various forum posts, after trying many methods alone, none of which worked. This method avoids the workaround which permanently sets SigLevel to Never in /etc/pacman.conf and leaves signing broken.

First, to understand and prevent this problem in the future, take a look at this really interesting comment from 3 months ago by ropid on https://www.reddit.com/r/archlinux/comments/6a4qh5/arch_completely_broken_due_to_missing_libssl_and/


" gathered there was a short time window where people could get hit by this because pacman's new package and the library's new package weren't showing up at the exact same time. This weren't a lot of people. Then next, there are a lot of people that run "pacman -Sy" instead of "-S" or "-Syu". That was then the main round of people that had their system break.

People do this "-Sy" stuff because it's occasionally getting recommended by someone, so this idea never dies. It's getting recommended when people ask why they get an error when they try to install a package with "-S name". The error comes from their local database being older than what's in the repos and meanwhile the package they try to install had a newer version. The "-Sy name" fixes it because the database gets synced, and they are happy that the package gets installed."

I think I broke my signing by using pacman -Sy (as per bad advice online) when -Syu didn't work (due to a temporary problem with signing keys on upstream Arch a few months ago). I got the following error (I pasted this text from "Antergos-keyring is unknown trust [SOLVED]" on a blog, which suggested fixes that didn't solve the problem for me):

error: pamac: signature from "Antergos Build Server (Automated Package Build System) <[email protected]>" is unknown trust
:: File /var/cache/pacman/pkg/pamac-4.3.6-1-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]

Here are the usual fixes which worked for people whose systems weren't as broken as mine (as per https://forum.antergos.com/topic/7300/pacman-invalid-or-corrupted-packages/5):

sudo pacman-key --init
sudo pacman-key --populate archlinux antergos
sudo pacman-key --refresh-keys
sudo pacman -Syyu

or more drastic fixes at:
https://forum.antergos.com/topic/6984/error-with-antergos-keyring/2
which cites:
https://forum.antergos.com/topic/6962/numix-icon-theme-signature-is-unknown-trust

If your system wasn't broken, normal fixes may include updating archlinux-keyring or clearing the package cache.

I recommend only doing the steps below if the above did not work. The steps I gathered are, as a whole, the most destructive method (short of reinstalling, as some people actually suggested), but this is the only way that worked for me:

  • First, lower the SigLevels (temporarily) as root with your favorite text editor, such as nano:
    sudo nano /etc/pacman.conf
  • Change the two variables below as shown (comment out the old lines so you can restore them later):
    #SigLevel = Required DatabaseOptional
    SigLevel = Never
    #LocalFileSigLevel = Optional
    LocalFileSigLevel = Optional TrustAll
  • For each NON-essential package which still gives you a key error during `pacman -Syu`, remove it:
    sudo pacman -R BROKEN-UNNECESSARY-PACKAGE
    (replace BROKEN-UNNECESSARY-PACKAGE in the command above with a package that has a key error but is not important, such as gitkraken in my case; keep a list for yourself so you can reinstall them later, after getting everything working)
  • For any remaining package which is more important but also gives you a key error, do not remove it; ignore it instead so the update can proceed:
    sudo pacman -Syu --ignore BROKEN-NECESSARY-PACKAGE

    (replace BROKEN-NECESSARY-PACKAGE in the command above with an important package that has a key error, such as pamac in my case). This results in a successful system upgrade, provided you removed enough packages by repeating the -R step for each package that has a key error other than your ignored one.

  • Stop the gpg-agent and dirmngr processes as per https://wiki.archlinux.org/index.php/GnuPG#gpg:_WARNING:_server_.27gpg-agent.27_is_older_than_us_.28x_.3C_y.29 (otherwise, trying to do anything further will result in 'gpg: WARNING: server 'gpg-agent' is older than us'; the error says to run gpgconf with the --kill all option, but that doesn't resolve the error):
    sudo killall gpg-agent dirmngr
  • Now you can reinitialize pacman-key without warnings (this may be useless since we'll recreate it below, but we may as well, since it may help us install other things before that):
    sudo pacman-key --init
  • The refresh keys command is now broken, so:
    sudo pacman -R antergos-keyring
  • Move and remake gnupg as per https://antergos.com/wiki/uncategorized/update-error-involving-keyrings/ (otherwise, if you continue, you'll get a dirmngr error as seen at http://bbs.archlinux.org/viewtopic.php?id=190380):
    sudo mv /etc/pacman.d/gnupg /etc/pacman.d/gnupg.old
    sudo pacman-key --init
  • With your system in this state, you can't populate keys yet without the keyring, and you can't get the keyring via pacman's internal mechanisms without gnupg (this may have something to do with RemoteFileSigLevel in pacman.conf, but I'm not sure). To avoid this double bind, manually load the package from the URL:
    sudo pacman -U http://repo.antergos.info/antergos/x86_64/antergos-keyring-20170524-1-any.pkg.tar.xz

    where 20170524-1 is the latest version shown at the repo's HTML page http://repo.antergos.info/antergos/x86_64/ (change the command above to match the actual filename of the latest version)

  • Now you can continue:
    sudo pacman-key --populate archlinux antergos
    sudo pacman -Syu
    sudo pacman -Syu pamac
  • Then restore the SigLevels, such as via sudo nano /etc/pacman.conf again (this time uncomment the original values if you commented them out as I suggested, otherwise see my comments in that step above; you can keep the lines you added, but comment those out instead, in case you have a similar problem another time)
  • (I also restarted my system at this point just because I'm not sure of what running process may be affected)

In my case, this is the only method that works. Now pacman -Syyu works without errors the next time updates become available (even while pacman.conf has default SigLevels)--to be sure, I waited to post this until the next round of updates became available.
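
As an added check (not part of the original post), this POSIX shell function confirms the SigLevel lines really were restored: it lists every uncommented SigLevel, LocalFileSigLevel or RemoteFileSigLevel line that still contains Never or TrustAll. The function name audit_siglevel and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. audit_siglevel is a
# hypothetical helper name; the sample config below is constructed.

# audit_siglevel FILE
# Prints "section: directive = value" for each active (uncommented)
# SigLevel / LocalFileSigLevel / RemoteFileSigLevel line whose value
# contains Never or TrustAll (optionally Package-/Database-prefixed).
# Exit status: 0 = none found, 1 = weakened setting found, 2 = unreadable.
audit_siglevel() {
    [ -r "$1" ] || return 2
    awk '
        BEGIN { bad = 0; sec = "(none)" }
        # pacman.conf only allows comments that start the line
        /^[ \t]*#/ { next }
        # remember which [section] we are in ([options] or a repo)
        /^[ \t]*\[/ {
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        /^[ \t]*(LocalFile|RemoteFile)?SigLevel[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            n = split(val, tok, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] ~ /^(Package|Database)?(Never|TrustAll)$/) {
                    print sec ": " key " = " val
                    bad = 1
                    break
                }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: pacman.conf in the temporary state from the steps above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[options]
#SigLevel = Required DatabaseOptional
SigLevel = Never
#LocalFileSigLevel = Optional
LocalFileSigLevel = Optional TrustAll
[antergos]
SigLevel = PackageRequired
EOF
audit_siglevel "$sample" || echo "signature checking is still weakened"
rm -f "$sample"
```

Run it as audit_siglevel /etc/pacman.conf after the final step; no output and exit status 0 means no active Never or TrustAll remains. It does not follow Include directives, so check any included files separately.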
