Invalid or corrupted package (PGP signature)

manjaro-keyring-201...    45.0 KiB   671K/s 00:00 [######################] 100%
(1/1) checking keys in keyring                     [######################] 100%
(1/1) checking package integrity                   [######################] 100%
error: manjaro-keyring: signature from "Philip Müller (Called Little) <philm@manjaro.org>" is unknown trust
:: File /var/cache/pacman/pkg/manjaro-keyring-20160416-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

I can't get my updates due to this error and I'm not sure what's causing it.

This is on a fresh install

If you have pacli installed, run pacli and choose 'fix error' option (number 13).

If not, you can do it manually also.

This wiki page details how to fix key errors:
https://wiki.manjaro.org/index.php/Pacman_troubleshooting#Errors_about_Keys

4 Likes

I tried 'Fix Errors' and it still is giving me invalid or corrupt PGP key errors..

Okay. Can you try running:

sudo rm -r /etc/pacman.d/gnupg
sudo pacman -Sy gnupg archlinux-keyring manjaro-keyring
sudo pacman-key --init
sudo pacman-key --populate archlinux manjaro 
sudo pacman-key --refresh-keys 
sudo pacman -Sc

Try updating after that. If that does not work, the package might actually be corrupt.

17 Likes
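Added example, not part of the original posts: a small triage script that separates keyring-state failures (like the "unknown trust" line in the first post) from a signature that fails over the package contents, which is the case the reply above means by "the package might actually be corrupt". The function names are hypothetical. The second and third sample lines are constructed, and their wording is assumed to follow the same `error: <pkg>: ...` format as the line quoted in the first post.

```shell
# Added example: classify pacman signature failures from captured output.
# Input: pacman output on stdin. Output: "<class> <package>" per finding.
#   trust  - key is in the keyring but carries no usable local trust
#   nokey  - signing key is absent from the keyring
#   badsig - signature does not verify over the package contents
classify_sig_errors() {
  sed -n -E \
    -e 's/^error: ([^:]+): signature from ".*" is (unknown|marginal) trust$/trust \1/p' \
    -e 's/^error: ([^:]+): key ".*" is unknown$/nokey \1/p' \
    -e 's/^error: ([^:]+): signature from ".*" is invalid$/badsig \1/p'
}

# Map a class to the action the thread recommends for it.
advise() {
  case "$1" in
    trust|nokey) echo "keyring state: re-init and populate the pacman keyring, then retry" ;;
    badsig)      echo "package contents: clear the cached file and re-download; if it repeats, treat the package as corrupt" ;;
    *)           echo "no signature finding" ;;
  esac
}

# Sample input. The first error line is the one from the first post;
# the other two are constructed to show the remaining classes.
sample_output() {
  cat <<'EOF'
(1/1) checking package integrity                   [######################] 100%
error: manjaro-keyring: signature from "Philip Müller (Called Little) <philm@manjaro.org>" is unknown trust
error: example-pkg: key "0123456789ABCDEF" is unknown
error: other-pkg: signature from "Example Packager <packager@example.org>" is invalid
EOF
}

# Print one "<package>: <class> -> <advice>" line per finding.
triage() {
  classify_sig_errors | while read -r class pkg; do
    printf '%s: %s -> %s\n' "$pkg" "$class" "$(advise "$class")"
  done
}

sample_output | triage
```

To use it on a real run, pipe saved pacman output into `triage` instead of `sample_output`.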

Make sure you have the haveged service enabled, else the --init step takes a hell of a time.
systemctl start haveged

1 Like

Thanks!
It helped :slight_smile:

Here is the list of all known developers for Manjaro:

gpg: key A42D53A2: "Kendell Clark <kendell@manjaro.org>"
gpg: key 8DF53602: "Stefano Capitani <Stefano Capitani <stefano@manjaro.org>"
gpg: key 663CA268: "Bernhard Landauer <oberon@manjaro.org>"
gpg: key B35859F8: "artoo (manjaro.org) <flower_of_life@gmx.net>"
gpg: key 5DCB998E: "artoo <flower_of_life@gmx.net>"
gpg: key AC97B894: "Ramon Buldo <ramon@manjaro.org>"
gpg: key 604F8BA2: "Alexandru Ianu <alexandru@manjaro.org>"
gpg: key 5C0102A6: "Rob McCathie <korrode@gmail.com>"
gpg: key 59152F77: "Roland Singer (Manjaro Linux) <roland@manjaro.org>"
gpg: key 11C7F07E: "Philip Mueller (Called Little) <philm@manjaro.org>"
gpg: key 247B52CC: "Guillaume Benoit (Guinux) <guillaume@manjaro.org>"

You can manually import those keys with

gpg --recv-keys 247B52CC 11C7F07E 59152F77 5C0102A6 604F8BA2 AC97B894 5DCB998E B35859F8 663CA268 8DF53602 A42D53A2
and import them with sudo pacman-key --lsign-key <keyid>. Change <keyid> for the ID you need.

2 Likes

@Chrysostomus
Besides the key problem: Pacli installed from the Community repo version 0.10-1 also installs pacli 0.8-1 from AUR?

1 community/pacli 0.10-1 [installed]
An interactive pacman interface using fzf
2 community/pacli-jwm 0.1-1
an interactive pacman interface using pmenu
3 aur/pacli 0.8-1 [installed: 0.10-1] (8) (1,09)
An interactive pacman interface using fzf
4 aur/pacliner 0.1.2-1 (0) (0,00)
Archlinux package management helper.
5 aur/pacliner-git 0.1.r1-1 (0) (0,00)
Archlinux package management helper.
==> Enter n° of packages to be installed (ex: 1 2 3 or 1-3)
==> -------------------------------------------------------

Is it the yaourt listing that is confusing me? Octopi also indicates that pacli 0.8-1 is installed from AUR

Well that's odd. It should do nothing of the sort. My guess is that Octopi is confused because the package name is the same. That AUR version is just for non-Manjaro users.

That could be it. Yaourt and Pacaur simply indicate that 0.10-1 is installed.

It will show you that pacli is installed from AUR (on your screenshot) because you have the alien selected when you do your search and pacli exists on AUR.

If you search pacli without the alien, it should tell you which repos (community or AUR).

And Octopi doesn't really know if it's AUR or not. It will say AUR for every "foreign" package that does not exist in the Manjaro repos,
e.g. a local package or a package downloaded manually.

pacli does exist in AUR but Octopi is not in the habit of marking them as installed simply because they exist.

I have never installed pacli from AUR so - alien or not - it should not be marked as an obsolete install.
But that might be the explanation.

Without the Alien/AUR I only see the installed Community version so that indication is OK.

With Octopi,
if the alien is selected, it only checks/works with AUR,
so all installed packages, if they exist on AUR, will be compared with the AUR version.

To see the state of the package, never check with the alien. It will show you the correct state, as it knows from where the package got installed: repos or foreign.

I just have a doubt about whether you installed an AUR package because it's an older or newer version than the one in the repos, and kept the same name.

I have never installed pacli before. I removed that package with Octopi and it removed the package I had installed from Community.
Reinstalling it from Community makes that outdated AUR install re-appear.

So it seems to be an Octopi issue.

I told you: if the alien is selected, it's just useful for searching/installing packages from AUR.
Without it selected, it will show you all installed packages, even the ones from AUR.

With the alien selected, every "search" version check is done against AUR. Octopi tells you that the AUR version is different from the one you installed. It doesn't care from where it was installed.

It's the same if you install a "test" package with pacman -U, even if it doesn't come from the same repos as it's a foreign package. Octopi will compare the version with the repos and tell you the difference.

You misunderstand.
The problem is that Octopi indicates that pacli version 0.8-1 is installed (I know how Octopi searches.) when AUR only is searched.

What I in fact did install was pacli 0.10-1 from Community.

On your screenshot it tells you that your installed version is newer than AUR, not that the installed version is 0.8-1.
Otherwise you would see a red icon, not this orange exclamation.
The version shown is always the repos/AUR one, and the one between the () is the installed version.

Ah yes it is newer - my bad - I confused it with the red one. Looks like Octopi is doing its job after all. Sorry!

No problem. We can be quickly confused when we use different software that does the same job but doesn't have the same philosophy/way of showing information to the user. :wink:

Thank god this was out here! I was having the exact same problem.
