Pacman-Key init keeps failing

While investigating the root cause of [SOLVED] Corrupted gpg.conf & empty keyring I have found this weird behaviour:

# I have inserted here manually corrected options for gpg.conf
$ sudo cat /etc/pacman.d/gnupg/gpg.conf
keyserver-options timeout=10
keyserver-options auto-key-retrieve
keyserver pool.sks-keyservers.net

# running INIT
$ sudo pacman-key --init
gpg: /etc/pacman.d/gnupg/gpg.conf:2: invalid option
gpg: /etc/pacman.d/gnupg/gpg.conf:3: invalid option
gpg: /etc/pacman.d/gnupg/gpg.conf:2: invalid option
gpg: /etc/pacman.d/gnupg/gpg.conf:3: invalid option
==> Updating trust database...
gpg: /etc/pacman.d/gnupg/gpg.conf:2: invalid option
gpg: /etc/pacman.d/gnupg/gpg.conf:3: invalid option
==> ERROR: Trust database could not be updated.

# INIT fails because of a corrupted gpg.conf file 
$ sudo cat /etc/pacman.d/gnupg/gpg.conf
lock-never
on-warning                                          # this appears to be the no-permission-warning added during initialize() bash function
out=10
keyserver-options auto-key-retrieve
keyserver pool.sks-keyservers.net                   # on previous tests this line was transformed into _servers.net_

$ pacman-key --version
pacman-key (pacman) 5.0.2
$ pacman -Qs libreadline
local/readline 7.0.003-1
   GNU readline library

Sounds like an issue related to a .pacnew file.

This is one reason why deleting /etc/pacman.d/gnupg and running pacman-key --init can fix some issues.

Moved /etc/pacman.d/gnupg to backup /etc/pacman.d/gnupg.bak, proceeded as instructed further:

$ sudo mv /etc/pacman.d/gnupg /etc/pacman.d/gnupg.bak
$ sudo pacman-key --init
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: /etc/pacman.d/gnupg/gpg.conf:2: invalid option
gpg: /etc/pacman.d/gnupg/gpg.conf:2: invalid option
==> Updating trust database...
gpg: /etc/pacman.d/gnupg/gpg.conf:2: invalid option
==> ERROR: Trust database could not be updated.

$ sudo cat /etc/pacman.d/gnupg/gpg.conf 
keyserver-options timeout=10
ervers.net

Please help, @jonathon :slight_smile: !

It says these two options are not valid. Are you sure these options work? What does the gpg man page say about them?
The one I found online does not mention those options at all.

The second line there is malformed. Something very odd is going on if the file is not being created correctly.

1 - Do you have sufficient free space?

2 - Has your pacman install changed from the packaged version:

pacman -Qkk pacman

?

Fixed pacman-key with the /etc/pacman.d/gnupg/gpg.conf file from another computer running a Manjaro-based distro:

$ cat /etc/pacman.d/gnupg/gpg.conf
no-greeting
no-permission-warning
lock-never
keyserver hkp://pool.sks-keyservers.net

keyserver-options timeout=10

^^^ So far this gpg.conf is stable and works for me.

So, my conclusion is this: if pacman-key --init finds an invalid config (don't know yet what that means!) then it attempts to fix it and overwrites its own config with another invalid config. Example of config that gets mangled:

keyserver-options timeout=10
keyserver hkp://pool.sks-keyservers.net  # becomes ervers.net
keyserver-options auto-key-retrieve

I am not quite sure what to do with the pacman.conf and its backup file:

$ pacman -Qkk pacman
backup file: pacman: /etc/pacman.conf (Modification time mismatch)
backup file: pacman: /etc/pacman.conf (Size mismatch)
pacman: 354 total files, 0 altered files

So where should I find pacman.pacnew and pacman.pacsave? For sure they are missing from /etc!

Looks like /etc/pacman.d/gnupg is generated by pacman-key --init so the specific files won't be present in a package. Looking through the source, it looks like this bit of pacman-key takes care of setting up the defaults:

initialize() {
	local conffile keyserv
	# Check for simple existence rather than for a directory as someone
	# may want to use a symlink here
	[[ -e ${PACMAN_KEYRING_DIR} ]] || mkdir -p -m 755 "${PACMAN_KEYRING_DIR}"

	# keyring files
	[[ -f ${PACMAN_KEYRING_DIR}/pubring.gpg ]] || touch ${PACMAN_KEYRING_DIR}/pubring.gpg
	[[ -f ${PACMAN_KEYRING_DIR}/secring.gpg ]] || touch ${PACMAN_KEYRING_DIR}/secring.gpg
	[[ -f ${PACMAN_KEYRING_DIR}/trustdb.gpg ]] || "${GPG_PACMAN[@]}" --update-trustdb
	chmod 644 ${PACMAN_KEYRING_DIR}/{pubring,trustdb}.gpg
	chmod 600 ${PACMAN_KEYRING_DIR}/secring.gpg

	# gpg.conf
	conffile="${PACMAN_KEYRING_DIR}/gpg.conf"
	[[ -f $conffile ]] || touch "$conffile"
	chmod 644 "$conffile"
	add_gpg_conf_option "$conffile" 'no-greeting'
	add_gpg_conf_option "$conffile" 'no-permission-warning'
	add_gpg_conf_option "$conffile" 'lock-never'
	keyserv=${KEYSERVER:-$DEFAULT_KEYSERVER}
	add_gpg_conf_option "$conffile" 'keyserver' "$keyserv"
	add_gpg_conf_option "$conffile" 'keyserver-options' 'timeout=10'

	# set up a private signing key (if none available)
	if [[ $(secret_keys_available) -lt 1 ]]; then
		generate_master_key
		UPDATEDB=1
	fi
}

This means the default configuration should contain those five lines: no-greeting, no-permission-warning, lock-never, keyserver "$keyserv", keyserver-options timeout=10.

Given pacman-key is a BASH script, you can insert set -x after the shebang (#!/bin/bash) at the top and run a pacman-key --init to see what it's doing.
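As an added illustration (not code from the thread or from pacman itself), the script below audits a pacman gpg.conf against the five default lines initialize() writes and flags any line that is a truncated tail of one of them, which is exactly what the corrupted lines earlier in the thread look like ("on-warning", "out=10", "ervers.net"). The keyserver value is an assumption taken from the working file posted above; the two sample files are constructed here.

```shell
#!/bin/bash
# Added example (not from the thread or from pacman): audit a pacman gpg.conf
# against the five defaults initialize() writes, and flag lines that are
# truncated tails of those defaults, the pattern seen above ("on-warning",
# "out=10", "ervers.net"). Assumed keyserver value: the one the working file uses.
KEYSERV=${KEYSERVER:-hkp://pool.sks-keyservers.net}
EXPECTED=('no-greeting' 'no-permission-warning' 'lock-never'
          "keyserver $KEYSERV" 'keyserver-options timeout=10')
# check_gpg_conf FILE: prints one line per problem, exit status 0 only when clean.
check_gpg_conf() {
  local file=$1 line exp seen='' status=0
  while IFS= read -r line || [[ -n $line ]]; do
    line=${line%%#*}                        # drop trailing comment
    line=${line%"${line##*[![:blank:]]}"}   # trim trailing blanks
    line=${line#"${line%%[![:blank:]]*}"}   # trim leading blanks
    [[ -z $line ]] && continue
    seen+=$'\n'"$line"
    case $line in
      no-greeting|no-permission-warning|lock-never) ;;
      keyserver\ ?*|keyserver-options\ ?*) ;;   # values are not validated here
      *) status=1   # a tail of a default means the line lost its head
         for exp in "${EXPECTED[@]}"; do
           if [[ $exp == *"$line" ]]; then
             printf 'MANGLED: %s (truncated "%s")\n' "$line" "$exp"; continue 2
           fi
         done
         printf 'UNKNOWN: %s\n' "$line" ;;
    esac
  done < "$file"
  # Any keyserver line with a value counts, since the default is distro-specific.
  for exp in "${EXPECTED[@]}"; do
    if [[ $exp == keyserver\ * ]]; then
      [[ $seen == *$'\n'keyserver\ * ]] && continue
    else
      [[ $seen$'\n' == *$'\n'"$exp"$'\n'* ]] && continue
    fi
    printf 'MISSING: %s\n' "$exp"; status=1
  done
  return $status
}
# Constructed samples: the corrupted file from the thread and the working one.
BAD_CONF=$(mktemp); GOOD_CONF=$(mktemp); trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT
printf '%s\n' 'lock-never' 'on-warning   # was no-permission-warning' 'out=10' \
  'keyserver-options auto-key-retrieve' 'keyserver pool.sks-keyservers.net' > "$BAD_CONF"
printf '%s\n' 'no-greeting' 'no-permission-warning' 'lock-never' \
  'keyserver hkp://pool.sks-keyservers.net' '' 'keyserver-options timeout=10' > "$GOOD_CONF"
check_gpg_conf "$BAD_CONF" || echo "corrupted file: exit status $?"
check_gpg_conf "$GOOD_CONF" && echo "working file: clean"
```

Run it against /etc/pacman.d/gnupg/gpg.conf before and after pacman-key --init to see which lines the init step rewrites.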
