[Solved] 17.02 VirtualBox fails initial update due to corrupted package(PGP signature)

Just installed VirtualBox 5.2 on x64 Windows and downloaded the x64 KDE edition of Manjaro. Install went fine, but there was 143 updates available.

I have seen a few suggestions on similar posts around here such as running this in CLI:

sudo pacman -Syy
sudo pacman -S manjaro-keyring archlinux-keyring pacman-mirrors
sudo pacman-mirrors -f5 && sudo pacman -Syy
sudo pacman -Syu

But the same results still occur:

(143/143) checking keys in keyring                 [###################] 100%
(143/143) checking package integrity               [###################] 100%
error: udiskie: signature from "Ambrevar <ambrevar@gmail.com>" is unknown trust
:: File /var/cache/pacman/pkg/udiskie-1.7.1-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).

I'm not sure how old the 17.02 iso is from the Manjaro downloads site, but it's probably not good experience for new users to run into this immediately on their first attempt to update the system? I am pretty sure I know how to resolve it as I've had packages in the past where I just need to add trust to key on my system. I usually expect this from AUR packages, and especially not on a fresh install with system packages...

Doing the following as described here fixed the issue:

sudo rm -r /etc/pacman.d/gnupg
sudo pacman -Sy gnupg archlinux-keyring manjaro-keyring
sudo pacman-key --init
sudo pacman-key --populate archlinux manjaro 
sudo pacman-key --refresh-keys

The refresh-keys process does take a long time, but could be good to do during installation if the iso was released a while ago or you have some way to verify the keys and do this fix if any are invalid?

1 Like

Really quite old. The images linked from https://manjaro.org/get-manjaro/ are version 17.0.5, so I don't know why anyone would use an older version now...

I'm not sure where I got the 17.02 value from the VM, maybe I had a dyslexic moment and misread 17.05? The iso filename has 17.05, keyring is from 2017-06-03, so still a bit dated and probably why I had the issue?

hi thanks for fix. i had same issue today fresh re-install.

Here's my solution... :grin::grin::grin:


SOLUTION: To work around/correct the problem: "error" "signature from" "is corrupted (invalid or corrupted package (PGP signature))."

sudo pacman-mirrors -g
sudo pacman -Syy
sudo pacman-key --init
sudo pacman-key --populate archlinux manjaro

... and...

sudo pacman-key --refresh-keys

... or...

sudo pacman-key --refresh-keys --keyserver="hkps://hkps.pool.sks-keyservers.net"

NOTE: This should access the key servers on port 443 which should go through most firewalls. In my case the "default" URL was not working and I use this URL as a workaround.

Lastly...

sudo pacman -S archlinux-keyring manjaro-keyring

... and repeat...

sudo pacman-key --init
sudo pacman-key --populate archlinux manjaro

... and...

sudo pacman-key --refresh-keys

... or...

sudo pacman-key --refresh-keys --keyserver="hkps://hkps.pool.sks-keyservers.net"

Finally...

sudo pacman-mirrors -g
sudo pacman -Syy

REFERENCE:

Good to know it wasn't just me :slight_smile: Hopefully a future release will cater to avoiding this issue or patch(as in semver) ISO's get pushed out when this happens with updated keyrings(I think that's what the problem is about?). Really not a good thing to run into after install for a distro tailored to be user friendly :stuck_out_tongue:

@kwhali

This is a momentary problem of the Manjaro. Understand that the process of releasing a, truly, free distro is complex and involves many people, especially if we are talking about a rolling release distro. I understand that issues like this are, possibly, one of the costs of the rolling releases distros. This is no different with the Manjaro. I can say that the Manjaro is a truly user-friendly system. But, the quality and the greatness of the Manjaro depends on guys like us willing to give a little of himself to it! I wish you the best! We are happy to have you! :grinning::grinning::grinning::grinning:

1 Like

I'm not entirely familiar with how this type of issue is handled with, I believe the Manjaro team sends out an update for the keyring, which I've seen a few times in the past year I've been using this distro before presented with a full update afterwards.

Is there something in place to notify devs about this type of issue popping up so that a new keyring update is pushed out? It might be possible to automate(but maybe not a good idea to send out without verification due to security concerns).

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.

Forum kindly sponsored by