[SOLVED] Corrupted gpg.conf & empty keyring

Hello,

Something appears to be wrong with GPG / pacman-key --init:

$ cat /etc/pacman.d/gnupg/gpg.conf
keyserver-options timeout=10
keyserver-options auto-key-retrieve

$ sudo pacman-key --init
gpg: /etc/pacman.d/gnupg/gpg.conf:2: invalid option
gpg: /etc/pacman.d/gnupg/gpg.conf:3: invalid option
gpg: /etc/pacman.d/gnupg/gpg.conf:2: invalid option
gpg: /etc/pacman.d/gnupg/gpg.conf:3: invalid option
==> Updating trust database...
gpg: /etc/pacman.d/gnupg/gpg.conf:2: invalid option
gpg: /etc/pacman.d/gnupg/gpg.conf:3: invalid option
==> ERROR: Trust database could not be updated.
bogdanbiv@desk14 ~ $ cat /etc/pacman.d/gnupg/gpg.conf
keyserver-options timeout=10
ervers.net
ptions auto-key-retrieve

But also as a normal user, creating a new signature results in a nasty error: The trustdb is corrupted

$ gpg --full-gen-key
gpg (GnuPG) 2.2.1; Copyright (C) 2017 Free Software Foundation, Inc.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
Requested keysize is 2048 bits
Please specify how long the key should be valid.
Key is valid for? (0) 1y
GnuPG needs to construct a user ID to identify your key.
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: lookup_hashtable failed: Unknown system error
gpg: trustdb: searching trust record failed: Unknown system error
gpg: Error: The trustdb is corrupted.
gpg: You may try to re-create the trustdb using the commands:
gpg: cd ~/.gnupg
gpg: gpg --export-ownertrust > otrust.tmp
gpg: rm trustdb.gpg
gpg: gpg --import-ownertrust < otrust.tmp
gpg: If that does not work, please consult the manual
gpg --export-ownertrust > otrust.tmp  # -> no errors here, otrust.tmp is empty,
                                      # trustdb.gpg appears to be empty as well, at 40 bytes!!!

Also it appears that after the refresh-keys / init command is executed I cannot install or update any package. The trust check is broken because installing new keys requires validating the downloaded package keys, and there is no key to validate them with.

sudo pacman-key --refresh-keys -> 89 signatures not checked due to missing keys
sudo pacman-key --populate manjaro
==> Appending keys from manjaro.gpg...
key 5BD96CC4247B52CC:
1 signature not checked due to a missing key

$ sudo pacman -Sy archlinux-keyring manjaro-keyring
:: Synchronizing package databases...
core is up to date
extra is up to date
community is up to date
multilib is up to date
warning: archlinux-keyring-20171020-1 is up to date -- reinstalling
warning: manjaro-keyring-20171027-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (2) archlinux-keyring-20171020-1 manjaro-keyring-20171027-1

Total Download Size: 0.71 MiB
Total Installed Size: 0.98 MiB
Net Upgrade Size: 0.00 MiB

:: Proceed with installation? [Y/n]
:: Retrieving packages...
archlinux-keyring-20171020-1-any 619.3 KiB 18.3M/s 00:00 100%
manjaro-keyring-20171027-1-any 103.8 KiB 33.8M/s 00:00 100%
(2/2) checking keys in keyring 100%
downloading required keys...
error: key "A6234074498E9CEE" could not be looked up remotely
error: key "CAA6A59611C7F07E" could not be looked up remotely
error: required key missing from keyring
error: failed to commit transaction (unexpected error)
Errors occurred, no packages were upgraded.
It seems that I am locked out of the update system.

You may need to use the "nuclear option":

sudo rm -fr /etc/pacman.d/gnupg
sudo pacman-key --init
sudo pacman-key --populate archlinux manjaro
sudo pacman-key --refresh-keys

Somehow update / install work now - still investigating the root cause!

UPDATE:
Here are the steps that I have performed (from bash_history, some pieces may be missing), useful for future reference:

sudo pacman -Sy archlinux-keyring manjaro-keyring # which one of these caused problems?
sudo pacman-key --refresh-keys  # which one of these caused problems?
sudo pacman-key --populate archlinux  # which one of these caused problems?

sudo pacman-key --import ./little.gpg 
sudo pacman-key -a ./little.gpg 
sudo pacman-key -a ./hesse.gpg 
sudo pacman -Sy archlinux-keyring manjaro-keyring
sudo pacman-key --edit-key
sudo pacman-key --edit-key E4CDFE50A2DA85D58C8A8C70CAA6A59611C7F07E  # edit keys fully trust both keys
sudo pacman-key --edit-key 02FD1C7A934E614545849F19A6234074498E9CEE # edit keys fully trust both keys
sudo pacman -Sy archlinux-keyring manjaro-keyring
sudo pacman-key --refresh-keys
sudo pacman-key --init    # actually this is the _ROOT_ of the issue
sudo vim /etc/pacman.d/gnupg/gpg.conf
sudo pacman-key --populate archlinux manjaro
sudo pacman-key -Syu
sudo pacman -Syu

So I have downloaded the keys manually and I have imported them manually (both operations are missing from this log). The part I was critically missing after import was that both keys had unknown trust levels; after editing them to fully trust both keys I was able to install all other keys for the Manjaro / Arch keyrings.

Also marking this as [SOLVED], since my system is working fine now and I don't know how to test this further... perhaps I should reproduce this in a VM/container?

UPDATE2:
The cause seems to be that pacman-key --init causes /etc/pacman.d/gnupg/gpg.conf to become mangled. On top of that, the key refresh fails because of the mangled gpg.conf, and that causes the chicken-and-egg cycle for the system update.
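Since the mangled gpg.conf and the header-only trustdb are what broke the update cycle here, a pre-flight check run before pacman-key is handy. The following is an added example, not code from the thread or from pacman: it flags gpg.conf lines whose first word is not a known option and detects a trustdb that holds only its 40-byte header. The option allow-list and the function names are assumptions; extend the list for your own config.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks before pacman-key,
# so a mangled gpg.conf or an empty trustdb is caught early instead of
# surfacing later as "required key missing from keyring".

# Options that legitimately appear in pacman's gpg.conf. This list is an
# assumption restricted to options known to exist in gpg; extend as needed.
PACMAN_GPG_OPTS="keyserver keyserver-options no-greeting no-permission-warning lock-never"

# Print "lineno: text" for each non-comment line whose first word is not an
# allowed option. Mangled fragments such as "ervers.net" or
# "ptions auto-key-retrieve" (as seen in the thread) are reported this way.
gpgconf_bad_lines() {
    awk -v allowed="$PACMAN_GPG_OPTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[[:space:]]*(#|$)/ { next }       # comments and blank lines are fine
        !($1 in ok) { print NR ": " $0 }    # unknown first word: report it
    ' "$1"
}

# Succeed when the trustdb is no larger than its 40-byte version record,
# i.e. it carries no ownertrust at all (the state seen after --init above).
trustdb_is_empty() {
    [ "$(wc -c < "$1" | tr -d ' ')" -le 40 ]
}

# Combined pre-flight on a pacman gnupg directory: 0 = looks sane,
# 1 = repair needed (e.g. the reset sequence from the thread).
pacman_gpg_preflight() {
    dir=${1:-/etc/pacman.d/gnupg}
    status=0
    bad=$(gpgconf_bad_lines "$dir/gpg.conf")
    if [ -n "$bad" ]; then
        printf 'invalid gpg.conf lines:\n%s\n' "$bad"
        status=1
    fi
    if [ ! -f "$dir/trustdb.gpg" ] || trustdb_is_empty "$dir/trustdb.gpg"; then
        echo "trustdb.gpg missing or empty; re-populate the keyring"
        status=1
    fi
    return $status
}
```

Run `pacman_gpg_preflight` with no argument to check the live /etc/pacman.d/gnupg; it only reads files, so it is safe to run before deciding on the reset.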
