Parabola Keyring

From ParabolaWiki


The Parabola Keyring (parabola-keyring) must be installed on every Parabola system in order to install and upgrade software packages. This key-ring holds the cryptographic identification keys of the trusted developers who create the packages in the repositories. Whenever a package is installed or upgraded from a package repository (this is the normal operation), the package manager (pacman) first verifies that the package's signature is recognized and valid. The package will not be installed otherwise. These keys are valid for only a finite period of time and must be updated occasionally.

Note that pacman will not attempt to verify the authenticity of any packages which are installed directly from the local file-system, or self-made with makepkg. However, those are not the normal methods of installing packages and are unsupported.

1 Errors during package verification

The most common error related to package signatures will be of the form:

error: some-package: signature from "A Packager <a-packager@example.org>" is unknown trust
:: File some-package.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: failed to commit transaction (invalid or corrupted package (PGP signature))

In most cases, this is corrected by upgrading the keyring packages first.

armv7h systems:

 $ sudo pacman --needed -Syy archlinux-keyring parabola-keyring archlinuxarm-keyring

i686 systems:

 $ sudo pacman --needed -Syy archlinux-keyring parabola-keyring archlinux32-keyring

x86_64 systems:

 $ sudo pacman --needed -Syy archlinux-keyring parabola-keyring

If the command above did not install any new keyrings ("there is nothing to do"), run this command:

 $ sudo gpg --homedir /etc/pacman.d/gnupg/ --check-trustdb --yes
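
To see why a signer is reported as unknown trust, the error can be matched against the keys pacman actually holds. The script below is an added example, not part of the wiki page or of pacman; its function names and sample data are constructed, and it assumes the expiry field of `gpg --list-keys --with-colons` output is in epoch seconds.

```shell
#!/bin/sh
# Added example: triage pacman "unknown trust" errors against the keyring.

# Constructed sample of pacman output, in the format shown in this section.
SAMPLE_ERR='error: some-package: signature from "A Packager <a-packager@example.org>" is unknown trust'

# Constructed sample of `gpg --list-keys --with-colons` output.
# pub record: field 2 = validity (e expired, r revoked), 5 = key ID,
# 7 = expiry (assumed epoch seconds); uid record: field 10 = user ID.
SAMPLE_KEYS='pub:e:4096:1:AAAAAAAAAAAAAAAA:1400000000:1500000000::-:::sc::::::23::0:
uid:e::::1400000000::0000::A Packager <a-packager@example.org>::::::::::0:
pub:f:4096:1:BBBBBBBBBBBBBBBB:1600000000:4102444800::-:::sc::::::23::0:
uid:f::::1600000000::0000::B Packager <b-packager@example.org>::::::::::0:'

# Read pacman output on stdin; print each signer named in an
# "unknown trust" error, one per line.
signers_from_errors() {
    sed -n 's/^error: .*: signature from "\(.*\)" is unknown trust$/\1/p'
}

# key_status USER_ID [NOW_EPOCH]  (colon listing on stdin)
# Prints "<status> <key id>"; status is missing, revoked, expired or present.
key_status() {
    WANT="$1" NOW="${2:-$(date +%s)}" awk -F: '
        BEGIN { now = ENVIRON["NOW"] + 0 }
        $1 == "pub" { validity = $2; keyid = $5; expires = $7 }
        $1 == "uid" && $10 == ENVIRON["WANT"] {
            s = "present"
            if (validity == "e" || (expires != "" && expires + 0 < now)) s = "expired"
            if (validity == "r") s = "revoked"
            print s, keyid; found = 1; exit
        }
        END { if (!found) print "missing", "-" }'
}

# triage ERROR_TEXT COLON_LISTING [NOW_EPOCH]
# Prints one "<signer>: <status> <key id>" line per error found.
triage() {
    printf '%s\n' "$1" | signers_from_errors | while IFS= read -r uid; do
        printf '%s: %s\n' "$uid" "$(printf '%s\n' "$2" | key_status "$uid" "$3")"
    done
}

triage "$SAMPLE_ERR" "$SAMPLE_KEYS"
```

On a real system, pass the captured pacman output and the output of `sudo gpg --homedir /etc/pacman.d/gnupg/ --list-keys --with-colons` to `triage` instead of the samples. A status of missing or expired points to the keyring upgrade above; present means the key is in the keyring and unexpired.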

2 Resetting the Parabola Keyring

Sometimes it may be necessary to reset your package trust key-ring. This can happen for several reasons such as:

  • An unexpected system shutdown has caused data loss to the /etc/pacman.d/gnupg directory
  • Your cat did it
  • Computers, storage media, and software are imperfect
  • (Other causes)

This would manifest as errors while installing or upgrading packages, similar to the example in section 1, but where the advice in section 1 does not resolve the problem. This is extremely rare. The most probable cause is that one of the keyring packages has become outdated and must be rebuilt by the Parabola team. If you are certain that is not the case, this crude procedure should resolve the problem.

Important: Try the advice in section 1 first!
Note: If you installed using one of the automated installers, you can simply run the following command (from the 'parabola-laf' package) to fully restore the keyring:

 $ sudo reset-keys

The manual process is described below.

You can restore the keyring to the current sane state by running these commands:

armv7h systems:

 $ sudo pacman -Scc
 $ sudo pacman --needed -Syy archlinux-keyring parabola-keyring archlinuxarm-keyring
 $ sudo mv /etc/pacman.d/gnupg /etc/pacman.d/gnupg-bak
 $ sudo pacman-key --init
 $ sudo pacman-key --populate archlinux archlinuxarm parabola

i686 systems:

 $ sudo pacman -Scc
 $ sudo pacman --needed -Syy archlinux-keyring parabola-keyring archlinux32-keyring
 $ sudo mv /etc/pacman.d/gnupg /etc/pacman.d/gnupg-bak
 $ sudo pacman-key --init
 $ sudo pacman-key --populate archlinux archlinux32 parabola

x86_64 systems:

 $ sudo pacman -Scc
 $ sudo pacman --needed -Syy archlinux-keyring parabola-keyring
 $ sudo mv /etc/pacman.d/gnupg /etc/pacman.d/gnupg-bak
 $ sudo pacman-key --init
 $ sudo pacman-key --populate archlinux parabola

Now try to install those troublesome packages again.

3 pacman-key --populate does not work

In the extremely rare case that /usr/share/pacman/keyrings is damaged beyond repair (e.g. pacman cannot install any packages), you will need to reinstall the keyring packages using the Parabola LiveISO in order to recover.

Important: Try the advice in sections 1 and 2 first!

Once the LiveISO is running on your computer, find out the logical path to your partition:

  1. Your drive may be encrypted, in which case you will have to unlock it first.
  2. You may be using a logical volume manager (LVM), in which case you must enable the drives that you need.
  3. Once the (physical, encrypted or logical) drive is ready, you can find out its path with lsblk (see below for how to launch a terminal emulator to run this command). For example, you will need /dev/sda1 if you are using the first partition of the first SATA disk drive, or /dev/sdc2 for the second partition (2) of the third disk drive (c). In the following, /dev/sdXY is used; change it accordingly.

Now, please,

  1. Hit ALT + F2 to get the applications launcher
  2. Type lxterminal then press <OK>.
  3. Update the live system databases
    pacman -Sy
  4. Mount the /dev/sdXY partition
    sudo mount /dev/sdXY /mnt
  5. Remove the keys in your system
    sudo arch-chroot /mnt rm -r /etc/pacman.d/gnupg
  6. Reinstall the keys and reset the keyring:
    1. For users with ARM CPU:
      pacman -Sy archlinux-keyring archlinuxarm-keyring parabola-keyring
      pacstrap -c /mnt gnupg archlinux-keyring archlinuxarm-keyring parabola-keyring
      arch-chroot /mnt pacman-key --init
      arch-chroot /mnt pacman-key --populate archlinux archlinuxarm parabola
    2. For users with 32-bit x86 CPU (i686):
      pacman -Sy gnupg archlinux-keyring archlinux32-keyring parabola-keyring
      pacstrap -c /mnt gnupg archlinux-keyring archlinux32-keyring parabola-keyring
      arch-chroot /mnt pacman-key --init
      arch-chroot /mnt pacman-key --populate archlinux archlinux32 parabola
    3. For users with 64-bit x86 CPU (x86-64):
      pacman -Sy gnupg archlinux-keyring parabola-keyring
      pacstrap -c /mnt gnupg archlinux-keyring parabola-keyring
      arch-chroot /mnt pacman-key --init
      arch-chroot /mnt pacman-key --populate archlinux parabola
  7. Cleanly unmount the drive
    killall gpg-agent
    umount /mnt/dev
    umount /mnt
    reboot

If you still have trouble after this procedure, please open a bug report with the errors you see.