Parabola Keyring

This article is a candidate for merging.
It is suggested that this page or section be merged with Pacman_troubleshooting#Errors_about_Keys.


The Parabola Keyring (parabola-keyring) must be installed on every Parabola system in order to install and upgrade software packages. This keyring holds the cryptographic identification keys of the trusted developers who create the packages in the repositories. Whenever a package is installed or upgraded from a package repository (the normal mode of operation), the package manager (pacman) first verifies that the package's signature is recognized and valid; otherwise, the package will not be installed. These keys are valid for only a finite period of time, and must be updated occasionally.

Note that pacman will not attempt to verify the authenticity of any packages which are installed directly from the local file-system, or self-made with makepkg. However, those are not the normal methods of installing packages and are unsupported.

1 Errors during package verification

The most common error related to package signatures will be of the form:

error: some-package: signature from "A Packager <a-packager@example.org>" is unknown trust
:: File some-package.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: failed to commit transaction (invalid or corrupted package (PGP signature))

In most cases this can be corrected by refreshing that packager's key, or the entire keyring. Note the email address shown in your error message (<a-packager@example.org>, in the example above). If only a small number of packagers are shown in the errors, copy the email addresses and run this command:

# pacman-key --refresh-keys a-packager@example.org

Alternatively, you can refresh the entire keyring (it just takes a bit longer):

# pacman-key --refresh-keys
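
The following script is an added example, not part of the original wiki page or of Parabola's tooling. It reads saved pacman output, extracts the packager addresses from "unknown trust" errors, and prints the matching command from this section without running it. The function names, the sample log, and the threshold of 3 signers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: map pacman signature errors to the refresh command above.

# Constructed sample of pacman output (not a real log).
sample_log() {
    cat <<'EOF'
error: some-package: signature from "A Packager <a-packager@example.org>" is unknown trust
:: File some-package.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
error: other-package: signature from "B Packager <b-packager@example.org>" is unknown trust
error: third-package: signature from "A Packager <a-packager@example.org>" is unknown trust
error: failed to commit transaction (invalid or corrupted package (PGP signature))
EOF
}

# Print the unique signer addresses named in "unknown trust" errors (stdin).
# Only a conservative address character set is accepted, so text copied from
# a log can never carry shell metacharacters into the suggested command.
untrusted_signers() {
    sed -nE 's/^error: [^:]+: signature from ".*<([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+)>" is unknown trust$/\1/p' |
        sort -u
}

# Print the refresh command for the errors on stdin.
# $1: maximum number of distinct signers to refresh individually
#     (assumed default 3); above that, suggest refreshing the whole keyring.
# Returns 1 when the input contains no signature-trust errors.
suggest_refresh() {
    _max="${1:-3}"
    _signers="$(untrusted_signers)"
    [ -n "$_signers" ] || return 1
    _count="$(printf '%s\n' "$_signers" | grep -c .)"
    if [ "$_count" -gt "$_max" ]; then
        echo "pacman-key --refresh-keys"
    else
        echo "pacman-key --refresh-keys $(printf '%s\n' "$_signers" | paste -sd ' ' -)"
    fi
}

# Demo on the constructed sample; the printed command must be run as root.
sample_log | suggest_refresh
```
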

2 Resetting the Parabola Keyring

Sometimes it may be necessary to reset your package trust key-ring. This can happen for several reasons such as:

  • An unexpected system shutdown has caused data loss to the /etc/pacman.d/gnupg directory
  • Your cat did it
  • Computers, storage media, and software are imperfect
  • (Other causes)

This would manifest as errors while installing or upgrading packages, similar to the example in section 1.

Note: If you installed using one of the automated installers, you can simply run the following command (from the 'parabola-laf' package) to fully restore the keyring:
$ sudo refresh-keys

The manual process is described below.

You can restore the keyring to the current sane state by running these commands:

 sudo pacman -Scc
 sudo pacman -Syy archlinux-keyring archlinux32-keyring archlinuxarm-keyring parabola-keyring
 sudo pacman-key --init
 sudo pacman-key --populate archlinux archlinux32 archlinuxarm parabola
 sudo pacman-key --refresh-keys

Now try to install those troublesome packages again.

3 pacman-key --populate does not work

In this case /usr/share/pacman/keyrings may be damaged. To recover you will need to reinstall the keyring packages using the Parabola LiveISO.

Once the LiveISO is running on your computer, run the following commands (where /dev/sdXY is the appropriate drive partition on your system, e.g. /dev/sda1):

sudo mount /dev/sdXY /mnt
sudo pacstrap /mnt archlinux-keyring archlinux32-keyring archlinuxarm-keyring parabola-keyring
sudo killall gpg-agent
sudo umount /mnt/dev
sudo umount /mnt
reboot


If you still have trouble after this procedure, please open a bug report with the errors you see.