EndeavourOS keyring updated, users should update soon

manuel · May 23, 2023, 6:50pm

Today package endeavouros-keyring was updated.

This means users should update this package as soon as possible in order to avoid issues when updating other packages.

Similar to what we have been doing when Arch keyring updates, you should run commands

sudo pacman -Sy endeavouros-keyring
sudo pacman -Syu

Edit 2023.05.28:
Alternatively, you can run command

eos-update

Pudge · May 23, 2023, 6:58pm

What version of endeavouros-keyring is the new one?

sudo pacman -Sy endeavouros-keyring
[sudo] password for don: 
:: Synchronizing package databases...
 endeavouros is up to date
 core is up to date
 extra                                        8.2 MiB  8.35 MiB/s 00:01 [----------------------------------------] 100%
warning: endeavouros-keyring-20230523-1 is up to date -- reinstalling

@manuel if you are going to be out of the EnOS x86_64 github repository for a while, I will go ahead and update the EnOS aarch64 repo with the new keyring.

Pudge

manuel · May 23, 2023, 6:59pm

No problem, go for it!

And it is version 20230523-1.

ricklinux · May 23, 2023, 7:00pm

I think i already have it with normal updating?

[ricklinux@eos-plasma ~]$ sudo pacman -Sy endeavouros-keyring
[sudo] password for ricklinux: 
:: Synchronizing package databases...
 endeavouros is up to date
 core is up to date
 extra is up to date
 multilib is up to date
error: failed retrieving file 'endeavouros.db' from mirrors.gigenet.com : SSL connection timeout
warning: endeavouros-keyring-20230523-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Package (1)                      Old Version  New Version  Net Change

endeavouros/endeavouros-keyring  20230523-1   20230523-1     0.00 MiB

Total Installed Size:  0.01 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n]

manuel · May 23, 2023, 7:01pm

Yeah, normal update should work for now, but later it might not work anymore. That’s why this thread.

Pudge · May 23, 2023, 7:11pm

It is a done deal. EnOS arm aarch64 github repo has the updated keyring.
It is already at the Alpix mirror ready to sync the remaining mirrors.

Pudge

Moppel · May 23, 2023, 9:01pm

Can someone point me to an article where the concept of this keyring is explained and why it is necessary to update it like this?

https://archlinux.org/master-keys/

Seems to be for ppl how know more than I do.

moson · May 23, 2023, 9:34pm

The keyring package contains all (public) GPG keys of the packagers.
Packagers sign their packages with their (private) GPG key.
pacman validates all packages prior to installation if they were signed with any of these “trusted” keys contained in the keyring. (Thus you can be sure a package was built by an “official packager” and it has not been tampered with. A mirror could otherwise serve whatever garbage it wants and you’d install it blindly)

Now if a packager changes their signing keys (or there is a new packager with a new key) and starts signing packages with it, this new key needs to be in the keyring obviously, otherwise pacman will reject installing it. Thus you sometimes need to update the keyring package (to get this new key(s) being trusted) before installing any other packages.

Now that is a very simplified explanation. For more details, see:
https://wiki.archlinux.org/title/Pacman/Package_signing

wordler · May 23, 2023, 11:00pm

Done, thank you @manuel . For anyone confused, just run the suggested two commands, there should be no issues.

swh · May 24, 2023, 10:57am

@manuel thanks for pointing out. Done without any issues

joekamprad · May 24, 2023, 6:25pm

thanks … i was just thinking… may i write some details about what the hell is a keyring ?

From this side of the counter it all looks completely natural and is nothing that surprises us… but from the other side you are handed a colorful cocktail…

hmmmm now i want to write an article about encryption and keys and rings in general…

voryzen · May 24, 2023, 10:53pm

Top notch idea.

There is always the wiki option

Discourse ‘Wiki Post’

However, this news plugin would be cool too, as a way to put information/articles front and foremost

News plugin

jdjohnston · May 25, 2023, 12:00am

@manuel , thanks for the notice. Thanks that EOS welcome pointed out there was new Software News. I find that I very good way to get my attention , especially for someone who spends much time offline

falparsi · May 25, 2023, 6:38am

thank you manuel, thist worked for me. found link to this on the arch (aur) linux package forum.

fr0d0 · May 25, 2023, 10:26am

:: File /var/cache/pacman/pkg/yay-12.0.5-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] y
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

Issue solved. Thank you

Flamewardin · May 26, 2023, 4:19pm

Ran in to a mild issue, thought I’d share just in case anyone else hit it.
Just running yay or sudo pacman -Syu, there was an update for yay and the keyring.

yay failed to update citing corruption or invalid key.
The trick was to run yay, skip the yay update, and allow the keyring update to apply first, then update yay.
I tried all the manual keyring clear and update to no avail, in the end it was, as it usually is, an order of operations issue.

Stagger_Lee · May 26, 2023, 5:18pm

That’s not related to the keyring, so you should open a new topic for your issue.

dad2d9a7 · May 26, 2023, 8:14pm

Personally, I prefer to use the eos-update script for updating. That checks for current keyrings before the system update and does a few other useful things.

This means that most keyring problems do not occur.

LANG=C pacman -Qo "$(type -p eos-update)"
/usr/bin/eos-update is owned by eos-bash-shared 23-19.1

I created an alias for it:

alias eosu='eos-update --yay'

Sharp · May 27, 2023, 1:49am

Done. No issues on my end.