I'm getting an 'invalid or corrupted package (PGP signature)' error which is preventing updates

My updates are getting stuck on polkit-0.119-1-x86_64. The error message is

error: polkit: signature from "Jonas Witschel <diabonas@gmx.de>" is unknown trust
File /var/cache/pacman/pkg/polkit-0.119-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]

I chose the default Y, then get

error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.

I can’t find any reports of this error. I did find a suggestion in a related error to replace the keyrings, but I’d want to know what’s gone wrong first, if possible.

pacman -Q archlinux-keyring gives archlinux-keyring 20210110-1, in case that helps.

Thanks

Welcome! :partying_face:

You’ll find an answer on how to fix it here:


@jonathon could probably give you more information on why, but basically it’s a package signature mismatch (for whatever reason, be it a mistake by the developer or just the key’s expiration date having passed); sometimes it’s a keyserver problem…

Those problems are usually very rare, I had it maybe 1 time in 2 years :slight_smile:

3 Likes

Worked a charm, thank you. I’d be interested if anyone does know why this happens. I’m pleased it’s such a simple fix, but was quite surprised when I put the error message into the internet and got no hits at all - I thought “why only me?”

Happened once to me.

It happens when the key he/she signed with expired in the time between the day of the package release and the day you ran the update.

Would make sense if Pacman just said it as such. Just say “Key expired etc”.

Sometimes, even if you have the latest key, it can go missing anyway, and then you just need to use sudo pacman-key --refresh to re-add what was already there.

The file is signed by a key that’s not in your current pacman keyring, so pacman doesn’t know about it. If you update archlinux-keyring then you get the new/updated/missing key and so pacman knows about it.

This normally only ever happens if you haven’t updated your system for a long time - keyrings are normally pushed out weeks before any new keys are used to sign packages.

General advice in that situation is to update archlinux-keyring before other packages (some derivatives patch pacman to include this as a SyncFirst option).

2 Likes
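Added example, not part of any post in this thread: a small diagnostic that tells apart the states discussed above (key missing from the keyring, key present but not trusted, key expired) by reading gpg's colon-format key listing. The function names, the sample keys and the mapping from state to remedy are assumptions made for illustration; the listing command in the comment assumes pacman's default keyring directory.

```bash
#!/usr/bin/env bash
# Report how the pacman keyring sees one packager key.
# On a real system the listing would come from (assumed invocation):
#   sudo gpg --homedir /etc/pacman.d/gnupg --with-colons --list-keys

# Constructed sample in gpg's colon format (not real keys).
sample_listing() {
cat <<'EOF'
pub:f:4096:1:AAAAAAAAAAAAAAAA:1500000000:::-:::scESC:
uid:f::::1500000000::1111::Alice Packager <alice@example.org>:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1500000000:::-:::scESC:
uid:-::::1500000000::2222::Bob Packager <bob@example.org>:
pub:e:4096:1:CCCCCCCCCCCCCCCC:1400000000:1600000000::-:::sc:
uid:e::::1400000000::3333::Carol Packager <carol@example.org>:
EOF
}

# key_status EMAIL   (listing on stdin)
# Prints one of: missing expired revoked marginal trusted untrusted
key_status() {
    awk -F: -v who="$1" '
        $1 == "pub" { validity = $2 }             # field 2: computed validity of the key
        $1 == "uid" && index($10, "<" who ">") {  # field 10: user ID string
            found = 1; v = validity; exit         # exit still runs the END block
        }
        END {
            if (!found)                    print "missing"
            else if (v == "e")             print "expired"
            else if (v == "r")             print "revoked"
            else if (v == "m")             print "marginal"
            else if (v == "f" || v == "u") print "trusted"
            else                           print "untrusted"
        }'
}

# next_step STATUS: the remedy mentioned in the thread for that state
# (grouping "untrusted" with "missing" is an assumption of this example).
next_step() {
    case "$1" in
        missing|untrusted) echo "pacman -Sy archlinux-keyring && pacman -Su" ;;
        expired)           echo "pacman-key --refresh-keys" ;;
        *)                 echo "not covered in the thread" ;;
    esac
}
```

To check a real key, pipe the listing into `key_status` with the e-mail address from pacman's error message, then pass the result to `next_step`.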
