...is marginal trust... issue

I followed everything in the FAQ but after installing the new keyring, populating and refreshing, the issue persists:

```
Fehler: python-wxpython: signature from "Morten Linderud <morten@linderud.pw>" is marginal trust
:: Datei /var/cache/pacman/pkg/python-wxpython-4.1.1-1-x86_64.pkg.tar.zst ist beschädigt (Ungültiges oder beschädigtes Paket (PGP-Signatur)).
Soll die Datei entfernt werden? [J/n] n
Fehler: Konnte den Vorgang nicht durchführen (Ungültiges oder beschädigtes Paket (PGP-Signatur))
Fehler sind aufgetreten, keine Pakete wurden aktualisiert.
```

How can I trust the signature from “Morten Linderud morten@linderud.pw”? Or is it better not to trust it?

Well, Mr. Linderud is an Arch TU (trusted user). So, if you’re using Arch Linux, it is assumed you trust him, since he is responsible for packaging software you’re using.

Just saw you tried all that already :wink:

Which version of gnupg do you have installed? There was a version removed from the testing repo due to a change in how GNUPG processes trust.

The last resort is to remove all keys and set them back:
https://wiki.archlinux.org/title/Pacman/Package_signing#Resetting_all_the_keys

I have gnupg 2.3.1-1 installed. What I have already done:

  1. reinstalling archlinux-keyring
  2. stepped through pacman-key --init; pacman-key --populate archlinux endeavouros; pacman-key --refresh-keys; pacman -Syyu
    … issue persists.

There are no errors importing keys during the refresh-keys run.

After that I tried deleting the folder /etc/pacman.d/gnupg, followed by stepping through 2) above, but the issue still persists. Pacman does not trust the key which is used for signing python-wxpython. Any further ideas?

EDIT: This is the output for the key of the Arch User which is affected:

```
gpg --homedir /etc/pacman.d/gnupg/ --list-keys morten.linderud
gpg: WARNUNG: Unsichere Zugriffsrechte des Home-Verzeichnis /etc/pacman.d/gnupg’
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
pub rsa4096 2014-09-05 [SC]
C100346676634E80C940FB9E9C02FF419FECBE16
uid [vollständig] Morten Linderud morten@linderud.pw
uid [vollständig] Morten Linderud mcfoxax@gmail.com
uid [ marginal ] Morten Linderud foxboron@archlinux.org
uid [ marginal ] Morten Linderud morten.linderud@fribyte.uib.no
uid [ marginal ] Morten Linderud morten.linderud@student.uib.no
sub rsa4096 2014-09-05 [E]
sub rsa4096 2018-11-13 [S]
sub rsa4096 2018-11-26 [A]
```

EDITEDIT:
and this is the output of gpg when I look at the details of the key:

```
gpg> list

pub rsa4096/9C02FF419FECBE16
erzeugt: 2014-09-05 verfällt: niemals Nutzung: SC
Vertrauen: unbekannt Gültigkeit: vollständig
sub rsa4096/DF2502D0C726D1C0
erzeugt: 2014-09-05 verfällt: niemals Nutzung: E
Der folgende Schlüssel wurde am 2017-12-03 von RSA Schlüssel 9C02FF419FECBE16 Morten Linderud morten@linderud.pw widerrufen
sub rsa4096/41A82494FF2B717B
erzeugt: 2015-06-03 widerrufen: 2017-12-03 Nutzung: E
sub rsa4096/E742683BA08CB2FF
erzeugt: 2018-11-13 verfällt: niemals Nutzung: S
sub rsa4096/06F6BDC766FCDC53
erzeugt: 2018-11-26 verfällt: niemals Nutzung: A
[vollständig] (1). Morten Linderud morten@linderud.pw
[vollständig] (2) Morten Linderud mcfoxax@gmail.com
[ marginal ] (3) Morten Linderud foxboron@archlinux.org
[ marginal ] (4) Morten Linderud morten.linderud@fribyte.uib.no
[ marginal ] (5) Morten Linderud morten.linderud@student.uib.no
```

As you see trust is “unknown” and I think that is the reason why pacman stops upgrading the affected packages.

I just tried and installed the package without a hitch.
Could you try refreshing your mirrors and see if that helps?

I am using “testing” repositories. May that be the cause?

Not sure, but I don’t think it should be.

What version of gnupg do you use? BTW: Refreshing mirrors does not change anything.

Mine is at 2.2.27-1 on a fully updated system with stable repos.

I think we are getting closer. Mine is 2.3.1-1 and I cannot find it in any repository yet, but I did install it through the normal upgrade process! How can I find out which repository a locally installed package originates from? I will try to downgrade and repeat…

That was the issue! Downgrading gnupg solves the issue. But where do I get the buggy version from?? It is not in recent testing repos.

That is indeed very odd as gnupg 2.3.1-1 doesn’t seem to be in the Testing.

Here is another one with the same issue:

https://bbs.archlinux.org/viewtopic.php?pid=1972115

Looks like gnupg 2.3.1-1 has been pulled back from Testing.

jonathon some posts earlier already mentioned it but I have not given it the necessary rating… You and jonathan pushed me on the right path. Thank you for all your help!
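
An added example, not part of the thread and not Arch or GnuPG project code: the localized listings posted above are awkward to compare between machines, so this sketch reads gpg's locale-independent `--with-colons` output and reports key validity, owner trust and per-user-ID validity. The sample listing is constructed from the values posted in the thread (hash fields are placeholders), and the function names are made up for this example.

```shell
#!/bin/sh
# Constructed sample in `gpg --with-colons --list-keys` format, modelled on the
# listing in the thread. PLACEHOLDERn stands in for the user-ID hash field.
sample_listing() {
cat <<'EOF'
pub:f:4096:1:9C02FF419FECBE16:1409875200:::-:::scESCA:
fpr:::::::::C100346676634E80C940FB9E9C02FF419FECBE16:
uid:f::::1409875200::PLACEHOLDER1::Morten Linderud <morten@linderud.pw>:
uid:f::::1409875200::PLACEHOLDER2::Morten Linderud <mcfoxax@gmail.com>:
uid:m::::1409875200::PLACEHOLDER3::Morten Linderud <foxboron@archlinux.org>:
uid:m::::1409875200::PLACEHOLDER4::Morten Linderud <morten.linderud@fribyte.uib.no>:
uid:m::::1409875200::PLACEHOLDER5::Morten Linderud <morten.linderud@student.uib.no>:
sub:f:4096:1:E742683BA08CB2FF:1542067200::::::s:
EOF
}

# Reads colon-format output on stdin. Field 2 is validity, field 9 of a pub
# record is owner trust, field 5 is the key ID, field 10 of a uid record is
# the user ID (with ":" escaped as \x3a).
validity_report() {
    awk -F: '
        function vname(c) {
            if (c == "u") return "ultimate"
            if (c == "f") return "full"
            if (c == "m") return "marginal"
            if (c == "n") return "never"
            if (c == "r") return "revoked"
            if (c == "e") return "expired"
            if (c == "i") return "invalid"
            if (c == "d") return "disabled"
            return "unknown"    # "-", "q", "o" or an empty field
        }
        $1 == "pub" { printf "pub\t%s\townertrust=%s\t%s\n", vname($2), vname($9), $5 }
        $1 == "uid" { gsub(/\\x3a/, ":", $10); printf "uid\t%s\t%s\n", vname($2), $10 }
    '
}

# Counts user IDs whose validity is below full.
weak_uid_count() {
    awk -F: '$1 == "uid" && $2 != "f" && $2 != "u" { n++ } END { print n + 0 }'
}

# Against the pacman keyring the input would come from:
#   gpg --homedir /etc/pacman.d/gnupg --list-keys --with-colons <fingerprint>
sample_listing | validity_report
```

Running the same report under two gnupg versions and diffing the output shows whether the validity calculation itself changed, independent of locale.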
