Black arch Linux repository package signing failed and tried other ways but no use

Linux and Unix-Like
1

Hi I am Rupesh from India and I have a system with Intel i3 10th gen 10100 processor and Asus prime H510 me motherboard. I have installed black arch Linux which is based on arch Linux two months back. I am using this same distribution since 1.5 years and there is no major issues. Today package signing failed.

Actually I have installed os two months back and updating regularly using the following command

sudo pacman -Syu

The above command worked fine upto now by syncing package database and fetching packages and finally installing downloaded packages but today all the packages from arch Linux repository are fetched and installed but I got error as

blackarch: signature from ... is unknown trust

error: failed to synchronize all databases (invalid or corrupted database (PGP signature))

Upon getting the above error I have removed all the files and directories from

/etc/pacman.d/gnupg and

/var/lib/pacman/sync

After that I have issued the following commands

sudo pacman-key --init

sudo pacman-key --populate

sudo pacman -Syu

Actually upon doing the above generally all the issues related to packages can be fixed but instead I am getting the same errors as previous.

I am providing the output of the above commands below

[ Rupesh ~ ]$ sudo pacman-key --init
[sudo] password for build:       
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/etc/pacman.d/gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded
==> Generating pacman master key. This may take some time.
gpg: Generating pacman keyring master key...
gpg: directory '/etc/pacman.d/gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/etc/pacman.d/gnupg/openpgp-revocs.d/C38E014E4B1A789A12C12ECCD6900FF894022848.rev'
gpg: Done
==> Updating trust database...
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
[ Rupesh ~ ]$ sudo pacman-key --populate 
==> Appending keys from archlinux.gpg...
==> Appending keys from blackarch.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signed 10 keys.
==> Importing owner trust values...
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: inserting ownertrust of 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
==> Disabling revoked keys in keyring...
  -> Disabled 42 keys.
==> Updating trust database...
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: (use option "--allow-weak-key-signatures" to override)
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:  10  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:  10  signed:  97  trust: 0-, 0q, 0n, 10m, 0f, 0u
gpg: depth: 2  valid:  75  signed:  21  trust: 75-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2023-12-31
[ Rupesh ~ ]$ u
[ Rupesh ~ ]$ sudo pacman -Syyu
:: Synchronizing package databases...
 core                  129.4 KiB  49.6 KiB/s 00:03 [######################] 100%
 extra                   8.3 MiB  1770 KiB/s 00:05 [######################] 100%
 community              45.0   B  23.0   B/s 00:02 [######################] 100%
 multilib              139.6 KiB  51.7 KiB/s 00:03 [######################] 100%
 blackarch               4.0 MiB   453 KiB/s 00:09 [######################] 100%
error: blackarch: signature from "Levon 'noptrix' Kayan (BlackArch Developer) <noptrix@nullsecurity.net>" is unknown trust
error: failed to synchronize all databases (invalid or corrupted database (PGP signature))
[ Rupesh ~ ]$

May I know what is the meaning of weak key signatures

After issuing sudo pacman-key --populate I even issued the following

sudo pacman-key --populate --allow-weak-key-signatures

But I got error as option --allow-weak-key-signatures not found.

Here another issue is whenever I try to install a new package I am getting same error as signature from ... is unknown trust. So I can't do anything.

Kindly try to suggest how to upgrade my system and install new packages properly without any errors.

Regards,
Rupesh.

2

you may need to update the keyring (no guarantee this will address the gpg issue specifically!)

sudo pacman -Sy archlinux-keyring

4

No use

5

@rupeshforu3 , show the actual command lines run along with the actual output produced, saying
'After issuing sudo pacman-key --populate I even issued the following
sudo pacman-key --populate --allow-weak-key-signatures
But I got error as option --allow-weak-key-signatures not found.'

is inferior to the actual command input/output - as they will convey concisely the information being asked for !

7

gpg is effectively telling you that signatures generated using the SHA1 method are 'weak' (not secure), if you MUST use them then
enable that by using --allow-weak-key-signatures option on the command line. for details wrt the vulnerabilities around SHA1 generated keys you'll need to do some research.

8

I have provided what you asked already but you have not seen and so I am providing the same output below

[ Rupesh ~ ]$ sudo pacman-key --init
[sudo] password for build:       
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/etc/pacman.d/gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded
==> Generating pacman master key. This may take some time.
gpg: Generating pacman keyring master key...
gpg: directory '/etc/pacman.d/gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/etc/pacman.d/gnupg/openpgp-revocs.d/C38E014E4B1A789A12C12ECCD6900FF894022848.rev'
gpg: Done
==> Updating trust database...
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
[ Rupesh ~ ]$ sudo pacman-key --populate 
==> Appending keys from archlinux.gpg...
==> Appending keys from blackarch.gpg...
==> Locally signing trusted keys in keyring...
  -> Locally signed 10 keys.
==> Importing owner trust values...
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: inserting ownertrust of 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
==> Disabling revoked keys in keyring...
  -> Disabled 42 keys.
==> Updating trust database...
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: (use option "--allow-weak-key-signatures" to override)
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:  10  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:  10  signed:  97  trust: 0-, 0q, 0n, 10m, 0f, 0u
gpg: depth: 2  valid:  75  signed:  21  trust: 75-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2023-12-31
[ Rupesh ~ ]$ u
[ Rupesh ~ ]$ sudo pacman -Syyu
:: Synchronizing package databases...
 core                  129.4 KiB  49.6 KiB/s 00:03 [######################] 100%
 extra                   8.3 MiB  1770 KiB/s 00:05 [######################] 100%
 community              45.0   B  23.0   B/s 00:02 [######################] 100%
 multilib              139.6 KiB  51.7 KiB/s 00:03 [######################] 100%
 blackarch               4.0 MiB   453 KiB/s 00:09 [######################] 100%
error: blackarch: signature from "Levon 'noptrix' Kayan (BlackArch Developer) <noptrix@nullsecurity.net>" is unknown trust
error: failed to synchronize all databases (invalid or corrupted database (PGP signature))
[ Rupesh ~ ]$
9

@rupeshforu3 , repeating your post is not helpful (please don't repeat
it.), I'm attempting to help, posting snide comments is not helpful either. If I have made an error in reading/questions-ask - simply state that, tks. Its always superior to post commands and subsequent output generated by those when seeking assistance, they can be embellished with commentary after but they are nearly always the best starting point..

where is the output from the 'sudo pacman-key --populate --allow-weak-key-signatures' - in either posts

where is the output from the suggested
sudo pacman -Sy archlinux-keyring

you may want to go to specific blackarch site for assistance - FAQ | BlackArch Wiki - they mention invalid keyring signature and how to obtain latest blackarch update.

tks

1 Like
12

Hi I have sent mail to black arch Linux developer mailing list and they suggested to visit below page

13

@rupeshforu3, let the community know if any of the faq/troubleshooting suggestions off of those pages solve your issue - seems to be impacting a few users.

tks

14

Hi at present my system is working fine and so I will wait for 10 days so that any bug in gpg may get resolved and after that I will do real update.

15

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.