Error signature during a BlackArch update.
kheIdar opened this issue · 25 comments
I encountered an error during a BlackArch update, and I can't find the solution:
sudo pacman -Syu
error: blackarch: signature from 'Levon 'noptrix' Kayan (BlackArch Developer) noptrix@nullsecurity.net' is unknown trust
:: Synchronizing package databases...
core is up to date
extra is up to date
multilib is up to date
blackarch 4.0 MiB 1228 KiB/s 00:03 [####################################] 100%
error: blackarch: signature from 'Levon 'noptrix' Kayan (BlackArch Developer) noptrix@nullsecurity.net' is unknown trust
error: failed to synchronize all databases (invalid or corrupted database
If someone can help me, thank you.
I already tried, but it didn't solve my problem.
Same problem since yesterday; a few days ago I did the same installation and everything went OK.
I tried: https://blackarch.org/faq.html
sudo rm -rf /etc/pacman.d/gnupg/
# pacman-key --init
pacman-key --populate
Checked timedatectl, it's OK; cache cleared.
Tried installing it from git, following all the instructions, using a mirror. Any ideas?
sudo pacman -S blackarch-keyring && sudo pacman -Syu
?
Also check the previous 20 similar issues: https://github.com/BlackArch/blackarch/issues?q=is%3Aissue+error%3A+blackarch%3A+signature+from+%27Levon+%27noptrix%27+Kayan+%28BlackArch+Developer%29
I think I fixed it by going into pacman.conf and putting SigLevel = Required DatabaseOptional TrustAll. I'm at the start of my way so I'm a bit ignorant; isn't that going to make it a future problem? Thanks a lot for the answers, I was here for like 15 hours testing everything I could find around, almost getting more mad than I am.
thx Schimi6, i fixed with your comment
https://wiki.archlinux.org/title/Pacman/Package_signing#Configuring_pacman
TrustAll just disables any signature verification, that's dangerous and not the proper solution.
you sure it's not a dead mirror like #3939 (comment)
I imagine that this is not the best solution, but I haven't found a better one yet. Yes, I have tried mirrors, but no results.
Same problem here: after a system upgrade pacman is broken. I tried many solutions but nothing works, only @Schimi6's solution for now. Any ideas?
Temporary fix if you really want to update (possibly has problems) is to skip blackarch packages by commenting inside the pacman.conf:
#[blackarch]
#Include = /etc/pacman.d/blackarch-mirrorlist
Hopefully a proper solution is found.
I tried changing mirrors and removing the blackarch.db.sig file; still no improvement, still getting the same error.
Same problem over here. Already asked on Reddit if someone can help.
So I've found a pseudo fix for myself. (No pun intended lol) I've used a combination of the FAQ from the Blackarch website, 3939, and an attempted local key sign.
sudo pacman-key --recv-keys F9A6E68A711354D84A9B91637533BAFE69A25079 && sudo pacman-key --lsign-key F9A6E68A711354D84A9B91637533BAFE69A25079
The above takes the signature associated with the "noptrix" key and locally signs it. I know in some cases this might not work, but I was able to get it to work after I ran the FAQ and played around with the mirrors.
This however is a band aid fix because I find every time I restart the machine the key has to be re-signed.
I get this output when running the following command before running the key sign:
gpg --homedir /etc/pacman.d/gnupg --list-keys | grep nop
gpg: WARNING: unsafe ownership on homedir '/etc/pacman.d/gnupg'
gpg: Note: trustdb not writable
uid [ full ] Levon 'noptrix' Kayan (BlackArch Master) <noptrix@nullsecurity.net>
uid [ unknown] Levon 'noptrix' Kayan (BlackArch Developer) <noptrix@nullsecurity.net>
After the key sign:
gpg --homedir /etc/pacman.d/gnupg --list-keys | grep nop
gpg: WARNING: unsafe ownership on homedir '/etc/pacman.d/gnupg'
gpg: Note: trustdb not writable
uid [ full ] Levon 'noptrix' Kayan (BlackArch Master) <noptrix@nullsecurity.net>
uid [ full ] Levon 'noptrix' Kayan (BlackArch Developer) <noptrix@nullsecurity.net>
The developer key seems to be giving me the issue, and won't seem to stick. I'm still a noob at this so I'm not sure if this will help anyone. ¯_(ツ)_/¯
ok
Thanks @0xBroth, works for me!
Easiest thing to do right now until there is a fix, is to downgrade to gnupg 2.2.41-2 since the issues are with 2.4.
pacman -U https://archive.archlinux.org/packages/g/gnupg/gnupg-2.2.41-2-x86_64.pkg.tar.zst
rm -rf /etc/pacman.d/gnupg
pacman-key --init
pacman-key --populate archlinux blackarch
pacman-key --update --keyserver keyserver.ubuntu.com
When running system updates, use the --ignore flag to exclude gnupg or ignore gnupg in your pacman.conf file.
Example 1
Temporarily ignore the package during system update.
pacman -Syu --ignore gnupg
Example 2
Permanently ignoring the package.
sed -i '/IgnorePkg/ s/^#//; /IgnorePkg/ s/$/ gnupg/' /etc/pacman.conf
If the issue is related to gnupg version, why the only broken signing key is only the noptrix one while the other AL keys are working as expected?
@D3vil0p3r
Thanks to @anunna
When using 'gnupg=2.4.3-2', it outputs (notice that third-party key signatures using the SHA1 algorithm are rejected):
sudo pacman-key --populate archlinux blackarch
==> Appending keys from archlinux.gpg...
==> Appending keys from blackarch.gpg...
==> Locally signing trusted keys in keyring...
-> Locally signed 9 keys.
==> Importing owner trust values...
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: inserting ownertrust of 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
==> Disabling revoked keys in keyring...
-> Disabled 44 keys.
==> Updating trust database...
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: (use option "--allow-weak-key-signatures" to override)
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 9 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 9 signed: 97 trust: 0-, 0q, 0n, 9m, 0f, 0u
gpg: depth: 2 valid: 72 signed: 21 trust: 72-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2024-01-21
And when using gnupg=2.2.41-2, it outputs:
sudo pacman-key --populate archlinux blackarch
==> Appending keys from archlinux.gpg...
==> Appending keys from blackarch.gpg...
==> Locally signing trusted keys in keyring...
-> Locally signed 9 keys.
==> Importing owner trust values...
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: inserting ownertrust of 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
gpg: setting ownertrust to 4
==> Disabling revoked keys in keyring...
-> Disabled 44 keys.
==> Updating trust database...
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 9 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 9 signed: 100 trust: 0-, 0q, 0n, 9m, 0f, 0u
gpg: depth: 2 valid: 75 signed: 28 trust: 75-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2024-01-21
It works well! And then you can pacman -Syu as before.
So I think the reason is that noptrix's key uses an algorithm that gnupg no longer accepts since the recent update.
And a small tip:
You need to do this in pacman.conf first, before the downgrade:
#[blackarch]
#Include = /etc/pacman.d/blackarch-mirrorlist
then run downgrade and add it to IgnorePkg:
$ downgrade 'gnupg=2.2.41-2'
And follow this issue. Hopefully it'll be fixed soon.
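One way to check the SHA1 explanation in the comment above against a keyring, as an added example that is not part of the thread or of BlackArch's tooling: the function reads `gpg --with-colons --list-sigs` output and prints every signature made with SHA-1 (hash algorithm field 16 equal to 2) by a key other than the primary key. The sample listing, its key IDs and its names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list third-party SHA-1 signatures in gpg colon-format output.
# Real input would come from something like:
#   gpg --homedir /etc/pacman.d/gnupg --with-colons --list-sigs <fingerprint>

# Constructed sample listing: key IDs, dates and names are made up.
sample_listing() {
cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::-:::scESC:
uid:f::::1400000000::1111::Example Dev (Master) <dev@example.invalid>:
sig:::1:AAAAAAAAAAAAAAAA:1400000000::::Example Dev (Master) <dev@example.invalid>:13x:::::8:
sig:::1:BBBBBBBBBBBBBBBB:1600000000::::Example Signer <signer@example.invalid>:10x:::::8:
uid:-::::1400000001::2222::Example Dev (Developer) <dev@example.invalid>:
sig:::1:AAAAAAAAAAAAAAAA:1400000001::::Example Dev (Master) <dev@example.invalid>:13x:::::2:
sig:::1:CCCCCCCCCCCCCCCC:1400000002::::Old Signer <old@example.invalid>:10x:::::2:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1400000000::::::e:
sig:::1:AAAAAAAAAAAAAAAA:1400000000::::Example Dev (Master) <dev@example.invalid>:18x:::::2:
EOF
}

# Print "uid|signer key ID|signature class" for each signature that was made
# with SHA-1 (field 16 == 2) by a key other than the primary key (field 5).
# Self-signatures and subkey binding signatures carry the primary key ID and
# are therefore skipped.
weak_third_party_sigs() {
  awk -F: '
    $1 == "pub" { primary = $5; uid = "" }
    $1 == "uid" { uid = $10 }
    $1 == "sub" { uid = "(subkey)" }
    $1 == "sig" && $16 == "2" && $5 != primary {
      printf "%s|%s|%s\n", uid, $5, $11
    }'
}

# Stand-alone run against the constructed sample.
sample_listing | weak_third_party_sigs
```

On the constructed sample only the Developer user ID is reported, because its sole third-party certification uses SHA-1, while the Master user ID also carries a SHA-256 certification.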
I can reproduce the same. Thank you @lilian-lilifox. Apart from the workaround, the problem remains for new BlackArch system installations and for BA docker container generation. I hope this issue will be fixed soon.
Thanks for this @lilian-lilifox I've let noptrix know and see if we can get his key updated in the keyring.
I do however, for interest, have other issues on my system with 2.4.3 where I am unable to generate new gpg keys and some packages are unable to install via AUR. Mostly packages that install keys, etc., which may also be victim to weak keys but that's a different conversation.
I too am having this issue. Have there been any updates on this yet?
A new strap.sh was released today. You may want to look into this.
https://blackarch.org/downloads.html#install-repo
this fixed everything, good news for all of us!
New strap.sh works on a pre-installed machine.
Instructions to fix gpg issue
curl -O https://blackarch.org/strap.sh
chmod +x strap.sh
./strap.sh
sudo ./strap.sh
sudo pacman -Syu