Installing or upgrading AUR packages with sudo can fail on PGP signature verification
Pamac --version
Pamac 10.4.3-1 - libpamac 11.4.1-1
Variant in use
CLI
Distribution
Manjaro
Desktop environment
XFCE
What's not working
My pamac is set up to work with AUR (EnableAUR and CheckAURUpdates in /etc/pamac.conf), and I have a couple packages from there, e.g. "dropbox" and "tor-browser".
When I run sudo pamac upgrade, the packages that require additional GPG keys will error out on PGP signature verification:
==> Verifying source file signatures with gpg...
dropbox-lnx.x86_64-162.4.5419.tar.gz ... cat: write error: Broken pipe
FAILED
==> ERROR: One or more PGP signatures could not be verified!
If I run pamac upgrade without sudo, the packages upgrade successfully.
How to reproduce?
This happens when installing or upgrading packages, so the simplest way to reproduce is:
sudo gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
sudo pamac install tor-browser
More information (optional)
I run sudo pamac upgrade --no-confirm from a script periodically.
I do add the projects' keys as per instructions on their AUR pages. I add them to both my user (without sudo) and root (with sudo) keyrings.
I see that even though the use of pamac with sudo is discouraged on the forums, it looks to be supported: see here and here
If I check the signatures on the files that get downloaded into /var/cache/pamac/ manually, they check out OK.
There are warnings about the trust for the keys, but the error doesn't go away even if I set the package-signing keys to ultimate trust.
I have disabled DB signatures in /etc/pacman.conf so that I don't get the random "HTTP 404" garbage as the DB signature files.
So my /etc/pacman.conf has this:
[options]
SigLevel = Required DatabaseNever
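
An added example, not part of the original report or of pamac/pacman: a small Python parser that resolves the SigLevel line quoted above into its effective package and database settings, following the token rules in pacman.conf(5) (unprefixed tokens apply to both, Package/Database-prefixed tokens to one). The function names and the sample text are constructed for illustration, and only the [options] section is read.

```python
# Constructed sample: the [options] fragment quoted in the report.
SAMPLE_CONF = """\
[options]
# database signatures disabled by the reporter
SigLevel = Required DatabaseNever
"""

CHECKS = ("Never", "Optional", "Required")   # whether a signature is checked
TRUSTS = ("TrustedOnly", "TrustAll")         # which keys are accepted
SCOPES = ("Package", "Database")


def read_siglevel(conf_text, section="options"):
    """Collect SigLevel tokens, in order, from one section of a pacman.conf text."""
    tokens, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "SigLevel":
                tokens.extend(value.split())
    return tokens


def effective_siglevel(tokens):
    """Apply tokens left to right; None means the line leaves that field unset."""
    level = {scope: {"check": None, "trust": None} for scope in SCOPES}
    for token in tokens:
        prefix = next((s for s in SCOPES if token.startswith(s)), None)
        name = token[len(prefix):] if prefix else token
        if name in CHECKS:
            field = "check"
        elif name in TRUSTS:
            field = "trust"
        else:
            raise ValueError(f"unknown SigLevel token: {token}")
        for scope in ([prefix] if prefix else SCOPES):
            level[scope][field] = name           # later tokens override earlier ones
    return level


if __name__ == "__main__":
    for scope, fields in effective_siglevel(read_siglevel(SAMPLE_CONF)).items():
        print(scope, fields)
```

For the quoted line this reports package signatures as Required and database signatures as Never, so the sync databases are accepted without any signature check.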