Fixing Pacman Errors When Updating Arch Linux After A While

There is a specific error you might get when updating/upgrading the Arch Linux OS after a long break (or sometimes even after a short break if you’re unlucky with the intervals) via sudo pacman -Syu. No worries though. Linux in general and Arch Linux specifically are incredibly robust and repairable systems so there are many different ways to address the issue. Table of Contents
  • Introduction and Pacman Errors
    1. Updating the Archlinux Keyring
    2. Updating the Pacman Mirrorlist
    3. Removing the Pacman Cache Files
    4. Internet restriction and VPN or Hotspot Solutions
    5. Compiling and Installing static-pacman
    6. Booting Via Live Arch Installation USB & Chroot
  • References

The errors thrown by the Arch Linux and its package manager Pacman look something like this:

error: openssl: signature from “Pierre Schmitz <pierre@archlinux.org>” is marginal trust
:: File /var/cache/pacman/pkg/openssl-3.0.7-4-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] Y
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.

Starting from the least complicated and the least invasive, here are some solutions to these pacman errors.

Disclaimer: This tutorial is created for journaling & educational purposes only. The author cannot be responsible for any damages due to the guidance provided in this post. Please proceed at your own risk and always keep backups of your files.

1. Update the Archlinux Keyring first

While partial updates aren’t recommended as they can mess up the dependencies, SSL / TSL encryption mechanisms and the sync between packages and the package manager, you can always get away with updating the Archlinux-keyring first. If you haven’t run any updates/upgrades in a while, the update operation might be interrupted due to out of date Archlinux keyring libraries.

You can simply do this by running this following command:

sudo pacman -S archlinux-keyring

After that the keyring will be upgraded all your problems regarding the package signatures and marginal trust might potentially go away. You can try to proceed with a full system upgrade with the following command:

sudo pacman -Syu

If everything goes well, issue is sorted out and you don’t have to follow the following suggestions.

Note about openssl: Openssl package is a dependency of the GNU Core Utilities package: coreutils. In this specific case due to out-of-date archlinux-keyring package, the required version of openssl package can’t be found / appears corrupted and as a result core database cannot be retrieved.

Another way to fix broken keyrings is to update the keyring with these commands:

pacman -S archlinux-keyring
pacman-key --init
pacman-key --populate archlinux
pacman-key --refresh.

If everything goes well, issue is sorted out and you don’t have to follow the following suggestions.

(According to Arch Wiki: this is something you want to do in the chroot of your installation (arch-chroot /mnt))

This section is inspired by Nan Xiao’s post about How to update Archlinux keyring in old systems.

2. Update the Pacman Mirrorlist

You can also try updating the pacman mirrorlist by simply adding anything in the official Arch mirrorlist in the link below to the file in your system in : /etc/pacman.d/mirrorlist.

Here is the mirrorlist link: Arch Pacman Mirrorlist.

After updating the Pacman mirrorlist, you may want to give it a try by attempting the update/upgrade command again.

If it doesn’t work you can try the next step and try this command again.

sudo pacman -Syu

Note about openssl: Openssl package is a dependency of the GNU Core Utilities package: coreutils. In this specific case due to out-of-date archlinux-keyring package, the required version of openssl package can’t be found / appears corrupted and as a result core database cannot be retrieved.

This post is inspired by Nan Xiao’s How to update Archlinux keyring.

3. Removing Pacman cache files

Every time you update your system pacman keeps cache files of the old packages in case there is a need to downgrade. These files take lots of space cumulatively and if they have the wrong version this might be confusing the pacman’s update mechanism as well. Cache files are kept under

/var/cache/pacman/pkg &

/var/lib/pacman.

 

Cache files can be removed by running the following command:

sudo pacman -Sc

You’ll be prompted twice to delete the cache files.

You can then try to update the system with pacman again by running sudo pacman -Syu. There is a way to completely remove ALL cache files including other than other packages as well.

sudo pacman -Scc

Then you will be prompted twice and one of the prompts will have no (N) as default choice so you might want to make sure to enter y (for yes).

Cache directory: /var/cache/pacman/pkg/
:: Do you want to remove ALL files from cache? [y/N]

Database directory: /var/lib/pacman/
:: Do you want to remove unused repositories? [Y/n]

sudo pacman -Syu

4. Internet Restriction & VPN usage

In some rare cases there can be access restriction if you are using restricted internet. Server will return a 403 access denied error. In those cases you know it’s something to do with the internet connection most likely. You will see errors similar to below:

error: failed retrieving file ‘core.db’ from archmirror.it : The requested URL returned error: 403
error: failed retrieving file ‘extra.db’ from archmirror.it : The requested URL returned error: 403
error: failed retrieving file ‘community.db’ from archmirror.it : The requested URL returned error: 403
warning: too many errors from archmirror.it, skipping for the remainder of this transaction

In such cases temporarily connecting to a VPN or a Hotspot and trying to run a system update can also be helpful.

5. Compiling a Static Pacman (pacman-static) from AUR

grep -R  --ignore-case "IMPORT" /

Here is the AUR repository for pacman-static where you can find the git clone URL of pacman-static. Then following this tutorial you can compile the pacman-static:

Once pacman-static is installed, you will be able to update the openssl package or other crucial system packages that need to be repaired. In many cases it’s the openssl package which can be updated / installed with the following command.

sudo pacman-static -S openssl

You can also see the version of your openssl with the following command.

pacman -Q openssl

In the case of partial updates, one important package gets upgraded while others don’t. Since those other system packages depend on the correct version of the upgraded package they will stop functioning properly and it will break the whole system.

Here is the Arch Wiki entry for using pacman-static.

5. Firing Up the Live USB (Arch ISO)

If all fails, it’s still fairly easy to boot with a live Arch Installation USB. It’s also a good idea to always have a Live USB ready for such circumstances. Then you can chroot and install necessary packages to your local installation to solve the more complex issues. It’s probably also a good idea to back up what’s needed at this step while you still can. Here is the command to chroot:

arch-chroot /mnt

Fixing Broken Pacman

If partial upgrades, broken libraries, missing SSL TSL encryption is causing bigger issues, you can follow this procedure:

  • Boot through Arch ISO USB
  • Connect to internet using iwctl
  • mount the broken system on /mnt
  • use pacman –sysroot /mnt … to reinstall/update the broken/outdated packages.
  • Install pacman-static
    • either via AUR as explained above
  • or if system files aren’t working to makepkg/install you can use  extracted binary compiled by official Arch sources.
  • use pacman-static instead of pacman to reinstall or update the broken or outdated packages.

Please note, you will need to mount the necessary system partitions before chrooting to the root of your local installation like above.

Official files and mirrors for Arch Linux can be found here.

References

[1] Arch Wiki: chroot