You are not logged in.
- Topics: Active | Unanswered
#1 2026-02-20 19:00:41
- roxdio
- Member
- Registered: 2024-11-20
- Posts: 14
Plans to rebuild packages/get keys signed for "marginal" maintainers?
Apologies if this comes off as overly-demanding, but I'm waiting to upgrade my system but a bunch of packages are signed by a developer who is now considered "marginal trust" due to the departure of one of their key-signers.
I see that this problem has been recognized already and in some cases is being addressed, see https://archlinux.org/todo/rebuild-pack … o-shibumi/ and https://archlinux.org/todo/rebuild-ever … 3dfe2060d/. If I understand correctly, in these cases they are rebuilding the packages while the maintainers are waiting for their keys to be signed.
But this does not include all the maintainers in question, and unfortunately not the one who built the packages that are holding up my upgrade. (At least, according to this https://archlinux.org/master-keys/).
Should I just assume this is being taken care of even if the todo list (https://archlinux.org/todo/) isn't indicating any planned change? Would it be too aggressive to prod the maintainer in question to rebuild their packages?
I suppose I could always either downgrade the archlinux-key-ring or change pacman's trust level, but unless this isn't expected to change in months, I would prefer not to do that. Any suggestions on what to do?
Offline
#2 2026-02-20 20:00:12
- Scimmia
- Fellow
- Registered: 2012-09-01
- Posts: 13,584
Re: Plans to rebuild packages/get keys signed for "marginal" maintainers?
AFAIK, there are no current problems. If you need help with something, see https://bbs.archlinux.org/viewtopic.php?id=57855
Offline
#3 2026-02-20 20:23:14
- roxdio
- Member
- Registered: 2024-11-20
- Posts: 14
Re: Plans to rebuild packages/get keys signed for "marginal" maintainers?
Sorry, maybe I should say before that I am trying to upgrade and get the error:
```
error: intel-gmmlib: signature from "Daniel Bermond <dbermond@archlinux.org>" is marginal trust
:: File /var/cache/pacman/pkg/intel-gmmlib-22.9.0-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.
```
If I look here (https://archlinux.org/master-keys/), I see that the maintainer's key does not have enough signatures.
Trying to upgrade `archlinux-keyring` etc. (as in here https://bbs.archlinux.org/viewtopic.php?id=311763) does not fix it.
Offline
#4 2026-02-20 20:31:07
- Scimmia
- Fellow
- Registered: 2012-09-01
- Posts: 13,584
Re: Plans to rebuild packages/get keys signed for "marginal" maintainers?
That page just hasn't updated, the key has been signed by gromit and should be valid in archlinux-keyring 20260131-1 and newer. What version do you have?
Last edited by Scimmia (2026-02-20 20:33:49)
Offline