How to fix signature is unknown trust on Arch Linux

My continued love/hate relationship with Arch Linux continually yields topics to
blog about. This week’s topic reared its head while attempting to perform an
update after waiting a bit longer than I usually do, which yielded an error
about one or more of the keys being “of unknown trust”.

Like most of my Arch Linux dilemmas, I’m not entirely sure what caused this one. I suspect a key changed and perhaps the way I was running the update wasn’t properly updating the keys as one would have expected to happen first.

Regardless, the error looks something like this (the names, emails and packages have been changed to protect the innocent):

error: some-package: signature from "Some Person email@some.domain" is unknown trust
:: File /var/cache/pacman/pkg/some-package-0.1.2-3-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.
-> error installing repo packages

Having run into GPG key issues with Arch in the past, my path of least
resistance is to refresh the keys. Keep in mind, this method does take a few
minutes to run:

% sudo pacman-key --refresh-keys

That command will scroll by for a bit, doing its thing to refresh the keys.
Once it’s complete, you can reattempt running an update and/or installing a
package, or whatever command you had previously run that produced the error.
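
An added example, not part of the original post: this script pulls the signer out of pacman's "unknown trust" error so that one key can be inspected before or after the refresh. The sample log is constructed from the error above (the second package and the angle brackets around the address are assumptions), and the function names are illustrative.

```shell
#!/bin/sh
# Constructed sample: the error from the post, with the <...> a key uid
# normally carries around the address, plus a second made-up package.
sample_log() {
    cat <<'EOF'
error: some-package: signature from "Some Person <email@some.domain>" is unknown trust
:: File /var/cache/pacman/pkg/some-package-0.1.2-3-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
error: other-package: signature from "Some Person <email@some.domain>" is unknown trust
error: failed to commit transaction (invalid or corrupted package)
EOF
}

# Print "package<TAB>signer" once per package hit by the unknown-trust error.
unknown_trust_signers() {
    tab=$(printf '\t')
    sed -n "s/^error: \([^:]*\): signature from \"\(.*\)\" is unknown trust\$/\1${tab}\2/p" | sort -u
}

# Reduce a signer uid to the address inside <...>; fall back to the whole uid.
signer_email() {
    case $1 in
        *'<'*'>'*) printf '%s\n' "$1" | sed 's/.*<\([^>]*\)>.*/\1/' ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Read pacman output on stdin and show each distinct signer. Where pacman-key
# exists, list that key from pacman's keyring (read-only: nothing gets trusted).
report() {
    unknown_trust_signers | cut -f2 | sort -u | while IFS= read -r signer; do
        email=$(signer_email "$signer")
        echo "untrusted signer: $signer"
        if command -v pacman-key >/dev/null 2>&1; then
            pacman-key --list-keys "$email" </dev/null ||
                echo "  no key for $email in the pacman keyring"
        else
            echo "  inspect with: pacman-key --list-keys $email"
        fi
    done
}

# Demo on the constructed sample; for real use, save the failed update's
# output to a file and run: report < that-file
sample_log | report
```

If the same signer still shows up after `pacman-key --refresh-keys`, the listing for that one key is the place to look next.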

Josh Sherman - The Man, The Myth, The Avatar

About Josh

Husband. Father. Pug dad. Musician. Founder of Holiday API, Head of Engineering and Emoji Specialist at Mailshake, and author of the best damn Lorem Ipsum Library for PHP.

