MSYS2-packages: error: XXXX : signature from "David macek " is invalid

For what it’s worth, even after applying all the solutions proposed here, it may help to upgrade the keyring package (pacman -S msys2-keyring) before doing the full upgrade.

then pacman-key --refresh might help

What worked for me was:

1. running pacman -Syu to update the package database and base packages as msys2 install manual instructs in point 5

2. updating the keyring package as @samhocevar proposed

3. Then resetting pacman keystore as @hamlibdk proposed

4. Then upgrading all the packages with pacman -Syuu

Ran into this today too. What finally worked for me was:

rm -rf /etc/packman.d/gnupg
pacman-key --init
pacman -S msys2-keyring
pacman-key --populate msys2
pacman -Syu

** * A WORK AROUND * **

I have a work-around - that being to Disable Signature Checking (ref: ) that appears to make the environment function again… However, I would recommend the following procedure FIRST (ref: https://www.msys2.org/news/ )

Stage 1: From https://www.msys2.org/news/

If you still see signature errors, resetting your pacman key store might help:

# rm -r /etc/pacman.d/gnupg/
# pacman-key --init
# pacman-key --populate msys2

Stage 2: https://wiki.archlinux.org/index.php/Pacman/Package_signing

Disabling signature checking

Warning: Use with caution. Disabling package signing will allow pacman to install untrusted packages automatically. If you are not concerned about package signing, you can disable PGP signature checking completely. Edit /etc/pacman.conf and uncomment the following line under [options]:

SigLevel = Never

You need to comment out any repository-specific SigLevel settings too because they override the global settings. This will result in no signature checking, which was the behavior before pacman 4. If you decide to do this, you do not need to set up a keyring with pacman-key. You can change this option later if you decide to enable package verification.

From what I understand from pacman-key, I suggest the following:

And always first understand what you are doing: pacman-key --help … -d, --delete Remove the specified keyids … -l, --list-keys List the specified or all keys …

1.- Run pacman-key -l 2.- Verify you have a key for “David macek” that is expired and another that is valid. 2.1.- Take note or copy the expired key for example, let’s say KEYTOREMOVE is the expired key. 3.- Remove the expired key pacman-key -d KEYTOREMOVE

After doing this verify you can install pacman packages signed by “David macek…” signature without issues.

I tried pacman-key --refresh and although it said the same thing, subsequent updates worked (the next update reported the same error but proceeded anyway and the update after that didn’t have the error at all).

Can you see if the same is true in your situation?

I have an old machine and the official instructions did not worked (it may be because I did not run pacman -Syu with -y, I have my system running tests and doing an upgrade would break my ssh and bash). I used this instead:

It seems that now pacman uses the format zst:

1. curl -O http://repo.msys2.org/msys/x86_64/pacman-mirrors-20210902-1-any.pkg.tar.zst (https://www.msys2.org/news/#2020-06-29-new-packagers), I just downloaded the lasted key file I found on http://repo.msys2.org/msys/x86_64/
2. tar -I zstd -xvf pacman-mirrors-20210902-1-any.pkg.tar.zst -C / or pacman -U pacman-mirrors-20210902-1-any.pkg.tar.zst (https://stackoverflow.com/questions/45355277/how-can-i-decompress-an-archive-file-having-zst-or-tar-zst)

Fix the error error: libevent-devel: signature from "David Macek <david.macek.0@gmail.com>" is unknown trust (https://github.com/msys2/MSYS2-packages/issues/2343#issuecomment-941815336)

1. pacman -Syu (and cancel upgrade with n)
2. rm -rf /etc/packman.d/gnupg
3. pacman-key --init
4. pacman -S msys2-keyring
5. pacman-key --populate msys2
6. Now pacman -S package-name is working again and not failing anymore with:

   $ pacman -S libevent
   error: mingw32: signature from "David Macek <david.macek.0@gmail.com>" is unknown trust
   error: mingw64: signature from "David Macek <david.macek.0@gmail.com>" is unknown trust
   error: msys: signature from "David Macek <david.macek.0@gmail.com>" is unknown trust
   error: database 'mingw32' is not valid (invalid or corrupted database (PGP signature))
   error: database 'mingw64' is not valid (invalid or corrupted database (PGP signature))
   error: database 'msys' is not valid (invalid or corrupted database (PGP signature))
   

I now successful followed the instructions given here https://www.msys2.org/news/#2020-06-29-new-packagers

and can update and install new packages.

it may help to upgrade the keyring package (pacman -S msys2-keyring) before doing the full upgrade.

I did this as a first thing and it helped, thx

For those of us who has had this “pacman error: … : signature from … is unknown trust” problem for a long time. There is likely an additional issue of pacman-key calling an invalid keyserver. The fix is to run pacman-key with an explicit keyserver option:

$ pacman-key --keyserver keyserver.ubuntu.com --refresh-keys

after running:

$ pacman -U msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz

This solution avoids running the updated installer to reinstall MSYS2.

The key delivered in msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz has expired, needing “pacman-key --refresh-keys” to update. There is more detail in this stackoverflow answer.

run this it will solve the problem " pacman -S msys2-keyring ‘’ before I suffered to fix the issue but I found this on internet.

Bear in mind the keys mentioned in MSYS’s FAQ no longer exists and --verify will fail (the resulting fetched files are HTML 404 messages). At this moment, these work:

curl -O https://repo.msys2.org/msys/x86_64/msys2-keyring-1~20230316-1-any.pkg.tar.zst
curl -O https://repo.msys2.org/msys/x86_64/msys2-keyring-1~20230316-1-any.pkg.tar.zst.sig
pacman-key --verify msys2-keyring-1~20230316-1-any.pkg.tar.zst.sig
pacman -U msys2-keyring-1~20230316-1-any.pkg.tar.zst

Doublecheck at the repo.

Same issue here. But left out resetting the pacman keystores as @hamlibdk proposed. After about 3 hours of retrying with different solutions it finally worked.

I like msys2, but this is frustrating. This issue really needs to be ironed out. Need more information from error reporting to be better able to diagnose problems: e.g., just saying someone is an unknown trust does not provide enough information to debug the problem. Why is so and so an unknown trust? I see this issue has been ongoing for over a year.

then pacman-key --refresh might help

THANK YOUUUUUU

I solved my problem by typing pacman -Syu.

I had fixed my issue before by updating the keys. I might have done it through refresh or init. But now I had again the “pacman error: … : signature from … is unknown trust” message as mentioned above by @dsieh on Nov, 2021. You may want to try directly what @silverqx mentioned September 15, 2021. (That is “Next step (several posts above mention this):” below)

However, I followed some steps and those let me installed packaged signed by “David’s Macek” key again.

Some might be redundant but what I did was:

pacman-key -l I found that the following entry was expired and removed it. uid [ expired] David Macek david.macek.0@gmail.com

pacman-key -d 87… It expired 2022-03-03

pacman-key --refresh I got an error: gpg: keyserver refresh failed: Try again later ==> ERROR: A specified local key could not be updated from a keyserver.

The key was successfully removed though. Which can be confirmed by running pacman-key -l again.

I got the following error while trying to install packages signed with the old key: … error: key “62…” could not be looked up remotely error: required key missing from keyring error: failed to commit transaction (unexpected error) Errors occurred, no packages were upgraded.

Then I ran: pacman -Syu And answered n as follows (as mentioned by @evandrocoan October 23, 2021): … :: Proceed with installation? [Y/n] n

Next step (several posts above mention this): pacman -S msys2-keyring

Which signed the keys successfully and disabled revoked keys: … ==> Updating trust database… gpg: next trustdb check due at 2022-06-26

After this I could install the packages. And understand better how this works by doing the attempts to fix it without modifying files manually or executing the pacman-key command with another key-server.

I had the same problem, and for me only msys2-keyring-1~20210904-1 was installed and trying to upgrade it didn’t help. What I did in the end was download the newest msys2-keyring package and sig from https://repo.msys2.org/msys/x86_64/ and installed it with pacman -U. Upgrading the offending packages works now. However, now I am getting a warning that the local version of msys2-keyring is too new 😃

PS: Seems I’m also stuck with pacman-mirrors-20211116-1. I also noticed that the mirror lists under /etc/pacman.d were installed as mirrorlist.*.pacnew. Renaming them broke things, though, as pacman -Sy is unwilling to do anything because Christoph Reiter’s key is not recognized anymore and the signature database is supposedly corrupted.

David’s new key expired on March 3rd 2022… I think there might be some packages which were signed with this old key

pacman-key -d 87771331B3F1FF5263856A6D974C8BE49078F532

error: liblz4: signature from "David Macek <david.macek.0@gmail.com>" is unknown trust
:: File /var/cache/pacman/pkg/liblz4-1.9.3-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: gmp: signature from "David Macek <david.macek.0@gmail.com>" is unknown trust
:: File /var/cache/pacman/pkg/gmp-6.2.1-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: base: signature from "David Macek <david.macek.0@gmail.com>" is unknown trust
:: File /var/cache/pacman/pkg/base-2020.12-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: failed to commit transaction (invalid or corrupted package)
Errors occurred, no packages were upgraded.

as well as gcc

error: gcc: signature from "David Macek <david.macek.0@gmail.com>" is unknown trust
:: File /var/cache/pacman/pkg/gcc-10.2.0-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n

I am having the same issue, but can’t perform the steps outlined to fix it. I am most likely missing something, but I am running this on windows, and can’t get the pacman-key command to work. This makes sense as it is a shell script, do I need to use WSL for windows or something to make this work?

for me instructions at https://www.msys2.org/news/#2020-06-29-new-packagers did help If not. Backup your ~ and try a new install

I already considered bypassing pacman digital signature checking.

However, until I am sure that the cause of this problem is not some kind hack I am reluctant to proceed. After all, it would be an effective way to infect lots of computers. Could be another SolarWinds!

I am amazed that nobody from the MSYS2 project team has yet commented on this issue and provided reassurance to users.

Likely sourceforge having problems. Waiting a bit might help.

I am experiencing exactly the the same error.

I upgrade my MSYS2 installation weekly, on average, and it was working up until two days ago. Today the pacman upgrade procedure is no longer working.

That is not a solution or a mitigation … especially since the “last resort fix-all” steps at https://www.msys2.org/news/ fail !

Yet for the record a redeploy from scratch FAILS with the same error.

It was basically working well prior to 2021-2-16 00:00z … Problems after that time !

The matter is of critical urgency as this is part of as Software Developers’ kit - that integrates with Qt - used by many-many of non-commercial developers.