Signature verification errors and mirror sync failures in Pacman prevent system updates and package installations on Arch-based distributions. These issues often surface as PGP signature errors, “unknown trust” messages, or corrupted package warnings. Addressing these problems restores secure package management and system reliability.

Resetting the Pacman Keyring and Trust Database

Corrupted or outdated keyrings frequently cause signature errors during package updates. Resetting and repopulating the keyring is the most effective solution for restoring package trust.

Step 1: Remove the existing GnuPG directory for Pacman to clear out broken or stale keys. This forces Pacman to create a fresh keyring on initialization.

sudo rm -r /etc/pacman.d/gnupg

This step deletes all existing keys and trust information. It is safe, but you will need to repopulate the keyring in the next steps.

Step 2: Reinstall the keyring and GnuPG packages to ensure the latest key files are present. This also fetches any updated keyring packages from the repositories.

sudo pacman -Sy gnupg archlinux-keyring

If you are using a derivative such as Manjaro or EndeavourOS, include their respective keyring packages as well:

sudo pacman -Sy manjaro-keyring

Step 3: Initialize the new keyring. This generates the trust database and prepares it for key imports.

sudo pacman-key --init

Step 4: Populate the keyring with official distribution keys. This step imports the trusted keys used to sign repository packages.

sudo pacman-key --populate archlinux

If you are on Manjaro or another Arch-based system, add the relevant keyrings:

sudo pacman-key --populate manjaro

Step 5: Refresh the keys to update trust signatures and fetch any new key updates from the keyservers.

sudo pacman-key --refresh-keys

Refreshing keys may take several minutes, especially on slow connections or if the keyserver is under heavy load. If you encounter errors fetching keys, try specifying a different keyserver in /etc/pacman.d/gnupg/gpg.conf by adding:

keyserver hkps://keyserver.ubuntu.com

Step 6: Clear the package cache to remove any previously downloaded, potentially corrupted packages.

sudo pacman -Sc

Step 7: Attempt a full system update to verify that the keyring and mirrors are functioning correctly.

sudo pacman -Syu

These steps resolve most PGP signature errors and keyring corruption issues. If the problem persists, proceed to the next section.

Updating and Repairing Mirror Lists

Outdated or unreachable mirrors can cause package not found errors, incomplete downloads, or repeated signature failures. Refreshing the mirror list ensures Pacman uses active, up-to-date servers.

Step 1: Generate a new mirror list using a tool such as reflector (Arch/EndeavourOS) or pacman-mirrors (Manjaro).

  • For Arch Linux and derivatives:
sudo reflector --country 'United States,Germany' --latest 10 --sort rate --save /etc/pacman.d/mirrorlist
  • For Manjaro:
sudo pacman-mirrors -f 5

These commands select the fastest and most recently updated mirrors based on your location.

Step 2: Synchronize the package database to ensure Pacman is aware of the updated mirror list.

sudo pacman -Syy

Step 3: Retry the update process.

sudo pacman -Syu

If you continue to see “file not found” or signature errors, confirm your system clock is accurate. An incorrect clock can cause trust failures when verifying package signatures.

Advanced: Forcing Package Trust When Standard Fixes Fail

On rare occasions, persistent keyring or package signature errors block updates even after resetting keys and mirrors. Temporarily lowering the signature verification level allows you to update the keyring itself, after which you must restore the original security settings.

Step 1: Edit /etc/pacman.conf and locate the line:

SigLevel = Required DatabaseOptional

Change it to:

SigLevel = Optional TrustAll

This setting disables strict signature checks. Use this only for updating keyring packages.

Step 2: Update the keyring packages again:

sudo pacman -Sy archlinux-keyring

If you use Manjaro or another derivative, add their keyring package as well:

sudo pacman -Sy manjaro-keyring

Step 3: Restore the original SigLevel line in /etc/pacman.conf to re-enable signature verification.

SigLevel = Required DatabaseOptional

This approach is a last resort and should not be used for regular package installations. Only use it to repair a broken keyring, then immediately revert to secure settings.

Additional Troubleshooting Steps

If the above methods do not resolve your issue, consider these options:

  • Check your system clock and timezone with timedatectl status. Synchronize if needed.
  • Investigate network issues or firewall restrictions that may block keyserver access.
  • If partial upgrades have broken Pacman itself, use a static binary (pacman-static) or a live USB to chroot into your installation and repair packages.
  • For persistent “invalid packet” or “invalid keyring” errors, remove and recreate the entire /etc/pacman.d/gnupg directory as described above.
  • On SteamOS and other custom distributions, verify you are using the correct mirror and repository settings for your platform.

If you encounter errors about specific PGP keys, you can try manually retrieving them:

sudo pacman-key --recv-keys

Replace <KEYID> with the actual key identifier shown in the error message.

Resetting the Pacman keyring and updating your mirror list resolve most signature and sync errors. For persistent issues, carefully apply advanced fixes and always restore secure configuration settings after repair.