archlinux / archinstall

Arch Linux installer - guided, templates etc.
GNU General Public License v3.0

Refresh archlinux-keyring for old keyrings #2213

Open benmordecai opened 9 months ago

benmordecai commented 9 months ago

Since archinstall is included on the default Arch Linux installation media, it would be common for Arch users to keep an old USB drive with Arch installation media on hand for emergency recovery. Also, with tools like Ventoy it is more popular to keep a USB drive full of ISOs as a toolkit.

As these Arch ISOs age, the keyrings they come with expire, leading to failures to install packages in the middle of the archinstall script, after destructive steps like disk partitioning and filesystem creation have been completed. The simplest solution is to reboot into the Arch install media, run pacman -S archlinux-keyring, then run archinstall, but new users might not know this, and the user might not have access to a secondary device to easily look up commands.

Archinstall could prevent this problem by refreshing the archlinux-keyring early in the script, or at least offer the option to refresh the keyring before a point of no return.

Torxed commented 9 months ago

There's an automated keyring update service called archlinux-keyring-wkd-symc.service on the Arch ISO as of a couple of months ago.

The issue is the race condition of the network not being up during its first execution, delaying the update by a substantial amount.

The best way forward would be to stop monkey-patching archinstall to deal with these things, as we've been battling this for years now. And it's a moving target.

Instead, there are two things that should happen (from a personal perspective):

  1. The Arch Linux keyring must be stable over the course of 1+ month (the gap between ISOs)
  2. The auto-update service needs to be more robust

benmordecai commented 9 months ago

When I initially made this comment I was working with the 2023.06 image and thought that it was basically my fault for using an old image, so it seemed like it would be simple to add a check. But as I have learned more (with your comments as well), it's clear this is much more complicated, and I agree with you as to the approach. I updated to 2023.11.01 and found that I could not get the archinstall script to work at all, and I ended up having to redownload 2023.06 to get it working again; before running archinstall I manually ran pacman-key --init and pacman -Sy archlinux-keyring. After that I was able to successfully install with the 2023.06 media.

All this to say I agree that the main solution should probably be making the keyring init and update process bulletproof, which is out of the responsibility of this project.

Torxed commented 9 months ago

The one thing I want to convey, and I truly mean this: I understand the frustration! And I agree that this is an issue, and I am pushing for change to get this fixed.

Throughout the years we've done everything from pacman-key --init to pacman -Sy archlinux-keyring to removing the gpg cache and what not. But ultimately it takes way too much time to maintain compared to putting the effort into fixing the root cause.

And one of them is that the signing keys expire before there's a new one in place; the second being that the auto-update feature is a good step in the right direction, but it's incomplete.

And I'll do what I can to push fixes for them. Sadly that takes time away from archinstall, so bear with me! :)

benmordecai commented 9 months ago

Well I must also convey my thanks that you volunteer to do this at all. I get a free operating system for nothing.

I am not sure if this would be possible to know in advance, but I wonder if it would be possible to have something like a way to know right as you call archinstall that the keyring is not in an OK state and give a warning. At that point the user could exit and remedy the issue or else proceed (perhaps for the purpose of generating a configuration for future use) without expectation that the script would succeed.

That of course would depend on the script being able to know in advance that there is a problem with the keyring, which may be just as complicated as the cat and mouse game you are trying to avoid.
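The "know in advance" check benmordecai describes can be approximated without any cat-and-mouse patching of the installer: read the expiry and validity flags of the public keys in pacman's keyring and refuse to start the destructive part of an install while any signing key is already expired or revoked. The following is an added example, not code from archinstall or from anyone in this thread. It assumes pacman-key's keyring lives at /etc/pacman.d/gnupg (the default path) and parses the colon-separated format that gpg --list-keys --with-colons emits; the two sample key lines are constructed for illustration and are not real Arch Linux keys.

```shell
# Constructed sample in gpg --with-colons format (not real Arch keys):
# first key is valid until 2100, second carries validity flag 'e' (expired).
SAMPLE_KEYS='pub:-:4096:1:0123456789ABCDEF:1600000000:4102444800::-:::scESC::::::23::0:
pub:e:4096:1:FEDCBA9876543210:1500000000:1600000000::-:::scESC::::::23::0:'

# check_keyring_listing LISTING NOW_EPOCH
# Returns 0 when every "pub" record is usable, 1 when at least one is
# expired or revoked. Field 2 is gpg's validity flag ('e' expired,
# 'r' revoked); field 7 is the expiry as seconds since the epoch
# (empty means the key never expires).
check_keyring_listing() {
    listing="$1"
    now="$2"
    bad=$(printf '%s\n' "$listing" | awk -F: -v now="$now" '
        $1 == "pub" && ($2 == "e" || $2 == "r" || ($7 != "" && $7 + 0 < now)) { n++ }
        END { print n + 0 }')
    [ "$bad" -eq 0 ]
}

# live_keyring_ok
# Runs the same check against the live pacman keyring on the ISO.
# Assumption: the keyring homedir is /etc/pacman.d/gnupg.
live_keyring_ok() {
    listing=$(gpg --homedir /etc/pacman.d/gnupg --list-keys --with-colons 2>/dev/null) || return 1
    check_keyring_listing "$listing" "$(date +%s)"
}

# Pre-flight gate: warn before any partitioning happens, in the spirit of
# "exit and remedy, or proceed without expecting success".
preflight() {
    if live_keyring_ok; then
        echo "pacman keyring looks current"
    else
        echo "WARNING: expired or revoked keys in the pacman keyring;" >&2
        echo "consider: pacman-key --init && pacman -Sy archlinux-keyring" >&2
        return 1
    fi
}
```

The gate is conservative on purpose: it only inspects state already on disk, so it cannot detect a key that is valid locally but has since been revoked upstream, which is the part only a network refresh (or the keyring update service Torxed mentions) can fix.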

Bydo-Spore commented 7 months ago

Why is archlinux-keyring-wkd-symc.service necessary? Why can't pacman -Sy archlinux-keyring be executed automatically as the first step in archinstall? Obviously there will be a network connection then, so it would never fail. Does executing pacman -Sy archlinux-keyring when it's not necessary break something?

KDPRoss commented 5 months ago

> Why is archlinux-keyring-wkd-symc.service necessary? Why can't pacman -Sy archlinux-keyring be executed automatically as the first step in archinstall? Obviously there will be a network connection then, so it would never fail. Does executing pacman -Sy archlinux-keyring when it's not necessary break something?

Just hit this and popped over to see if there was already an issue tracking this ... and manually installing archlinux-keyring was my workaround to get my installation moving forward ... that seems the straightforward solution to me?