more key nightmares

Links: Arch - package signing

TLDR: in 2024, one's system, gpg keyservers, and Arch repositories all need to be *up*, properly configured, and current, to accomplish a standard Arch pacman Syu. Solutions given in decreasing order of intervention severity.

overview

"Key" conflicts or expiry during pacman updates have become the most consistent annoyance in Arch, (alongside PulseAudio, more Linux-wide). Eg, in 2024, waiting even two weeks between system updates likely will spawn an unrecoverable, unintuitive pacman key failure during pacman -Syu. What is happening?

Pacman used to just check a hash of the application package. NOW, Arch additionally checks hashed signature keys for each application's creator/repository uploader. The shift to increased verification led to use of an additional application: gpg. A further complication -- gpg stores and retrieves keys from a dedicated repository, a "keyserver", which is separate from the application repository. A yet further complication is that gpg deposits the latest keys into user's system, in /etc/pacman.d/gnupg and does not regularly update these.

pacman is still the update manager, but gpg is now a critical adjuvant app, and which must handshake its keys with pacman during each update, yet does not update its keys between pacman updates. Immense time can be lost navigating this setup; this post only has the bandwith to list solutions. Basically, if any pacman key failures, I first attempt to update the keys (pacman-key --refresh-keys) and then I go nuclear. I don't have days to waste.

Solutions in decreasing order intervention severity.

---

thermo-nuclear

# nano /etc/pacman.conf
# temporary key solution: add SigLevel never and
# comment-out default "Required"
SigLevel = Never
# SigLevel = Required DatabaseOptional

A regular pacman-Syu now works. After update success, and a reboot, we reset /etc/pacman.conf back to default "Required".

We've accomplished the update, but now we find that the problem with keys still exists. That is, we still can't, eg., run pacman-key --populate, without the same error messages and Catch-22 with 'pacman-key --init' that we experienced earlier:

# pacman-key --populate
==> ERROR: There is no secret key available to sign with.
==> Use 'pacman-key --init' to generate a default secret key.
# pacman-key --refresh
gpg: error reading key: No public key

The Catch 22 is that we're driven to run 'pacman-key --init', but 'pacman-key --init' fails 100% of the time, stating we have no public key, LOL. "I can't make what you need since you don't already have it".  In 2024, I don't know a way to circumvent this keys issue without significant time-wasting alternatives. I just give it a key.

# gpg --gen-key --homedir /home/USER/.gnupg --passphrase "PASSWORD" --pinentry-mode loopback
gpg: WARNING: unsafe ownership on homedir '/home/foo/.gnupg'
GnuPG needs to construct a user ID to identify your key.
Real name:

After all of this, we'll get some success message...

gpg: /home/foo/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/home/foo/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/foo/.gnupg/openpgp-revocs.d/BFA0F3753DA6EA552E08958F06E36EA3F9E270C0.rev'
public and secret key created and signed.

...after which...

# pacman-key --init
# pacman-key --populate

...work normally. Now we can do regular pacman updates with regular keyring checks. We have to repeat the laborious process however, typically when it's been a few weeks or longer between updates.

nuclear

stackexchange wisdom

# gpgconf --kill gpg-agent
# rm -r /etc/pacman.d/gnupg
# rm -r /root/.gnupg
# rm -r /home/foo/.gnupg

# rm -r /etc/pacman.d/gnupg
# rm -r /root/.gnupg

...after which

# pacman-key --init

light cure

A typical usual cure...

# pacman -Sy archlinux-keyring -

...after which try the stronger

# pacman-key --refresh-keys

catch-22 circular fail

Notice 100% gpg reliance.

# pacman-key --populate
gpg: problem with fast path key listing: No such file or directory - ignored
==> ERROR: There is no secret key available to sign with.
==> Use 'pacman-key --init' to generate a default secret key.
# pacman-key --init
gpg: problem with fast path key listing: No such file or directory - ignored
==> Generating pacman master key. This may take some time.
gpg: Generating pacman keyring master key...
gpg: agent_genkey failed: No such file or directory
gpg: key generation failed: No such file or directory
gpg: Done
==> Updating trust database...
gpg: no need for a trustdb check

directly into gpg: gpgconf

# gpgconf --list-components
gpg:OpenPGP:/usr/bin/gpg
gpgsm:S/MIME:/usr/bin/gpgsm
keyboxd:Public Keys:/usr/lib/gnupg/keyboxd
gpg-agent:Private Keys:/usr/bin/gpg-agent
scdaemon:Smartcards:/usr/lib/gnupg/scdaemon
tpm2daemon:TPM:/usr/lib/gnupg/tpm2daemon
dirmngr:Network:/usr/bin/dirmngr
pinentry:Passphrase Entry:/usr/bin/pinentry

# gpgconf --kill gpg-agent

[solved] update a dormant system - arch

When a system lies around, the Arch update will of course be large. Let's say a system isn't updated for 3 years. Pacman might indicate that, say 1.5G of updates are required. Usually it can be done, but the keyserver may be a bottleneck and failure point. This is a new development. There's probably a way to update Linux without checking package integrity, but I feel that's going to ultimately be a problem. I first try everything with keys. I covered most of this in an earlier post, but the post here focuses particularly on dormant systems.

first fail

Supposing the update fails based on keys, the nice first thing do is get rid of excess packages

# pacman -Sc
Packages to keep:
All locally installed packages

Cache directory: /var/cache/pacman/pkg/
:: Do you want to remove all other packages from cache? [Y/n] y
removing old packages from cache...

Database directory: /var/lib/pacman/
:: Do you want to remove unused repositories? [Y/n] y
removing unused sync repositories...
# du -sh /var/cache/pacman
1.5G /var/cache/pacman

That last command is just to see how large the current install is without the updates. Now go after the keys.

All the apps have PGP keys; sometimes pacman won't update due to key conflicts or expiry. Usual cure...

# pacman -Sy archlinux-keyring -

...after which try the more nuclear option

# pacman-key --refresh-keys

non-standard application managers -- wine, python, git, latex (pacman conflicts)

In most Linux distributions, there's a package manager ("PM") application we use to update our OS and any installed applications. The Arch PM is pacman, and full updates require an internet connection for its use. It's a relatively simple process:

# pacman -Syu

The problems begin with applications that have built-in package managers specific to that application. There's only a few, but they are often called upon and u. For example:

1. LaTeX package manager =tlmgr (TeXLive)
2. Git package manager = complicated unless at user level. If at user level, install git with pacman and run it as a user, it will just make a directory of source. Otherwise, git apparently downloads "clones" (versions) into /opt, but then generally you want to chmod the clone to foo:foo and move it to a ~/ directory for building, then pacman to install it.
3. Python package manager = pip
4. Wine package manager = complicated. Each dll installing in Wine attempts to update itself and will prompt for it. None should be authorized. Also, building a version of Wine that is custom configured for the MSoft app is critical, but the underlying Arch version of wine tends to wipe them out any time it is called.

Using any of these application-specific updaters within Arch leads to failures during the next "pacman". Don't use them at all except when knowing the workarounds (see below). Essentially, there are zero problems for users who install and update the Arch Linux OS and applications using only pacman. Again, the most reliable complete update command:

# pacman -Syu

...or for application removal...

# pacman -Rs

There's also one workaround in Arch that doesn't f*ck up the index: if I download source into some directory and run...

$ makepkg -si [somepkg]

... it will make the package, and then prompt me for the password for install ("-i" flag) at the end and perform a pacman -U [package] at the end of the make. This # pacman -U properly updates the pacman index. As far as I know, # pacman -U is the only way to install outside packages without farking an install. This also means we can reliably use # pacman -Rs to uninstall packages put in through this method.

1. LaTeX - tlmgr 5Gb

2022 edit: I now use pacman, until work on thesis or something, then can do a -Rsn uninstall and do it here.

Don't install any version of LaTex with pacman. It doesn't have enough templates.

Install Tex-Live (LaTeX) directly into a user subdirectory (eg. "/home/foo/latex") and update it through the TexLive PM (tlmgr), but only at the user level, so that no admin level changes, or files used by pacman are affected.

$ cd /home/foo/latex/bin/x86_64-linux
$ tlmgr update --self
$ tlmgr update --all

UNLESS, it's the next year and haven't updated. This is called a "cross-release" update. I had to download that year's update-tlmgr.sh and run it. Described further down in post and here.

2. Git - pacman + manually configure

This took me the longest to learn, as this site agrees. Configuring for upstreaming -- if using as VCS -- is time consuming, but it's different if downloading some source. Update the git app with pacman, update the sources using git commands. Here's the Arch page.

1. install the foundational Git application using # pacman -S git.

3.Python - pip 2Gb

Nearly every program uses Python, so we want to be sure not to break our Python installation.

The solution required three independent solutions, all three of which I install. I select one of the solutions depending on what the application requires/expects.This solution takes up several gigabytes.

• initialize a Colab account in Google. See my post here, because there's a few steps to it. Colab handles Jupyter-type operations online. I do this development online (and save files .PY to Drive). I used to do Jupyter environment on the desktop, and this was the heaviest pip user, disrupting pacman almost entirely. IMO, Colab is practically a godsend from Google.
• when an application requires it, a pacman install of Python. Other applications installed using pacman, may also call for additional Python modules which they add to the basic Python, and/or they may also require an older version of Python to be installed.
• using pacman install a virtual environment for the

For Python, we can use pip, and for LaTex we can use tlmgr, to upgrade or add features to each app. The overall OS also has a package manager. For Arch, this is pacman. We can use pacman to upgrade or add packages to the Arch OS, including adding Arch versions of Python and LaTeX. The problem is, any actions accomplished with pip or tlmgr are not recorded in the pacman application index. Discrepancies between pacman's index and pip and tlmgr operations lead to significant application and OS problems. Prevention requires decisions during installation.
Contents

• problems
• solutions
• prevention

problems

The Python case is more complicated to *solve* than the LaTeX situation, because a variety of applications depend on Python, unlike LaTeX. However, both situations equally *cause* pacman update fails for the same, indexing, reason, so that both the Python and the LaTeX cases must be solved.

Python

Many applications rely upon Python. More technically, Python is a dependency for for many applications.

Imagine some application with a Python dependency, say youtube-dl. Imagine that both Python and youtube-dl were installed by pacman. They both work fine. Now suppose the user decides to add a Python module using pip instead of pacman. Everything might be fine with some applications that depend on Python, but youtube-dl is an example of an application sensitive to Python changes. The youtube-dl app looks for versions of Python installed by Arch, but will instead detect versions updated by pip. This discrepancy in turn leads youtube-dl to spawn errors, and errors in turn lead to the application exiting. How can this be solved?

$ youtube-dl https://www.youtube.com/watch?v=QLpz7PtiP2k
Traceback (most recent call last):
File "/usr/bin/youtube-dl", line 6, in
from pkg_resources import load_entry_point
File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 3259, in
def _initialize_master_working_set():
File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 3242, in _call_aside
f(*args, **kwargs)
File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 3271, in _initialize_master_working_set
working_set = WorkingSet._build_master()
File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 584, in _build_master
ws.require(__requires__)
File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 901, in require
needed = self.resolve(parse_requirements(requirements))

More drastically, this can happen with an entire OS. Say the user keeps his OS up to date with pacman, and decides to install Python using pacman. Later, he upgrades Python using Python's pip manager. Still later, the user attempts to update the entire OS, which is a pacman action. As part of its upgrade procedure, pacman verifies the integrity of all installed applications against its index. Since the changes made to Python via pip were not registered into pacman's version index, pacman cannot resolve the pip installed modules against the pacman index. These discrepancies cause the pacman update to exit with errors. No update will be accomplished. How can this be solved?

LaTeX

If having any problems with LaTeX updates, even the tug.org website recommends just replacing with latest edition. However, there is one workaround if things aren't more than a year or two old.

$ tlmgr update --self
tlmgr: Local TeX Live (2020) is older than remote repository (2021).
Cross release updates are only supported with
update-tlmgr-latest(.sh/.exe) -- --upgrade
See https://tug.org/texlive/upgrade.html for details.

For the problem above, download update-tlmgr-latest.sh, make it executable (chmod +x or file manager), and put it in /home/foo/latex or wherever your latex user-level top directory is at. Go into that directory and:

$ sh update-tlmgr-latest.sh -- --upgrade
$ tlmgr update --self
$ tlmgr update --all

.

Wine

Wine also can pull-in specific packages, when we try to make wine bottles. However, any time there's an OS update, pacman will write a new wine directory in ~/.wine. After it's overwritten, it will use that vanilla version instead of the wine bottle we built for the app. How can this be solved?

solutions

In the case of an app like youtube-dl, it's easy to uninstall the entire app (# pacman -Rns) and reinstall. Or to play with uninstalling its pieces until one has a hit

The levels of involvement vary, but the strategy is the same for both Python and for LaTeX: install these independently of Arch from the start, in /home/user directory, and then update any path statements necessary for the Arch installed apps to find the program. Once these are in at the user level, there's no problem updating them with pip and tlmgr, because the updates are strictly within one's home directory, not the larger Arch installation. Accordingly, one can add features at will, which is often desirable when running the latest Spyder or what have you. For LaTeX, it's even less of a hassle, because there are no dependencies: one just needs to update $PATH statements following install. One can create an install in either case using, eg. $ mkdir /home/foo/latex and similarly with Python, though perhaps using a new folder for any version changes.

In the case of the OS update failure, one has no pleasant choices :uninstall then reinstall all of Python (immense time drain), or update the OS using an override (# pacman -SyuI), which then leaves a potentially unstable Python install for its dependencies. This is true with LaTeX also, but nearly zero apps depend on LaTeX.

install notes

I've decided to use the 3rd party updaters to both install (Python - pip, LaTeX - tlmgr for TexLive), There are a couple of considerations.

• Install in user-level directory
• update path statements afterward, so the installation can find them. Path statements can be complex, because there are various Path statements to consider.

prevention

Sometimes one doesn't have a choice but to install packages via pip, but then what happens downstream with a pacman upgrade is ugly. It will look like this, and there's a couple of workarounds.

• uninstall the pip upgrades, upgrade the system via pacman, then go back to pip and install whatever necessary pip packages.
• add the --overwrite=* flag to the standard "Syu". This causes pacman to simply overwrite any python files that seem inaccurate. This places pacman in the boss position over pip, but it also farks-up the pip version of the installation which, downstream, is a b*tch.

Another pacman recovery

Pacman carries several types of problems. Some take so much time to solve that it's easier to do a fresh Arch install, if one has recently backed-up all their data. This one is a coin toss for a fresh install, and it's one of the more insidious pacman fails. It happens when one does a pacman -Syu, leaves for some other task, then returns to find the system off and unable to completely boot, noting it's unable to find the HDD or possibly

ERROR: specified kernel image does not exist: `/boot/vmlinuz-linux`

The boot process dumps out into a maintenance prompt, and power may even cycle off. Not that it matters to what comes next, but the likely explanation is the internet connection was interrupted during the pacman update, possibly in addition to a power interruption.

1 hour with install disk, 2-3 hours if create disk

In short:

1. boot with recovery disk
2. delete /var/lib/pacman/db.lck
3. fsuck the drive
4. rerun pacman -Syu, mkinitcpio, and grub

As always, the devil is in numerous details neglected in most web posts and so forth about this problem: one large challenge is likely moving one's system to a wired connection, since the Arch install ISO has rudimentary wifi tools that will add significant time, or entirely thwart, the pacman update while chrooted. Move your system to an ethernet connection. Additionally,

• mkinitcpio -p linux will likely be unable to locate vmlinuz unless one reinstalls the "linux" package, eg pacman -S linux.
• one's printer will likely have to be reinstalled due to a "corrupted filter" b/c it won't match the new modules.

burn the CD

$ cdrecord -scanbus
$ cdrecord -v -dao -eject dev=1,0,0 file.iso

boot it and turn on the swap

# lsblock -l
# swapon /dev/sdb [or whichever]
# free -m

chroot

Typically we chroot and do a base install from the disk. But this is not an install. We want to complete a pacman -Syu inside our already existing installation. The mounting is similar, and is the key for proper paths. The key is not to mkdir /mnt, but simply to mount to it as if it already exists. Most people mount to "mnt", however, one could use a different directory name.

# mount -rw -t ext4 /dev/sda1 /mnt

now the entire drive is mounted in a virtual folder called "/mnt". It doesn't exist, but we can chroot into it and see the drive.

# arch-chroot /mnt

clear pacman cache

Users can always run pacman -Sc, but if a person is willing to install the pacman-contrib package (100Kb), there's a script called paccache that will clear all but the most recent 3 updates (in case a person needs to downgrade some package).

$ du -sh /var/cache/pacman/pkg/
14G /var/cache/pacman/pkg/
# paccache -r
==> finished: 870 packages removed (disk space saved: 8.92 GiB)
$ du -sh /var/cache/pacman/pkg/
4.5G /var/cache/pacman/pkg/

pacman failure "404", duid (dhcpcd)

There's a mix of ipv4, 6, and duid stuff in here. On a home network -- our home LAN -- why would we ever need NSA level DUID (DHCP Unique IDentifier) fingerprinting of our system? If it's configured, but there's some conflict, our dhcpcd will time out, or make a connection but fail to browse (no DNS), and so on. This is just another level of possible failure on a home system; why would we ever want duid in a million years? DUID settings are further down, but they seem to be set no matter what a person does to remove.

pacman

One time, I began receiving 404 failures during # pacman -Syu. I quickly dug deeper using # pacman -Syu --debug 2>&1 |tee debugfile.txt and found that either curl itself (used by pacman to retrieve packages), or the way in which pacman was using curl, was the source. This is not always a bed of roses to determine and repair since they are often random glitches in what's become a decades-long, intermittent, annoying ipv6/ipv4 transition mess. This can involve tens of kernel and application settings and confusing conf files that often interact badly. For example, no longer can one edit /etc/resolv.conf directly, since it will be overwritten by resolvconf during dhcpcd initialization. One must now edit /etc/resolvconf.conf to indirectly get at /etc/resolv.conf, and resolvconf.conf has its own syntax, different from resolv.conf, so that both file syntaxes must be verified following any change. And so on.

which ipv is working?

The most obvious start is to verify both ipv4 and ipv6 curl function. Then, one can disable or activate the failed half or, possibly... force pacman to use the ip version that *is* working, (although I'm not sure if ipv type can be specified during a pacman operation).

First, the curl ipv functionality. Take a URL from one's mirror list and ping it to see that DNS is working. Then...

# curl aprs.ele.etsmtl.ca
Bienvenue | Welcome [curl works]
# curl --ipv4 aprs.ele.etsmtl.ca
Bienvenue | Welcome
[curl, and therefor pacman, is working ipv4]
# curl --ipv6 aprs.ele.etsmtl.ca
curl: (6) Could not resolve host: aprs.ele.etsmtl.ca
[curl, and therefore pacman, is failing ipv6]

In this case, it appears pacman is requesting both an ipv6 (AAAA) and ipv4 (A) handshake via curl, but, at various points in its development, pacman could only accomplish ipv4. Strace shows futher that IPV6 is not even able to open a socket.

Another way to check the kernel network stuff is to do a # sysctl -A, which will reveal all the kernel settings, but then grep it for, "net", "ipv4", or "ipv6" settings.

Users could also run # ip addr list and look to see there's an ipv6, and ipv4, or both.

~/.curlrc

As part of the curl man page, we can see some settings for the configuration file.

In the case above, I was getting proper ipv6 configuration, but still getting a curl fail on ipv6. It turns out that I was only able to find a single post on this, here. The post indicates that it's really a glibc issue, that could only be resolved by slowing down DNS resolution via manipulations inside /etc/resolvconf.conf to manipulate /etc/resolv.conf. We want /etc/resolv.conf to say "options single-request"
and so, to achieve this, we write...

# nano /etc/resolvconf.conf
# Solve ipv4/v6 fails
resolv_conf_options="single-request"

For a list of all resolvconf.conf options, see this man page.
Disabling IPV6 in Arch is no bed of roses -- one has either to put a boot line into their GRUB, or to create an effective /etc/sysctl.d/40-ipv6.conf (see bottom). Further, we may instead need to enable ipv6 more thoroughly across all applications, not further cripple it. It's a typical ipv4/ipv6 trial and error mess due to opaque reliance upon multiple programs (eg. curl)

old fix

This one used to work, but nowadays with built-in ipv6, doesn't always work. Add a couple lines in your blacklist file, eg...

# nano /etc/modprobe.d/blacklist
# stop pacman failure when encounter ipv6 sites
blacklist nf_conntrack_ipv6
blacklist nf_defrag_ipv6

grub

Use nano or whatever to add

/etc/sysctl.d/40-ipv6.conf

Here's one example, not guaranteed to work.

# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.wlan0.disable_ipv6 = 1

duid

I've removed all duid references but I still get some duid when I connect with dhcpcd. Be sure too to delete all old "leases" in /var/lib/dhcpcd. Note also that they put a duplicate version of dhcpcd.conf inside /var/lib/dhdpcd/etc/, and that this is the one used by the system. You could probably even delete /etc/dhcpcd.So "duid" needs to be commented out at that location.

# rm /etc/dhcpcd.duid
# rm /etc/dhdpcd.secret
# rm /var/lib/dhdpcd/duid
# nano /etc/dhdpcd.conf [comment duid and clientid lines]

So then, here's a truncated version of etc/dhcpcd.conf. But even with al duid disabled, the router is apparently coaxed into collecting one.

# nano /etc/dhcpcd.conf
# A sample configuration for dhcpcd.
# See dhcpcd.conf(5) for details.

# Inform the DHCP server of our hostname for DDNS.
hostname

# duid

# Persist interface configuration when dhcpcd exits.
persistent

option rapid_commit

# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search
option classless_static_routes

# Get the hostname
option host_name

# Most distributions have NTP support.
option ntp_servers

# Respect the network MTU. This is applied to DHCP routes.
option interface_mtu

# A ServerID is required by RFC2131.
require dhcp_server_identifier

# Prevent timeouts for ipv6 failures
noipv6
noipv6rs


[solved] pacman issues, keys

Recently attempted a pacman -Syu and had some of the typical failures of breaking dependencies and so forth, repaired by identifying orphan applications...

# pacman -Qdt

and then removing them...

# pacman -Rs [the package]

However, the system failed a subsequent update attempt, reporting a lack of disk space. Let's check why.

$ df
Filesystem 1K-blocks Used Available Use% Mounted on
dev 1884252 0 1884252 0% /dev
run 1891812 760 1891052 1% /run
/dev/sda1 27867324 25491112 960636 97% /
tmpfs 1891812 5880 1885932 1% /dev/shm
tmpfs 1891812 0 1891812 0% /sys/fs/cgroup
tmpfs 1891812 8 1891804 1% /tmp
/dev/sda2 681201384 114146820 532451556 18% /home

So, shit, yah. Not good, 25GB of 27GB used? Let's try the usual suspect /var/pacman/cache.

# du -sh /var/cache/pacman
18G /var/cache/pacman
# pacman -Sc
Packages to keep:
All locally installed packages

Cache directory: /var/cache/pacman/pkg/
:: Do you want to remove all other packages from cache? [Y/n] y
removing old packages from cache...

Database directory: /var/lib/pacman/
:: Do you want to remove unused repositories? [Y/n] y
removing unused sync repositories...
# du -sh /var/cache/pacman
1.5G /var/cache/pacman

Pretty nice to get rid of 16GB of unused shit

install some local package

If you're in this mess, you might also have to CLI mount a USB drive. I first checked which partitions I had on the USB drive. I plugged in the USB and noted it was assigned "/dev/sdg, so I then...

# lsblk /dev/sdg

... and see there's only one partition "sdg1", so...

# mount -t vfat -o rw,users /dev/sdg1 /home

... then when done with copying the files, I umount the device.
Now you have a local package and want to install it using pacman

# pacman -U [package.tgz]

signatures

We'd like pacman to verify signatures, but occasionally, there are error messages if it's been a long time since the update. Often times, I've found that simply reinstalling the keyring works.

# pacman -S archlinux-keyring

/etc/pacman.d/mirrorlist

Occasionally, mirrors go offline so that, if it's been a while since an update, pacman occasionally can't locate the previously enabled mirror. Go into this file and uncomment some other mirror or get the latest available list at the pacman mirrorlist generator.

# pacman -Syy
# pacman -Syu

ffmpeg dependencies

Another potential long period update fail, is a pacman exit due to any of several ffmpeg dependencies. This may look like...

error: failed to prepare transaction (could not satisfy dependencies)
:: ffmpeg2.8: installing libvpx (1.7.0-1) breaks dependency 'libvpx.so=4-64'
:: ffmpeg2.8: removing libx264 breaks dependency 'libx264.so=148-64'
:: ffmpeg2.8: installing x265 (2.8-1) breaks dependency 'libx265.so=146-64'

Fix...

# pacman -Rs vlc

Sometimes, this leads to a second dependency issue with phonon. If so, uninstall phonon, then vlc. Next try to update normally with the -Syu flags. This usually works, so then just re-install vlc after the update.

pacman key failures

Sometimes a pacman update fails due to key errors. All the apps have PGP keys now and sometimes pacman won't update due to some error in that database or so forth. Usual cure

# pacman -Sy archlinux-keyring -

...after which try the more nuclear option

# pacman-key --refresh-keys

There is also a problem that occurs when the fucking keyserver (right, you have to worry about keyservers now) will not have that key, causing an error. This is typically in yay operations.

$ yay -Syu
==> PGP keys need importing:
-> E0C4CDDB8A6B4FDA4F8468E024ADFAAF698F1516, required by: pgadmin3
==> Import? [Y/n] y
:: Importing keys with gpg......
gpg: keyserver receive failed: General error
==> Error: Problem importing keys

And it's at this point that a person has to install it manually. The Arch Linux key list

yay issues

Sometimes after an update, you want to use yay....

$ yay -Syu
yay: error while loading shared libraries: libalpm.so.12: cannot open shared object file: No such file or directory

This page explains all the steps but, in short...

# pacman -Rs yay
$ git clone https://aur.archlinux.org/yay.git
$ cd yay
$ makepkg -si

The "i" flag prompts an install when complete (uses pacman -U), so just enter your password when requested. Yay should work thereafter. You can check the version with the "--version" flag. To get rid of the build directory without a MILLION confirmations...

$ rm -rI