#(SOLVED) signature(s) of unknown trust when upgrading

When I try to upgrade my system using yay -Syu, all the packages download fine, but then I get signature errors from 1+ people, about either having unknown or minimal trust.

Specific errors: ```
error: mold: signature from "Frederik Schwan frederik.schwan@linux.com" is unknown trust
:: File /var/cache/pacman/pkg/mold-1.4.1-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: jre17-openjdk-headless: signature from "Frederik Schwan frederik.schwan@linux.com" is unknown trust
:: File /var/cache/pacman/pkg/jre17-openjdk-headless-17.0.4.1.u1-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: jre17-openjdk: signature from "Frederik Schwan frederik.schwan@linux.com" is unknown trust
:: File /var/cache/pacman/pkg/jre17-openjdk-17.0.4.1.u1-2-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

I've already tried:
- synchronizing the time with `sudo ntpd -qg` and `sudo hwclock -w`
- deleting `/etc/pacman.d/gnupg/*`, reinitializing the keyring with `sudo pacman-key --init`, and populating it with `sudo pacman-key --populate`, with gpg-agent killed beforehand
- updating `archlinux-keyring` with `sudo pacman -Sy`
- clearing my package cache with `sudo pacman -Sc`

Any clue on how to fix this?

Your mirror is out of sync, the latest mold version is 2.0.0-1 built on Wed Jul 26 21:29:38 2023

Can you post the output of

pacman -Qip /var/cache/pacman/pkg/mold-1.4.1-1-x86_64.pkg.tar.zst

Name            : mold
Version         : 1.4.1-1
Description     : A Modern Linker
Architecture    : x86_64
URL             : https://github.com/rui314/mold
Licenses        : AGPL3
Groups          : None
Provides        : None
Depends On      : gcc-libs  mimalloc  openssl  zlib  tbb
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Compressed Size : 1140.24 KiB
Installed Size  : 6337.72 KiB
Packager        : Frederik Schwan <freswa@archlinux.org>
Build Date      : Fri 19 Aug 2022 04:43:31 PM CDT
Install Script  : No
Validated By    : None
Signatures      : Key expired, unknown trust from "Frederik Schwan <frederik.schwan@linux.com>"

hmm, that's odd - I updated my mirrors two days ago, although using reflector

top of my mirrorlist file is

################################################################################
################# Arch Linux mirrorlist generated by Reflector #################
################################################################################

# With:       reflector --verbose --sort rate --save /etc/pacman.d/mirrorlist
# When:       2023-08-01 13:00:31 UTC
# From:       https://archlinux.org/mirrors/status/json/
# Retrieved:  2023-08-01 13:00:31 UTC
# Last Check: 2023-08-01 12:49:55 UTC

oh, I see - the first mirror I'm using is in the out of sync list

a bit odd that reflector doesn't automatically check for that, but okay

will remove those mirrors now and try again

plaintext file of urls created

I suggest you temporarily switch to https://mirror.osbeck.com/archlinux/, which is behind the Cloudflare CDN, thus should have a decent bandwidth worldwide mirror, then fix the keyring issue first.

Can you explain

I parsed the urls in the out of sync list on the arch website, and will now be removing the entries in my mirrorlist file that have those urls

would that still require removing the desynced mirrors afterwards?

affirmative

ah, I'll do this then beforehand

fairly close to finishing, and it shouldn't overall make that big a difference

although I'll have to go in a few minutes for a fair number of hours

thank you for helping, by the way

doubt I would've noticed the packages were out of date until much later

okay, cool, desynced mirrors removed

the synchronizing package databases step actually takes some time now

okay, I gtg now

will finish trying to system upgrade once I get back

I imagine it'll be fixed now

hopefully

after updating archlinux-keyring, resetting my keyring again, and manually importing a key since I use the liquorix kernel, it's upgrading without issues

unless something happens with one of the packages or at the end, it should be all good

updating 1700 packages sure does take a while though