Ever since June 2020, I have been unable to update my packages with pacman -Syu. When I try, I get the following error:

(It gets up to "Checking package integrity", then shows errors like this for every single package)

error: gcc-libs: signature from "David Macek <[email protected]>" is unknown trust
:: File /var/cache/pacman/pkg/gcc-libs-10.2.0-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]

Now, helpfully, MSYS2 does have a post explaining why this occurred and how to fix it: https://www.msys2.org/news/#2020-06-29-new-packagers

However, despite following all of those steps, nothing changed and I get the same errors.

For clarity, I did the following:

curl -O http://repo.msys2.org/msys/x86_64/msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz
curl -O http://repo.msys2.org/msys/x86_64/msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz.sig
pacman-key --verify msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz.sig
pacman -U msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz

Those "worked" (no errors) but didn't fix anything, so I tried:

rm -r /etc/pacman.d/gnupg/
pacman-key --init
pacman-key --populate msys2

But that didn't accomplish anything either.

What do I do?

The original key updating procedure News-MSYS2 can be made to work by adding one more command:

$ pacman-key --keyserver keyserver.ubuntu.com --refresh-keys

The packager's key as delivered in msys2-keyring-r21.b39fb11-1-any.pkg.tar.xz has expired, and needs to be refreshed.

pub   rsa4096 2018-01-14 [SC] [expired: 2021-06-19]
      87771331B3F1FF5263856A6D974C8BE49078F532
uid           [ expired] David Macek <[email protected]>

Unfortunately, the keyserver used by older version of pacman-key command is not valid anymore.

$ pacman-key --refresh-keys
gpg: error retrieving '[email protected]' via WKD: No data
gpg: error reading key: No data
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: No name
==> ERROR: Could not update key: F40D263ECA25678A

Keyserver value in newer pacman-key was changed to keyserver.ubuntu.com by this msys2/MSYS2-keyring commit. Hence, the explicit --keyserver option for the pacman-key command at the beginning of this answer.

This worked for me. From "Nulano":

pacman -S msys2-keyring

Then use pacman -Syu as normal.

Tried the solutions at Msys 2020-06-29 - new packagers. Didn't work for me.

After trying a few other things (like disabling sourceforge mirrors) I found none worked.

Instead, I downloaded the latest tar of the project (since I cannot run the .exe) which is located at:

http://repo.msys2.org/distrib/msys2-x86_64-latest.tar.xz

Once downloaded, I went into C:/msys64/ and made a copy of the /home folder, then deleted all of the contents.

I then copied in the latest from the tar into there, and finally copied the /home folder back.

Now, MSYS2 finally works properly again. Though it does mean installing all packages over again.

I solved it on my gitlab stage by following instructions at https://www.msys2.org/docs/ci/ for Other Systems, adapted as follows:

# install wget
- Invoke-WebRequest -Uri "https://eternallybored.org/misc/wget/current/wget.exe" -OutFile "wget.exe"
# download and install MSYS2
- .\wget.exe -O msys2-installer.sfx.exe --no-check-certificate "https://repo.msys2.org/distrib/x86_64/msys2-base-x86_64-20230718.sfx.exe"
- .\msys2-installer.sfx.exe -y -oC:\

# Run MSYS2 for the first time and update it
- C:\msys64\usr\bin\bash -lc ' '
# Update MSYS2
- C:\msys64\usr\bin\bash -lc 'pacman --noconfirm -Syuu'  # Core update (in case any core packages are outdated)
- C:\msys64\usr\bin\bash -lc 'pacman --noconfirm -Syuu'  # Normal update