Insufficient entropy: pacman-key --init

As mentioned on https://wiki.archlinux.org/index.php/Pacman-key, the pacman package manager uses GnuPG keys to determine whether the open source packages that you install via pacman are authentic. The wiki page explains the specifics, including the signature checking level option (SigLevel) in our /etc/pacman.conf file.

After upgrading your pacman to 4.0.3:


$ pacman --version

 .--.                  Pacman v4.0.3 - libalpm v7.0.3
/ _.-' .-.  .-.  .-.   Copyright (C) 2006-2012 Pacman Development Team
\  '-. '-'  '-'  '-'   Copyright (C) 2002-2006 Judd Vinet
 '--'
                       This program may be freely redistributed under
                       the terms of the GNU General Public License.

you might run into GnuPG key authentication issues like this:


$ pacman -S vim
resolving dependencies...
looking for inter-conflicts...

Targets (2): vim-runtime-7.3.600-1 vim-7.3.600-1

Total Download Size: 5.11 MiB
Total Installed Size: 27.90 MiB
Net Upgrade Size: 0.31 MiB

Proceed with installation? [Y/n] Y
:: Retrieving packages from extra...
 vim-runtime-7.3.600-1-x86_64 4.3 MiB 2.21M/s 00:02 [#########################################################################] 100%
 vim-7.3.600-1-x86_64 864.1 KiB 3.01M/s 00:00 [#########################################################################] 100%
(2/2) checking package integrity [#########################################################################] 100%
error: vim-runtime: key "7FB1A3800C84C0A5" is unknown
:: Import PGP key 0C84C0A5, "Thomas Dziedzic ", created 2011-10-31? [Y/n] Y
(2/2) checking package integrity [#########################################################################] 100%
error: vim-runtime: signature from "Thomas Dziedzic " is unknown trust
error: vim: signature from "Thomas Dziedzic " is unknown trust
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

This means we must get our machine’s (local) pacman keys properly initialized before we attempt to install anything else. In fact, this was mentioned when we upgraded our pacman to 4.0.3:


(12/13) installing archlinux-keyring [#########################################################################] 100%
(13/13) upgrading pacman [#########################################################################] 100%
 >>> Run `pacman-key --init; pacman-key --populate archlinux`
 >>> to import the data required by pacman for package verification.
 >>> See: https://www.archlinux.org/news/having-pacman-verify-packages

Oops. Should have followed the label.

However, running pacman-key --init resulted in a “hung” process:

$ pacman-key --init
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: Generating pacman keychain master key...

https://wiki.archlinux.org/index.php/Pacman-key#Initializing_the_keyring mentions the solution: using haveged to generate the entropy (system randomness) required by the key generation process.

But we can’t really install haveged (pacman -S haveged) at the moment because we don’t yet have a master key. :-D

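To solve that, we should temporarily change our SigLevel in pacman.conf for the community repository to ‘Never’. While this setting is in place, pacman installs packages from community without checking their signatures, so keep the window short and install only haveged during it.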


[community]
SigLevel = Never
Include = /etc/pacman.d/mirrorlist

Now, we can install haveged and then generate our master key. As explained in the Arch Linux wiki:

pacman -S haveged
haveged -w 1024
pacman-key --init
pacman-key --populate archlinux
pkill haveged
pacman -Rs haveged

And we can now switch the community SigLevel in pacman.conf back to `SigLevel = PackageRequired`.
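
To confirm that the temporary `SigLevel = Never` did not stay behind, here is an added example (not from the Arch wiki or from this post's original steps) that lists every repository section of a pacman.conf whose effective package SigLevel is Never. The names audit_siglevel and sample_conf and the sample config are constructed for illustration; the script assumes SigLevel tokens are applied left to right and that a repository without its own SigLevel inherits the one in [options], and it does not follow Include files.

```sh
#!/bin/sh
# Added example: report repositories whose package signature check is off.

# audit_siglevel [FILE]  (reads stdin when FILE is omitted)
# Prints "repo: SigLevel = ..." for each offending repository.
# Exit status: 1 if any repository is unverified, 0 otherwise.
audit_siglevel() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*\[.*\]/ {                        # section header, e.g. [community]
            gsub(/^[ \t]*\[|\][ \t]*$/, "")
            section = $0
            if (section != "options") repos[++n] = section
            next
        }
        /^[ \t]*SigLevel[ \t]*=/ {               # remember the raw value per section
            sub(/^[^=]*=[ \t]*/, "")
            level[section] = $0
        }
        END {
            for (i = 1; i <= n; i++) {
                r = repos[i]
                # Assumption: a repo without SigLevel inherits [options].
                eff = (r in level) ? level[r] : level["options"]
                m = split(eff, tok, /[ \t]+/)
                pkg = "default"
                # Assumption: tokens apply left to right, last one wins.
                for (j = 1; j <= m; j++) {
                    if (tok[j] == "Never" || tok[j] == "PackageNever") pkg = "off"
                    else if (tok[j] ~ /^(Package)?(Optional|Required)$/) pkg = "on"
                }
                if (pkg == "off") { print r ": SigLevel = " eff; found = 1 }
            }
            exit found + 0
        }
    ' "${1:--}"
}

# Constructed sample: the state of pacman.conf during the workaround above.
sample_conf() {
    printf '%s\n' \
        '[options]' 'SigLevel = PackageRequired' '' \
        '[core]' 'Include = /etc/pacman.d/mirrorlist' '' \
        '[extra]' 'Include = /etc/pacman.d/mirrorlist' '' \
        '[community]' 'SigLevel = Never' 'Include = /etc/pacman.d/mirrorlist'
}

# Demo on the constructed sample; on a real system: audit_siglevel /etc/pacman.conf
sample_conf | audit_siglevel || echo "signature checking is disabled for the repositories listed above"
```

Running it against /etc/pacman.conf after the last step should print nothing and exit with status 0.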