`archlinux-keyring` should be updated before attempting package retrieval/installation

[jamincollins]

Installation fails if a package has a signature unknown to the current system keyring. This can sometimes happen if the archlinux-keyring is updated between the ISO mastering and the attempted run of archinstall. Suggest ensuring that at minimum archlinux-keyring is updated at the beginning of the archinstall run.

[Torxed]

We added it, but it was considered a wonky workaround and poor assumption installing it every time. I agree that it would be a bandaid and help, but even better would be if Arch Linux as a whole could retain key stability for at least a month between ISO's.

[jamincollins]

even better would be if Arch Linux as a whole could retain key stability for at least a month between ISO's.

Unlikely to happen, given that it is a rolling release. I've been bitten by it enough that I have the keyring update as a standard first step for all my updates and installs.

[Torxed]

Rolling release and keys expiring, forcing devs to re-generate is a different thing though. One is packages rolling out as new versions come along, the other is devs (including me) forgetting to update they key in time breaking trust suddenly.

[strboul]

Can be closed as it's fixed in https://github.com/archlinux/archinstall/pull/917

[Torxed]

This should now be properly fixed in #1858. Upstream has implemented archlinux-keyring-wkd-sync.service (and a .timer that initiates it), we now wait for the two to kick in and finish before continuing with the installation.