The way local CA certificates are handled has changed. If you have added any
locally trusted certificates:
1. Move /usr/local/share/ca-certificates/*.crt to /etc/ca-certificates/trust-
2. Do the same with all manually-added /etc/ssl/certs/*.pem files and rename
them to *.crt
3. Instead of `update-ca-certificates`, run `trust extract-compat`
Also see `man 8 update-ca-trust` and `trust --help`.
The upgrade to gnupg-2.1 ported the pacman keyring to a new upstream format but
in the process rendered the local master key unable to sign other keys. This is
only an issue if you ever intend to customize your pacman keyring. We
nevertheless recommend all users fix this by generating a fresh keyring.
In addition, we recommend installing haveged, a daemon that generates system
entropy; this speeds up critical operations in cryptographic programs such as
gnupg (including the generation of new keyrings).
To do all the above, run as root:
pacman -Syu haveged
systemctl start haveged
systemctl enable haveged
rm -fr /etc/pacman.d/gnupg
pacman-key --populate archlinux