I simply don’t get why people try to fix something which is not broken. The thing is:
- A maintainer decided to leave the team and also decided to revoke his key on the keyservers
- That same key is still part of our keyring without any ending of validation as we still have some packages from that person
- So not updating the keys from keyservers makes your system still work
What we did so far from our end:
All the signatures from that Maintainer got replaced by a generic one from our build-server. This means the GPG key of that maintainer normally is not needed anymore to install those packages. It is only needed if you have his already downloaded signatures in your pacman-cache. We also updated all the package databases to reflect to the new signatures.
As you can see that we are still able to create daily ISOs the only issue is having those “broken” keys still in our keyring. As soon as all packages got rebuild by a different maintainer or buildserver we can safely also remove the not needed gpg key from our keyring.