Hi,
when I update with yay:
yay -Syu
I often see this warning:
==> WARNING: Skipping verification of source file PGP signatures.
Can I just ignore it, or is it smarter to, and can I somehow, turn on PGP verification?
cscs
2 January 2024 23:12
2
Just a yay thing.
It kept failing on sigs … so they changed the way it works.
Quoting:
this was an intentional change due to an issue where yay would fail to verify gpg signatures if the keys need to be imported prior to source download verification (it downloads the PKGBUILD/aur files in parallel with the source files needed for the build). So the change was to disable gpg verification for the source download step and only enable it when actually building the package.
So … you can ignore it … or use something else like paru
Further reading:
opened 05:24PM - 17 May 23 UTC
closed 07:54AM - 10 Jul 23 UTC
Type: Bug
Status: Confirmed
### Affected Version
yay v12.0.4 - libalpm v13.0.2
### Describe the bug
…
When installing an AUR package that needs importing of a new PGP key, yay/pacman fails the signature checking at first (because of a missing key), but then continues on with the installation (regardless of an integrity error) and only then imports the relevant PGP key, successfully builds the package and installs it.
### Reproduction Steps
1. Run `yay -Syu ffmpeg-headless` (for example)
2. yay downloads the PKGBUILD, processes it and starts making package
3. It fails in the source verification step - see _Output_ below
### Expected behavior
PGP key importing is done before any integrity checks.
### Output
```sh
$ yay -Syu ffmpeg-headless
...
==> Verifying source file signatures with gpg...
ffmpeg git repo ... FAILED (unknown public key B18E8928B3948D64)
==> ERROR: One or more PGP signatures could not be verified!
-> error downloading sources: .../yay/build/ffmpeg-headless
context: error downloading sources: .../yay/build/ffmpeg-headless
context: exit status 1
:: Remove make dependencies after install? [y/N]
:: (1/1) Parsing SRCINFO: ffmpeg-headless
gpg: error reading key: No public key
:: PGP keys need importing:
-> DD1EC9E8DE085C629B3E1846B18E8928B3948D64, required by: ffmpeg-headless
:: Import? [Y/n]
:: Importing keys with gpg...
gpg: key B18E8928B3948D64: public key "Michael Niedermayer (key used for git commits) <michael@niedermayer.cc>" imported
gpg: Total number processed: 1
gpg: imported: 1
:: Synchronizing package databases...
core is up to date
extra is up to date
community is up to date
resolving dependencies...
looking for conflicting packages...
(installation succeeds afterwards)
```
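The issue quoted above expects the required keys to be known before any integrity check runs. As an added example (not from the thread and not yay's own code), this script compares the `validpgpkeys` entries in a package's `.SRCINFO` with the fingerprints in a `gpg --list-keys --with-colons` listing and prints the ones still missing; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report PGP keys a package requires that the keyring lacks.

# Print every validpgpkeys fingerprint in .SRCINFO text on stdin (uppercased).
srcinfo_keys() {
    awk -F' = ' '{ k = $1; gsub(/[ \t]/, "", k); if (k == "validpgpkeys") print toupper($2) }'
}

# Print fingerprints from a gpg colon listing on stdin.
# "fpr" records carry the fingerprint in field 10.
keyring_fprs() {
    awk -F: '$1 == "fpr" { print toupper($10) }'
}

# missing_keys SRCINFO_FILE KEYRING_LISTING_FILE
# Print each required fingerprint that is absent from the listing.
missing_keys() {
    required=$(srcinfo_keys < "$1")
    present=$(keyring_fprs < "$2")
    for fpr in $required; do
        printf '%s\n' "$present" | grep -qxF "$fpr" || printf '%s\n' "$fpr"
    done
}

# Constructed sample input: the first key is the one named in the issue
# output above, the second key and the keyring listing are made up.
write_sample() {
    cat > "$1/SRCINFO" <<'EOF'
pkgbase = example-pkg
	pkgver = 1.0
	validpgpkeys = DD1EC9E8DE085C629B3E1846B18E8928B3948D64
	validpgpkeys = 0123456789abcdef0123456789abcdef01234567
EOF
    cat > "$1/keyring.txt" <<'EOF'
pub:-:4096:1:89ABCDEF01234567:1400000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
missing_keys "$tmp/SRCINFO" "$tmp/keyring.txt"   # prints DD1EC9E8DE085C629B3E1846B18E8928B3948D64
rm -rf "$tmp"

# Real use, from the package's build directory:
#   gpg --list-keys --with-colons --fingerprint > /tmp/keyring.txt
#   missing_keys .SRCINFO /tmp/keyring.txt
```

Any fingerprint it prints would trigger the "unknown public key" failure shown in the issue output until that key is imported.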