cannot verify signature of mkinitcpio-30-2.parabola2-any (and some other packages as well)
tyawp - over 2 years ago -
pacman-key cannot verify the signature of mkinitcpio (https://www.parabola.nu/packages/libre/x86_64/mkinitcpio/) because it is signed with an expired subkey of Bill Auger.
    # pacman-key -v mkinitcpio-30-2.parabola2-any.pkg.tar.zst.sig
    ==> Checking mkinitcpio-30-2.parabola2-any.pkg.tar.zst.sig... (detached)
    gpg: Signature made Sat Nov 6 11:41:54 2021 KST
    gpg: using RSA key FBCC5AD7421197B7ABA72853908710913E8C7778
    gpg: Good signature from "bill-auger <bill-auger@peers.community>" [full]
    gpg: aka "bill-auger <mr.j.spam.me@gmail.com>" [full]
    gpg: aka "bill-auger <bill-auger@programmer.net>" [full]
    gpg: aka "[jpeg image of size 6017]" [full]
    gpg: Note: This key has expired!
    Primary key fingerprint: 3954 A7AB 837D 0EA9 CFA9 7989 25DB 7D9B 5A8D 4B40
    Subkey fingerprint: FBCC 5AD7 4211 97B7 ABA7 2853 9087 1091 3E8C 7778
    ==> ERROR: The signature identified by mkinitcpio-30-2.parabola2-any.pkg.tar.zst.sig could not be verified.
This issue is also related to the topic: https://labs.parabola.nu/boards/5/topics/1109
linux-libre-api-headers has a bad signature too.
    # pacman-key -v linux-libre-api-headers-5.8.13_gnu-2-x86_64.pkg.tar.xz.sig
    ==> Checking linux-libre-api-headers-5.8.13_gnu-2-x86_64.pkg.tar.xz.sig... (detached)
    gpg: Signature made Tue Nov 17 13:44:58 2020 KST
    gpg: using RSA key 782F9DDBE36BA7F3D4DE49065F5DFCC14177E263
    gpg: Good signature from "Denis 'GNUtoo' Carikli <GNUtoo@makefreedom.org>" [unknown]
    gpg: aka "Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>" [unknown]
    gpg: aka "Denis 'GNUtoo' Carikli <GNUtoo@no-log.org>" [unknown]
    gpg: aka "Denis 'GNUtoo' Carikli <GNUtoo@riseup.net>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: FB31 DBA3 AB8D B76A 4157 329F 7651 568F 8037 4459
    Subkey fingerprint: 782F 9DDB E36B A7F3 D4DE 4906 5F5D FCC1 4177 E263
    ==> ERROR: The signature identified by linux-libre-api-headers-5.8.13_gnu-2-x86_64.pkg.tar.xz.sig could not be verified.
mkinitcpio-30-2.parabola2-any is signed with 0x908710913E8C7778, and it expired at 2020-12-31T21:08:21Z according to http://pgp.cyberbits.eu/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0x908710913E8C7778
linux-libre-api-headers-5.8.13_gnu-2-x86_64 is signed with 0x5F5DFCC14177E263, and it expired at 2021-08-19T07:26:03Z according to http://pgp.cyberbits.eu/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0x5F5DFCC14177E263
and it isn't trusted by the GPG trustdb (probably because nobody in parabola-keyring has signed Carikli's key).
Please renew the keys on keyservers or sign packages with a key that isn't expired.
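Added example (not part of the original post): a small Python triage of the gpg text that `pacman-key -v` prints, separating the two failure causes reported above, an expired signing key and a key that is not certified by a trusted key. The function name `triage` and the reason labels are assumptions; the sample input is abridged from the two transcripts in the post.

```python
import re

# Abridged from the two pacman-key -v transcripts quoted in the post above.
EXPIRED_RUN = """\
gpg: Signature made Sat Nov 6 11:41:54 2021 KST
gpg: using RSA key FBCC5AD7421197B7ABA72853908710913E8C7778
gpg: Good signature from "bill-auger <bill-auger@peers.community>" [full]
gpg: Note: This key has expired!
Primary key fingerprint: 3954 A7AB 837D 0EA9 CFA9 7989 25DB 7D9B 5A8D 4B40
Subkey fingerprint: FBCC 5AD7 4211 97B7 ABA7 2853 9087 1091 3E8C 7778
"""
UNTRUSTED_RUN = """\
gpg: Signature made Tue Nov 17 13:44:58 2020 KST
gpg: using RSA key 782F9DDBE36BA7F3D4DE49065F5DFCC14177E263
gpg: Good signature from "Denis 'GNUtoo' Carikli <GNUtoo@makefreedom.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: FB31 DBA3 AB8D B76A 4157 329F 7651 568F 8037 4459
Subkey fingerprint: 782F 9DDB E36B A7F3 D4DE 4906 5F5D FCC1 4177 E263
"""

def triage(output):
    """Explain why pacman-key -v rejected a signature, from gpg's text output."""
    key = re.search(r"using \w+ key ([0-9A-F]{40})", output)
    good = re.search(r'Good signature from "[^"]+" \[\s*(\w+)\]', output)
    primary = re.search(r"Primary key fingerprint: ([0-9A-F ]+)", output)
    signer = key.group(1) if key else None
    primary_fpr = primary.group(1).replace(" ", "") if primary else None
    reasons = []
    if good is None:
        reasons.append("no-good-signature")  # not an expiry or trust problem
    if "This key has expired" in output:
        reasons.append("expired-key")        # signer has to extend the expiry
    if "not certified with a trusted signature" in output:
        reasons.append("untrusted-key")      # no trusted key certifies the signer
    return {
        "long_id": signer[-16:] if signer else None,  # form used in the post (0x...)
        "signed_by_subkey": bool(signer and primary_fpr and signer != primary_fpr),
        "validity": good.group(1) if good else None,
        "reasons": reasons,
    }

if __name__ == "__main__":
    for name, run in (("mkinitcpio", EXPIRED_RUN),
                      ("linux-libre-api-headers", UNTRUSTED_RUN)):
        print(name, triage(run))
```

In both transcripts the signature itself is cryptographically good; the reasons differ, so the remedies differ: an expired key needs its expiry extended and republished, while an untrusted key needs a certification from a key the local trustdb already trusts.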