marcellbarsony / arch

Arch Linux install script

AUR - Package fails to verify PGP/GPG key #2

Closed marcellbarsony closed 2 years ago

marcellbarsony commented 2 years ago

Issue

AUR package fails to verify PGP/GPG key during install

llvm-5.0.1.src.tar.xz … FAILED (unknown public key 8F0871F202119294)

Details

Many AUR packages contain lines to enable validating downloaded packages through the use of a PGP key. This establishes a level of trust between the software author and anyone who downloads the software - if you trust the key, and the download validates against the key, then you can trust the download.

Pacman has its own keyring for system packages in the repos. This means pacman will trust Manjaro and Arch packager keys.

Your user starts with an empty keyring. That is, you trust no one's keys. When you run makepkg you run it as your normal user, so if the PKGBUILD file contains a PGP key, validation will fail because you don't trust the key - you have to import the key into your keyring first.

gpg --recv-key $KEYID

If validation still fails then the file is either invalid or the keyserver cannot locate the key.

Keyserver

To try a different server, you’ll use the --keyserver flag. Example:

gpg --keyserver pgp.mit.edu --recv-key 8F0871F202119294

Example Keyservers

marcellbarsony commented 2 years ago

Solution

Add the PGP/GPG key to the user's keyring

gpg --recv-key 8F0871F202119294
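The two steps the issue walks through (find the key the PKGBUILD expects, import it into the user's keyring, retry another keyserver if the first cannot locate it) as one added script. It is not part of the issue or the repository; the keyserver list is a constructed example, and the script assumes gpg and a POSIX awk are installed.

```shell
#!/bin/sh
# Added example, not from the issue: read the key IDs a PKGBUILD expects in
# its validpgpkeys array and import them into the *user's* keyring, trying
# several keyservers in turn. Assumes gpg and a POSIX awk are installed.

# Print each key ID in validpgpkeys=( ... ), one per line. The file is parsed
# with awk rather than sourced: a PKGBUILD is shell code from an untrusted
# source, so it must not be executed just to read one variable.
extract_validpgpkeys() {
    awk '
        /^validpgpkeys=\(/ { inarr = 1 }
        inarr {
            line = $0
            sub(/#.*/, "", line)                  # drop trailing comments
            if (index(line, ")") > 0) inarr = 0   # closing paren ends the array
            sub(/^validpgpkeys=/, "", line)
            gsub(/[()'"'"'"]/, "", line)          # strip parens and quotes
            n = split(line, parts, /[ \t]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
        }' "$1"
}

# Keyservers to try, in order (constructed list; the issue uses pgp.mit.edu).
KEYSERVERS=${KEYSERVERS:-"keyserver.ubuntu.com pgp.mit.edu"}

# Fetch one key into this user's keyring, falling back to the next keyserver
# when the current one cannot locate it (the failure mode the issue describes).
import_key() {
    keyid=$1
    for ks in $KEYSERVERS; do
        if gpg --keyserver "$ks" --recv-keys "$keyid"; then
            echo "imported $keyid from $ks"
            return 0
        fi
        echo "$ks did not return $keyid, trying next keyserver" >&2
    done
    return 1
}

# makepkg verifies signatures as the invoking user, so the keys must land in
# that user's keyring, not in pacman's keyring.
import_pkgbuild_keys() {
    extract_validpgpkeys "$1" | while read -r keyid; do
        import_key "$keyid" || exit 1
    done
}

# Usage: ./import-keys.sh /path/to/PKGBUILD
if [ -n "${1:-}" ]; then
    import_pkgbuild_keys "$1"
fi
```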