oshazard / apacman

ArchLinux User Repository (AUR) helper and pacman wrapper
https://aur.archlinux.org/packages/apacman/
GNU General Public License v3.0

PGP signatures verification failure #10

Closed boris-petrov closed 9 years ago

boris-petrov commented 9 years ago

When I try to install the package otf-inconsolata-lgc from AUR, I get the following output:

...
==> Verifying source file signatures with gpg...
    inconsolata-lgc.tar.bz2 ... FAILED
==> ERROR: One or more PGP signatures could not be verified!
...

However, it works fine when I build the package manually via makepkg -s. I've imported all keys and done everything needed. Am I doing something wrong, or is this a bug?

oshazard commented 9 years ago

It's a bug in apacman, verified by another user, related to root owning the aurbuild user's directory.

I can't say I'm too happy though with the precedent that AUR packages are being signed with PGP keys, this is going to lead to trusting a lot of signed packages from random maintainers.

I've been using --skipinteg to get around this issue, but this fix is going to require refactoring a lot of the code, which I don't have time for right now.
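A quick way to confirm the ownership problem this thread attributes the failure to, as an added example that is not apacman's own code. makepkg runs gpg as the unprivileged build user, so any root-owned path in the build tree or in that user's GNUPGHOME can make the "Verifying source file signatures" step report FAILED even though the key was imported correctly for the account that runs it. The script walks a directory and lists every entry not owned by the expected user; the build user name and paths in the usage comments are placeholders, not values taken from apacman.

```shell
#!/bin/sh
# Added example, not apacman's code. Reports every path under a build tree that
# is not owned by the unprivileged build user makepkg will run as.

# check_build_tree DIR USER
# Prints each path under DIR whose owner differs from USER and returns 1 if any
# such path exists, 0 if the whole tree belongs to USER.
check_build_tree() {
    _dir=$1
    _user=$2
    _bad=0
    # ls -ld is used instead of stat(1) because its owner column is portable
    # across GNU and BSD userlands; the here-document keeps the loop in the
    # current shell so _bad survives the loop.
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        owner=$(ls -ld "$p" | awk '{print $3}')
        if [ "$owner" != "$_user" ]; then
            printf 'not owned by %s: %s (owner: %s)\n' "$_user" "$p" "$owner"
            _bad=$((_bad + 1))
        fi
    done <<EOF
$(find "$_dir" -print)
EOF
    [ "$_bad" -eq 0 ]
}

# Usage (BUILD_USER and the two paths are placeholders; substitute the user
# and directories your helper actually builds in):
#   check_build_tree /path/to/build/dir       BUILD_USER
#   check_build_tree /home/BUILD_USER/.gnupg  BUILD_USER
# If either reports root-owned entries, fix them with
#   chown -R BUILD_USER /path/to/build/dir
# and re-run the signature step as that user, which is what makepkg does:
#   sudo -u BUILD_USER makepkg --verifysource
```

The negative case matters as much as the positive one: a tree that is entirely root-owned passes `makepkg -s` when you run it as root yourself, which is why building by hand "works fine" while the helper's unprivileged build does not.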

oshazard commented 9 years ago

@boris-petrov This should be fixed in version 1.7 (7537663a) though more testing is needed to confirm.

oshazard commented 9 years ago

Definitely fixed in 1.8-2 (39f66df3b9be8a3c108f7b4251b51fb6ed1d693f)