@elfosardo Thanks for the hint to install using makepkg.
@oxalin thanks for the idea to sign locally; however I feel it is a hack.
For a proper fix, the VLC team should renew their rusty dusty release key.
BTW, dav1d just advanced to version 1.0.0 - though not officially released yet - but you can already download the tarball and .asc signature. And guess -- it's signed with the same old expired key.
$ LANG=C gpg --verify dav1d-1.0.0.tar.xz.asc
gpg: assuming signed data in 'dav1d-1.0.0.tar.xz'
gpg: Signature made Fr 18 Mär 2022 15:36:43 CET
gpg: using DSA key 65F7C6B4206BD057A7EB73787180713BE58D1ADC
gpg: Good signature from "VideoLAN Release Signing Key (2018)" [expired]
gpg: aka "VideoLAN Release Signing Key (2015)" [expired]
gpg: aka "VideoLAN Release Signing Key (2013)" [expired]
gpg: aka "VideoLAN Release Signing Key (2014)" [expired]
gpg: aka "VideoLAN Release Signing Key (2016)" [expired]
gpg: aka "VideoLAN Release Signing Key (2017)" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 65F7 C6B4 206B D057 A7EB 7378 7180 713B E58D 1ADC
$ echo $?
0
Fun fact: the milestone's release notes include my issue ticket 382, "dav1d is signed with expired RSA key", though it had just been closed without any action.
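The session above shows `gpg --verify` exiting 0 for a signature made with an expired key. The following is an added example, not from this thread or from VideoLAN, of a fail-closed check a build script could run over `gpg --status-fd 1 --verify` output. The function names and the sample status lines are constructed for illustration; the fingerprint is the one printed above.

```shell
#!/bin/sh
# classify_gpg_status EXPECTED_PRIMARY_FPR
# Reads gpg machine-readable status lines on stdin, prints one verdict word,
# and returns 0 only for a good signature from a non-expired, non-revoked key
# whose primary fingerprint equals EXPECTED_PRIMARY_FPR.
classify_gpg_status() {
    expected=$1
    verdict=NOSIG
    primary=
    while read -r tag keyword arg1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            GOODSIG)       if [ "$verdict" = NOSIG ]; then verdict=GOOD; fi ;;
            EXPKEYSIG)     verdict=EXPIRED_KEY ;;   # valid signature, expired key
            EXPSIG)        verdict=EXPIRED_SIG ;;
            REVKEYSIG)     verdict=REVOKED_KEY ;;
            BADSIG|ERRSIG) verdict=BAD ;;
            VALIDSIG)      primary=${rest##* } ;;   # last field: primary key fpr
        esac
    done
    if [ "$verdict" = GOOD ] && [ "$primary" != "$expected" ]; then
        verdict=WRONG_KEY
    fi
    echo "$verdict"
    [ "$verdict" = GOOD ]
}

# Fingerprint as printed by gpg in the session above.
VLC_FPR=65F7C6B4206BD057A7EB73787180713BE58D1ADC

# Constructed sample of status output for a signature made by an expired key
# (timestamps and algorithm fields are illustrative, not captured output).
constructed_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 7180713BE58D1ADC VideoLAN Release Signing Key (2018)
[GNUPG:] VALIDSIG 65F7C6B4206BD057A7EB73787180713BE58D1ADC 2022-03-18 1647614203 0 4 0 17 8 00 65F7C6B4206BD057A7EB73787180713BE58D1ADC
EOF
}

# Real use (paths are placeholders):
#   gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null | classify_gpg_status "$VLC_FPR"
constructed_status | classify_gpg_status "$VLC_FPR" || echo "rejected despite gpg exit code 0"
```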
Pinned Comments
oxalin commented on 2020-05-25 15:49 (UTC) (edited on 2020-05-25 15:55 (UTC) by oxalin)
About GPG, it is up to you to import the missing public key. If you receive an error about it, this is ffmpeg's project public key. Something like the following should do the trick: gpg --recv-keys 7180713BE58D1ADC