Upstream doesn't sign most commits anymore, so GPG signature check is disabled. They still sign every tag. Packages in the official repos package tags. You can check signatures with the following commands:
$ git log --format=raw --show-signature main
$ git tag -v $(git tag)
Pinned Comments
MRWITEK commented on 2023-12-20 12:42 (UTC)
Upstream doesn't sign most commits anymore, so GPG signature check is disabled. They still sign every tag. Packages in the official repos package tags. You can check signatures with the following commands:
gbin commented on 2022-03-02 17:58 (UTC) (edited on 2022-03-02 18:07 (UTC) by gbin)
edit: found my problem the key server it could be useful for other people.
The default port is an high port and your ISP might filter it out!
use :80 in the ubuntu one and it should work:
MRWITEK commented on 2020-04-08 14:47 (UTC) (edited on 2022-12-15 12:15 (UTC) by MRWITEK)
https://wiki.archlinux.org/title/Arch_User_Repository#ERROR%3A_One_or_more_PGP_signatures_could_not_be_verified%21%3B_what_should_I_do%3F
https://wiki.archlinux.org/title/PKGBUILD#validpgpkeys
https://wiki.archlinux.org/title/Makepkg#Signature_checking
https://wiki.archlinux.org/title/Arch_User_Repository#What_is_the_difference_between_foo_and_foo-git_packages%3F