Arch Linux User Repository

@liljaylj -- this sadly sounds like a git(1) issue, but it is indeed repeatable:

% git tag -v 0.4.0
object 1e7f5fe4f3439d50d68e53fa17a86e98a93a4738
type commit
tag 0.4.0
tagger Moviuro <moviuro+git@gmail.com> 1685094977 +0200

Breaking change: mkmm will no longer remove directories that were not marked as managed by mkmm
gpg: Signature made 2023-05-26T11:56:51 CEST
gpg:                using EDDSA key 03A5D629F62B7AE323A753E0D280BD7ACDF8CE52
[...]
gpg: Note: This key has expired!
Primary key fingerprint: 2CD9 6FEE 343C 6799 B9CE  AFAD 6200 9A2E 0C22 D9AB
     Subkey fingerprint: 03A5 D629 F62B 7AE3 23A7  53E0 D280 BD7A CDF8 CE52
% echo $?
1

• The tag was created in May 2023, and signed with my then yearly subkey (03A5D629F62B7AE323A753E0D280BD7ACDF8CE52 valid from 2022-10-26T15:15:15Z until 2024-01-01T15:15:15Z)
• GnuPG considers artifacts signed before the expiration of the key to be valid: this tag should be valid.

Also, slight issue within the error message (%s).

I will reach out to git(1) devs and pacman(8) devs to discuss this.

yup, key error is back

@Moviuro, hello. i have problem building this package with makepkg.

==> Making package: mkmm 0.4.0-1 (Tue Mar 12 10:59:25 2024)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Updating mkmm git repo...
  -> Found mkmm.install
==> Validating source files with sha256sums...
    mkmm ... Skipped
    mkmm.install ... Passed
==> Verifying source file signatures with gpg...
    mkmm git repo ... %s is unable to verify the signature.
git
==> ERROR: One or more PGP signatures could not be verified!

can only build with --skippgpcheck flag

@Moviuro

pacman -Qo will tell you that no package owns the directory.

True, pacman -Qo is a fine alternative. I guess nothing needs to change.

I have not found documentation about the pkgbase file in /usr/lib/modules/*/; and it's unclear how that removal might interfere with other pieces of software (dkms?...)

I don't think any files other than *.ko are useful. Isn't the whole point of this, for the dynamic loading of modules to continue to work after an update?

@eNV25: pacman -Qo will tell you that no package owns the directory. I have not found documentation about the pkgbase file in /usr/lib/modules/*/; and it's unclear how that removal might interfere with other pieces of software (dkms?...)

An indicator that restored kernels are not from pacman would be useful. The pkgbase file could be removed, for example.

git is missing as a build dependency:

diff --git a/PKGBUILD b/PKGBUILD
index d0bbec0..1eaf953 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -8,6 +8,7 @@ arch=('any')
 license=('MIT')
 url="https://git.sr.ht/~moviuro/${pkgname}"
 install="${pkgname}.install"
+makedepends=('git')
 validpgpkeys=('2CD96FEE343C6799B9CEAFAD62009A2E0C22D9AB')
 # https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x62009A2E0C22D9AB
 source=("git+${url}?signed#tag=${pkgver}"

@eNV25

Indeed, problem solved with 0.2.0-2.

The issue isn't with gpg. It's that the second checksum is outdated. You need to run updpkgsums.

@Moviuro

Same error after adding the key with

% gpg --keyserver https://keyserver.ubuntu.com/ --search-keys 62009A2E0C22D9AB

I also tried saving the content of both links you mentioned to different files and adding the keys with

% gpg --import gpg_key

gpg: key 62009A2E0C22D9AB: 1 signature not checked due to a missing key
gpg: key 62009A2E0C22D9AB: public key "Moviuro (Our life is the immortals' death.) <moviuro@gmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found

While the key is successfully imported with both files, the error persists. Not sure what's going on either.