@mhogomchungu thanks for the further details. I'd suggest that users who can't accept the SHA-1 sig should use the PKGBUILD in the snapshot (https://goo.gl/UXTWvq) until you make a new release. Using the AUR is considered "advanced" usage for Arch et al., so I would expect users to be able to implement this workaround themselves. I will update this PKGBUILD when you've made a new release or if Arch also moves away from SHA-1 before a new release.
However, another option would be for you to create a new .asc signature on the old .tar.xz file, which I could swap in for the older signature temporarily. Is there something specific about your release process that prevents that from happening?
Pinned Comments
mhogomchungu commented on 2024-10-31 10:20 (UTC) (edited on 2024-11-07 15:57 (UTC) by mhogomchungu)
Those who are experiencing an error in source verification, please run the following command first before building.
gpg --keyserver hkps://pgp.surf.nl --recv-keys 16E2E1ACC6F51242
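Added example, not part of the thread or of the project's own build files: after fetching the key with the command above, a user who wants to know whether the release signature was made with SHA-1 (the concern raised earlier in the thread) can inspect the detached .asc file with `gpg --list-packets` and read the `digest algo` field. The script below maps that numeric id to a digest name and returns non-zero for MD5 or SHA-1. The real pipeline is `gpg --list-packets file.tar.xz.asc | sig_digest`; to run offline here, two constructed packet dumps (not captured from the project's releases) stand in for gpg's output, and the only assumption is gpg's `digest algo N` line format.

```shell
#!/bin/sh
# Added example (not from the AUR thread): report which digest algorithm a
# detached OpenPGP signature uses, so a SHA-1 signature can be spotted before
# deciding how to build.
#
# Real use:     gpg --list-packets package.tar.xz.asc | sig_digest
# Offline here: constructed --list-packets text stands in for gpg output.

# Map the RFC 4880 hash-algorithm id printed by `gpg --list-packets` to a name.
digest_name() {
    case "$1" in
        1)  echo "MD5" ;;
        2)  echo "SHA1" ;;
        3)  echo "RIPEMD160" ;;
        8)  echo "SHA256" ;;
        9)  echo "SHA384" ;;
        10) echo "SHA512" ;;
        11) echo "SHA224" ;;
        *)  echo "UNKNOWN($1)" ;;
    esac
}

# Read `gpg --list-packets` output on stdin, print the digest name of the first
# signature packet, and return 1 if it is a weak digest (MD5 or SHA-1),
# 2 if no digest line was found, 0 otherwise.
sig_digest() {
    algo=$(sed -n 's/.*digest algo \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$algo" ]; then
        echo "no signature packet found" >&2
        return 2
    fi
    digest_name "$algo"
    case "$algo" in
        1|2) return 1 ;;
        *)   return 0 ;;
    esac
}

# Constructed sample shaped like gpg's dump of a SHA-1 RSA signature
# (algo 1 = RSA, digest algo 2 = SHA1); values are made up for this example.
SAMPLE_SHA1=':signature packet: algo 1, keyid 16E2E1ACC6F51242
    version 4, created 1700000000, md5len 0, sigclass 0x00
    digest algo 2, begin of digest ab cd'

# Same shape with digest algo 8 (SHA256), also constructed.
SAMPLE_SHA256=':signature packet: algo 1, keyid 16E2E1ACC6F51242
    version 4, created 1700000000, md5len 0, sigclass 0x00
    digest algo 8, begin of digest ab cd'

# Stand-alone demonstration on the constructed samples.
if [ -z "$SIG_DIGEST_NO_DEMO" ]; then
    printf '%s\n' "$SAMPLE_SHA1"   | sig_digest || echo "  -> weak digest, would not accept"
    printf '%s\n' "$SAMPLE_SHA256" | sig_digest && echo "  -> acceptable digest"
fi
```

Only the first `digest algo` line is examined, so a file carrying several signature packets should be checked packet by packet; `gpg --verify` remains the authoritative check of whether the signature is valid at all, this script only tells you which hash it was made with.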
<deleted-account> commented on 2017-05-17 15:52 (UTC)