Package Details: spotify-stable

Git Clone URL: (read-only)
Package Base: spotify-stable
Description: A proprietary music streaming service
Upstream URL:
Licenses: custom
Conflicts: spotify
Provides: spotify
Submitter: NicoHood
Maintainer: NicoHood
Last Packager: NicoHood
Votes: 43
Popularity: 4.814690
First Submitted: 2017-05-20 09:24
Last Updated: 2018-12-17 16:33

Pinned Comments

NicoHood commented on 2017-05-20 09:30

Please upvote this topic if you wish to have spotify in the official ArchLinux [community] repository:

This package uses the stable branch of spotify and additional GPG checks for better security. It is properly installed inside /opt/spotify.

Build and install with:
gpg --keyserver hkps:// --recv-keys 0DF731E45CE24F27EEEB1450EFDC8610341D9410
sudo pacman -S --needed devtools
sudo pacman -U spotify-stable-*.pkg.tar.gz

Latest Comments

1 2 3 4 5 Next › Last »

NicoHood commented on 2019-01-15 16:59

They changed the key again!? It seems to be the old one. Maybe it is true that the other one was compromised? How can they change the keys so quickly!?

I assume that its just bad project management...

harrybeadle commented on 2019-01-13 15:24

The PGP key is now 931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90

NicoHood commented on 2018-11-27 20:15

I have noticed an error that Spotify connect does not work if two linux PCs have the same home directory. If you are also annoyed by this bug or just want to help spotify take more care of the linux bugs, please comment and rate the following post in the spotify forum:

eq891 commented on 2018-11-01 15:27

I know you took AWhetter's PKGBUILD as a base, but you refined it very well. There are 2 repository sources, 1 http, the other https. HTTPs would be better I guess?

No idea why there are pool and dists directories. Also it would be great to have the latest version from the https source, but AWhetter only uses http and not as refined PKGBUILD as you have. :/

edit: dist is probably the directory for checksums

NicoHood commented on 2018-10-27 18:06

Just an update after hours and hours of debugging:

The problem was the DNS server of my ISP (Unity Media, Germany). It made the feature completely broken. I used as manual dns instead.

NicoHood commented on 2018-10-27 11:09

I've got a problem with spotify connect and would like to ask here if anyone has the same issue.

Spotify connect does not find my other PC that is playing music (all pcs have archlinux as os). The weird thing is, that my laptop does find the music. I did a backup of this OS and restored it, but the backup fails to find spotify connect instances. Even a complete new install does not find the devices.

The weird thing is, that even on the (still working) laptop I deleted all caches and configs of spotify, but it still works. I've updated all kernels, I tested the discs in different computers (with different macs). I even tried to use different usernames. I also logged out all devices from the spotify web interface. And of course I tried tons of reboots and a router restart.

Has anyone a tip for my problem?

Blackbot commented on 2018-10-08 11:21

While NicoHood already changed the PGP signature in the PKGBUILD, if you are hesitant because of the changed PGP signature write an email to Spotify support. I received an answer (after over 3 weeks...) that they indeed changed the PGP key themselves (and are looking into how to avoid this problem in the future - if this means anything remains to be seen).

They still did not acknowledge the change publicly anywhere and I doubt this will change.

polyzen commented on 2018-09-17 14:13

You could drop signature verification without modifying the pkgbuild by using --skippgpcheck.

egrupled commented on 2018-09-17 14:04

@eschwartz There are two options:

  1. Spotify servers were beached, someone uploaded fake signatures and blocked spotify developers from extending the original key. All of this is still unnoticed after couple of weeks.

  2. Spotify developers changed the key themselves.

If you think the 1 is more probable then you should report critical security issue to asap.

If you think 2 is more probable but also that spotify developers key handling isn't trustworthy then you should drop signature verification or drop this package.

Leaving this as it is - in broken not installable without manual PKGBUILD modification state is useless for users.

eschwartz commented on 2018-09-14 11:26


BTW: It's pretty clear that the old key expired and they created new one. No need to make internet drama out of this. You did great job maintaining this, please move on.

The usual, expected solution is to edit the key to extend its expiration date. Creating a new key is and should be alarming, as it completely overrides the initial point of using PGP at all. I agree with NicoHood that it is suspicious.