Package Details: spotify-stable

Git Clone URL: (read-only)
Package Base: spotify-stable
Description: A proprietary music streaming service
Upstream URL:
Licenses: custom
Conflicts: spotify
Provides: spotify
Submitter: NicoHood
Maintainer: NicoHood
Last Packager: NicoHood
Votes: 34
Popularity: 2.715554
First Submitted: 2017-05-20 09:24
Last Updated: 2018-09-22 21:17

Pinned Comments

NicoHood commented on 2017-05-20 09:30

Please upvote this topic if you wish to have spotify in the official ArchLinux [community] repository:

This package uses the stable branch of spotify and additional GPG checks for better security. It is properly installed inside /opt/spotify.

Build and install with:
gpg --keyserver hkps:// --recv-keys 0DF731E45CE24F27EEEB1450EFDC8610341D9410
sudo pacman -S --needed devtools
sudo pacman -U spotify-stable-*.pkg.tar.gz

Latest Comments


Blackbot commented on 2018-10-08 11:21

While NicoHood already changed the PGP signature in the PKGBUILD, if you are hesitant because of the changed PGP signature write an email to Spotify support. I received an answer (after over 3 weeks...) that they indeed changed the PGP key themselves (and are looking into how to avoid this problem in the future - if this means anything remains to be seen).

They still did not acknowledge the change publicly anywhere and I doubt this will change.

polyzen commented on 2018-09-17 14:13

You could drop signature verification without modifying the pkgbuild by using --skippgpcheck.

egrupled commented on 2018-09-17 14:04

@eschwartz There are two options:

  1. Spotify servers were breached, someone uploaded fake signatures and blocked Spotify developers from extending the original key. All of this is still unnoticed after a couple of weeks.

  2. Spotify developers changed the key themselves.

If you think 1 is more probable then you should report a critical security issue to asap.

If you think 2 is more probable but also that Spotify developers' key handling isn't trustworthy then you should drop signature verification or drop this package.

Leaving this as it is, in a broken state that is not installable without manual PKGBUILD modification, is useless for users.

eschwartz commented on 2018-09-14 11:26

BTW: It's pretty clear that the old key expired and they created a new one. No need to make internet drama out of this. You did a great job maintaining this, please move on.

The usual, expected solution is to edit the key to extend its expiration date. Creating a new key is and should be alarming, as it completely overrides the initial point of using PGP at all. I agree with NicoHood that it is suspicious.

egrupled commented on 2018-09-11 23:13

@Tblue the maintainer knows this but refused to update the key until Spotify developers explicitly confirm this key is theirs, which means never.

BTW: everything is in the comments below already.

Tblue commented on 2018-09-11 08:52

Spotify's GPG key has changed to 931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90, as can be seen here:

The "validpgpkeys" option in the PKGBUILD has to be changed to look like this:


metbril commented on 2018-09-02 14:51

I have added the new key with the command

sudo gpg --keyserver --receive-keys 931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90

but then the installer complains about an unknown public key A87FF9DF48BF1C90

That can only be added by first removing the other one. This is when I get into an eternal loop; I can only add one or the other. Although it should be the same key...

NicoHood commented on 2018-08-28 20:32

@bjo please see

egrupled commented on 2018-08-28 18:16

@bjo you have to change the key here:

I hope @NicoHood will reconsider and update PKGBUILD.

bjo commented on 2018-08-28 18:02

I'm still getting

==> Verifying source file signatures with gpg...
    spotify-stable- ... FAILED (invalid public key 931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90)
==> ERROR: One or more PGP signatures could not be verified!

though I imported 931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90
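The validpgpkeys check that Tblue's comment refers to, and the "invalid public key" failure bjo reports, modelled as an added example (not code from this page or from makepkg itself): a function that applies makepkg's rule to gpg's machine-readable status lines. The Verdict type, the gpg_status helper and the uid string are constructed for this example.

```python
# Added example (not the AUR page's or makepkg's own code): a model of the
# validpgpkeys check makepkg applies to gpg's --status-fd output. A signature
# passes only if gpg reports it GOOD and the signing key's full fingerprint
# (or its primary key's) is listed in validpgpkeys; a good signature from an
# unpinned key gives the "invalid public key <fpr>" failure quoted above.
from dataclasses import dataclass

# The two fingerprints discussed in the comments above.
OLD_KEY = "0DF731E45CE24F27EEEB1450EFDC8610341D9410"
NEW_KEY = "931FF8E79F0876134EDDBDCCA87FF9DF48BF1C90"

@dataclass
class Verdict:
    ok: bool
    reason: str

def check_signature(status_lines, validpgpkeys):
    """Decide as makepkg does from '[GNUPG:] ...' status lines.
    An empty validpgpkeys means 'any key in the keyring', as in makepkg."""
    pinned = {k.upper() for k in validpgpkeys}
    signing, trusted_by, good = None, set(), False
    for line in status_lines:
        f = line.split()
        if len(f) < 2 or f[0] != "[GNUPG:]":
            continue
        tag = f[1]
        if tag == "NO_PUBKEY":      # key not in the keyring at all
            return Verdict(False, f"unknown public key {f[2]}")
        if tag == "EXPKEYSIG":      # signed by a key that has since expired
            return Verdict(False, "the key has expired")
        if tag in ("BADSIG", "ERRSIG"):
            return Verdict(False, "bad signature")
        if tag == "GOODSIG":
            good = True
        if tag == "VALIDSIG":       # f[2] = signing key fpr, f[11] = primary fpr
            signing = f[2].upper()
            trusted_by = {signing} | ({f[11].upper()} if len(f) >= 12 else set())
    if not good or signing is None:
        return Verdict(False, "no valid signature")
    if pinned and not (pinned & trusted_by):
        return Verdict(False, f"invalid public key {signing}")
    return Verdict(True, f"signed by {signing}")

def gpg_status(fpr, uid="Example Signing Key (constructed)"):
    """Constructed status lines for a good signature made by key `fpr`."""
    return [f"[GNUPG:] GOODSIG {fpr[-16:]} {uid}",
            f"[GNUPG:] VALIDSIG {fpr} 2018-09-01 1535760000 0 4 0 1 10 00 {fpr}"]
```

With validpgpkeys still pinned to the old key, a perfectly good signature from the new key is rejected, which is exactly why the package could not build until the PKGBUILD was updated; changing the pin is a trust decision, not a build fix.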