Hello!
Today pacman -Syu printed this message:
(545/545) checking package integrity
error: signal-desktop: signature from "kpcyrd <git@rxv,cc>" is unknown trust
File /var/cache/pacmang/pkg/signal-desktop-7.73.0-1-x86_64.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
I remember vaguely that this comes with a prompt asking to manually import the key if my archlinux-keyring doesn't already contain it. So I checked the maintainer list, and kpcyrd seems new. I noticed that Gitlab also isn't able to verify this maintainer. So I got careful and set `IgnorePkg = signal-desktop`.
Questions
Is my memory about the prompt for manual import wrong?
Why is the signature unverified on Gitlab?
I think the archlinux-keyring *20250929-1* contains the key now:
$ pacman-key --list-keys
...
pub rsa4096 2018-10-16 [SC] [expires: 2028-09-15]
64B13F7117D6E07D661BBCE0FE763A64F5E54FD6
uid [marginal] kpcyrd <git@rxv.cc>
uid [ full ] kpcyrd <kpcyrd@archlinux.org>
sub rsa4096 2019-02-07 [S] [expires: 2028-09-15]
sub rsa4096 2018-10-16 [E] [expires: 2028-09-15]
...
Thanks
Last edited by hoschi (2025-10-05 11:49:52)
Offline
I can only answer the first question. The question about importing new certificates is only for AUR packages.
I just tested and I do not get that error. You could update the keyrings before this fairly large update.
Last edited by mithrial (2025-10-05 11:54:44)
Offline
Does it work if you update the keyring first?
$ sudo pacman -Sy archlinux-keyring && sudo pacman -Su
Also it verifies just fine here, so if the above does not help maybe you need to redownload the package?
pacman-key --verify /var/cache/pacman/pkg/signal-desktop-7.73.0-1-x86_64.pkg.tar.zst.sig
==> Checking /var/cache/pacman/pkg/signal-desktop-7.73.0-1-x86_64.pkg.tar.zst.sig... (detached)
gpg: Signature made Thu 02 Oct 2025 06:19:42 PM CEST
gpg: using RSA key 33EBB8A8E1C5653645B1232A45A650E2638C536D
gpg: Note: trustdb not writable
gpg: Good signature from "kpcyrd <git@rxv.cc>" [marginal]
gpg: aka "kpcyrd <kpcyrd@archlinux.org>" [full]
Offline
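The distinction that matters in the exchange above is between a signature that is good but made by a key the local keyring does not yet trust (pacman says "is unknown trust", the keyring is simply stale) and a signature that does not match the package bytes at all (the case that should stop an install). pacman's "File ... is corrupted" wording covers both. The following POSIX sh example is an added illustration, not code from the thread or from pacman: it classifies the machine-readable status lines that `gpg --status-fd 1 --verify` emits and maps each outcome to the operator action. The label names and the remediation text are this example's own; the status keywords (GOODSIG, BADSIG, NO_PUBKEY, EXPKEYSIG, EXPSIG, REVKEYSIG, TRUST_*) are GnuPG's, and the sample status lines are constructed, not captured from anyone's machine.

```shell
#!/bin/sh
# Classify the result of a detached-signature check from the machine-readable
# "[GNUPG:] ..." lines that `gpg --status-fd 1 --verify pkg.sig pkg` emits.
# The labels and the mapping to pacman's wording are this example's own
# interpretation; pacman itself goes through gpgme, but the same key states
# (missing, untrusted, expired, revoked, bad) lie behind its messages.
# Reads status lines on stdin, prints exactly one label on stdout.
classify_sig_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "NO_PUBKEY"                    { missing = 1 }
        $2 == "BADSIG"                       { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "EXPSIG"  { expired = 1 }
        $2 == "REVKEYSIG"                    { revoked = 1 }
        $2 == "GOODSIG"                      { good = 1 }
        $2 ~ /^TRUST_/                       { trust = $2 }
        END {
            if (bad)          label = "bad-signature"   # package bytes do not match the signature
            else if (missing) label = "key-missing"     # signing key not in the keyring at all
            else if (revoked) label = "key-revoked"
            else if (expired) label = "expired"
            else if (!good)   label = "no-signature"
            else if (trust == "TRUST_MARGINAL" || trust == "TRUST_FULLY" || trust == "TRUST_ULTIMATE")
                              label = "ok"              # good signature from a key pacman accepts
            else              label = "unknown-trust"   # good signature, key present but not trusted (the thread case)
            print label
        }'
}

# What an operator should do with each label.
remediation() {
    case "$1" in
        ok)             echo "install" ;;
        unknown-trust|key-missing)
                        echo "refresh archlinux-keyring first (pacman -Sy archlinux-keyring), then retry" ;;
        expired|key-revoked)
                        echo "do not install; wait for an updated keyring or package" ;;
        bad-signature)  echo "do not install; re-download once, and treat a repeat failure as tampering" ;;
        *)              echo "do not install; no usable signature" ;;
    esac
}

# Constructed sample status output (not captured from any machine in the thread).
# Case 1: good signature, but the local keyring does not trust the key.
STATUS_UNKNOWN_TRUST='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 45A650E2638C536D kpcyrd <git@rxv.cc>
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Case 2: the same key after a keyring update made it trusted.
STATUS_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 45A650E2638C536D kpcyrd <git@rxv.cc>
[GNUPG:] TRUST_FULLY 0 pgp'
# Case 3: the package bytes do not match the signature at all.
STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 45A650E2638C536D kpcyrd <git@rxv.cc>'

# Helper so a status blob can be classified from a shell string.
classify() { printf '%s\n' "$1" | classify_sig_status; }

for s in "$STATUS_UNKNOWN_TRUST" "$STATUS_OK" "$STATUS_BAD"; do
    label=$(classify "$s")
    echo "$label: $(remediation "$label")"
done
```

On a real system the input would come from the pacman keyring rather than the user's, i.e. `gpg --homedir /etc/pacman.d/gnupg --status-fd 1 --verify pkg.sig pkg 2>/dev/null | classify_sig_status`, which is the keyring pacman-key itself operates on.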
Thank you. It works with the current archlinux-keyring 20250929-1.
So the remaining question is, why the Gitlab server isn't happy. Probably same issue on server-side?
Offline
The key verification on the server side does not incorporate the trust information from archlinux-keyring; it's up to each maintainer to add their GPG key to their profile (and not many do so)... It has no security implications, it's just a UX issue.
Offline
I don't understand much of PGP, but isn't it similar to PKI: it's trusting the key?
So how can two e-mails under the same key have different trust levels?
Is this another of GnuPG's quirks, or is it part of the OpenPGP standard?
Offline
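The per-user-ID levels seen in the `pacman-key --list-keys` output earlier in the thread come from how OpenPGP certification works: a certification signature binds one user ID to a key, so each user ID collects its own set of certifiers, while the "marginal"/"full" validity shown next to a UID is GnuPG's computation over those certifiers under its classic trust model (ownertrust belongs to a key; validity belongs to a user ID). archlinux-keyring marks the Arch master keys as marginally trusted and relies on multiple master-key certifications per packager, which is what lets one UID reach full validity while another UID on the same key, with fewer certifications, stays marginal. The POSIX sh example below is an added illustration of that computation, not GnuPG's code and not the contents of any real keyring; the certification table is constructed, and the thresholds are GnuPG's defaults (marginals-needed=3, completes-needed=1).

```shell
#!/bin/sh
# Per-user-ID validity as GnuPG's classic trust model computes it (an
# illustration written for this thread, not GnuPG's own code). Ownertrust is a
# property of a key; validity is computed per user ID, because certifications
# are made on a (key, user ID) pair rather than on the key as a whole.
#   full      if certified by >= 1 fully/ultimately trusted key or >= 3 marginal ones
#   marginal  if certified by >= 1 marginally trusted key but fewer than 3
#   unknown   otherwise
# Input on stdin, one certification per line: "<uid> <certifier> <ownertrust>"
# where ownertrust is one of: ultimate full marginal never unknown
uid_validity() {
    awk '
        NF < 3 { next }
        {
            uid = $1; who = $2; trust = $3
            if ((uid, who) in seen) next        # one certifier counts once per UID
            seen[uid, who] = 1
            uids[uid] = 1
            if (trust == "ultimate" || trust == "full") full[uid]++
            else if (trust == "marginal")               marg[uid]++
        }
        END {
            for (u in uids) {
                if (full[u] >= 1 || marg[u] >= 3) v = "full"
                else if (marg[u] >= 1)            v = "marginal"
                else                              v = "unknown"
                print u, v
            }
        }' | sort
}

# Validity of a single UID, e.g.: validity_of git@rxv.cc < certs.txt
validity_of() {
    uid_validity | awk -v want="$1" '$1 == want { print $2 }'
}

# Constructed certification data (illustrative; not the contents of any keyring).
# The archlinux.org UID has been certified by three marginally trusted master
# keys (one of them listed twice to show de-duplication); the other UID on the
# same key by only one of them; a third UID has no trusted certifier at all.
CERTS='kpcyrd@archlinux.org master-1 marginal
kpcyrd@archlinux.org master-2 marginal
kpcyrd@archlinux.org master-3 marginal
kpcyrd@archlinux.org master-3 marginal
git@rxv.cc master-1 marginal
nobody@example.org stranger unknown'

printf '%s\n' "$CERTS" | uid_validity
```

Run as-is it prints one line per UID with its computed validity, reproducing the pattern from the thread: the UID with three marginal certifiers is full, the UID with one is marginal, and the key itself has no single trust level that applies to both.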