Yo!

It seems like gnupg 2.3.1-1 was built and pushed to [testing] briefly before
being removed. The reason for the removal is that there are changes to how
gnupg verifies signatures that depend on the key UIDs being properly signed.

In the case of my key, "foxbo...@archlinux.org" is of marginal trust while
"mor...@linderud.pw" is fully trusted. Since packages are signed with "--sender
foxbo...@archlinux.org" gnupg cares about this trust level starting from
2.3.0-1. This results in failing signature checks if you have this package and
attempt to fetch packages signed by me.

Related issue:
https://dev.gnupg.org/T4735

Why was this removed with no heads-up? It caused a fair bit of confusion for a
few people, and the cause of this issue isn't very clear when packages fail to
verify. Ideally we should have pushed gnupg with an epoch?


To testers:
    The best course of action is to downgrade the gnupg package to 2.2.27-1
    from the package archive or your local package cache.

    https://archive.archlinux.org/packages/g/gnupg/


<sidenote> gnupg is terrible :) </sidenote>

-- 
Morten Linderud
PGP: 9C02FF419FECBE16

Attachment: signature.asc
Description: PGP signature
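The mail above says that gnupg 2.3 ties a package signature to the validity of the user ID named by `--sender`, and that a marginally valid UID makes the check fail. The script below is an added example (not from the mail, Arch, or gnupg) that checks the same condition locally: it reads the colon-format output of `gpg --with-colons --list-keys KEYID` on stdin and reports the validity your keyring assigns to the UID carrying a given address. The key ID, hashes and `alice@example.*` addresses in the embedded listing are constructed stand-ins, not the author's key.

```shell
#!/bin/sh
# Added example, not part of the original mail. Reads the machine-readable
# output of `gpg --with-colons --list-keys KEYID` on stdin and reports the
# validity of the user ID that matches the address a package was signed
# with (`--sender ADDRESS`).
#
# Colon-format uid records: field 1 = "uid", field 2 = validity
# (u=ultimate, f=full, m=marginal, -=unknown, q=undefined, n=never,
# e=expired, r=revoked), field 10 = the user ID string.

# Print the validity letter of the uid that carries $1, or "absent".
uid_validity() {
    awk -F: -v sender="$1" '
        $1 == "uid" {
            uid = $10
            gsub(/\\x3a/, ":", uid)       # gpg escapes ":" inside fields
            if (uid == sender || index(uid, "<" sender ">") > 0) {
                print $2; found = 1; exit
            }
        }
        END { if (!found) print "absent" }
    '
}

# Return 0 only when the sender uid is fully or ultimately valid, the state
# that a --sender-aware gnupg 2.3 verification accepts per the mail above.
sender_uid_trusted() {
    case "$(uid_validity "$1")" in
        f|u) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample listing (fake key ID, fake uid hashes, example
# addresses). Real input comes from: gpg --with-colons --list-keys KEYID
SAMPLE_LISTING='tru::1:1620000000:0:3:1:5
pub:f:4096:1:0123456789ABCDEF:1500000000::::::scESC::::::23::0:
uid:m::::1500000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
uid:f::::1500000000::1111111111111111111111111111111111111111::Alice Example <alice@example.net>::::::::::0:
sub:f:4096:1:FEDCBA9876543210:1500000000::::::s::::::23:'

# Run as `sh check-sender-uid.sh --demo` to see all three outcomes on the
# constructed listing: marginal, full, and an address with no uid at all.
if [ "${1:-}" = "--demo" ]; then
    for addr in alice@example.org alice@example.net nobody@example.com; do
        v=$(printf '%s\n' "$SAMPLE_LISTING" | uid_validity "$addr")
        if printf '%s\n' "$SAMPLE_LISTING" | sender_uid_trusted "$addr"; then
            echo "$addr: validity=$v, accepted"
        else
            echo "$addr: validity=$v, would fail a --sender check"
        fi
    done
fi
```

To apply it to a real key, pipe `gpg --with-colons --list-keys KEYID | uid_validity ADDRESS`; the address a signature was made with can be seen with `gpg --list-packets` on the detached `.sig`, which lists the signer's user ID subpacket when `--sender` was used. A result of `m` on that address is the situation the mail describes.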