From 5b1db1925afce37f5d91fc6e061289ddd42c4ee3 Mon Sep 17 00:00:00 2001 From: Philipp Sauter <46172817+sauterp@users.noreply.github.com> Date: Mon, 2 Oct 2023 15:02:27 +0200 Subject: [PATCH] aur releases: skip pgp check (#547) # Description Both [AUR releases for signed packages](https://github.com/exoscale/cli/actions/runs/6349777603/job/17248953628) failed during the pgp verification: ```shell ==> Verifying source file signatures with gpg... exoscale-cli_1.74.0.tar.gz ... FAILED (unknown public key 03686F8CDE378D41) ==> ERROR: One or more PGP signatures could not be verified! ``` I wasn't able to reproduce the issue locally with low effort. I'm able to run makepkg in an archlinux container with no issue. I verified that the public key is not present before I run `makepkg` and that it is present afterwards. This means makepkg must contact keyservers in the background to receive the keys. This can fail for a number of reasons, like keyservers not being available, networking or bugs in the gpg version provided by the GH action runner. Even if we fix it, it might bite us again if the default keyserver is down, which does happen unfortunately. I concluded that fixing this check is not worth it, since the check happens anyway when the user installs the package unless they explicitly disable it. We are verifying a signature that we created in a previous step of the same workflow and have no strong reason to distrust it. --------- Co-authored-by: Philipp Sauter --- .github/workflows/release.yml | 2 +- CHANGELOG.md | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2310581c..adde515c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -103,7 +103,7 @@ jobs: sed -i "/^sha256sums=/s/.*/sha256sums=\('$checksum'/" PKGBUILD fi - makepkg + makepkg --skippgpcheck makepkg --printsrcinfo >.SRCINFO git add PKGBUILD .SRCINFO 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 1719b4fb..3e69ac0f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## UNRELEASED + +- aur releases: skip pgp check #547 + ## 1.74.0 - publish cli releases as scoop packages #546
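Review bot: In the `.github/workflows/release.yml` hunk, the replaced `makepkg` line now passes `--skippgpcheck` unconditionally, so a signature that is genuinely bad (for example a corrupted or mismatched `.sig`) no longer stops the release before `PKGBUILD` and `.SRCINFO` are committed. The failure quoted in the description is `unknown public key 03686F8CDE378D41`, which is a keyring lookup problem, not a failed verification. Importing the release public key into the runner's keyring before this line, from a file or from the earlier signing step instead of a keyserver, would keep the check and remove the keyserver dependency. If the skip stays, add a comment above the line saying why it is there and that makepkg still enforces the `sha256sums` value set by the `sed` line just above, so the flag is not copied into a job where the source is not produced in the same workflow.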
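Review bot: In the `CHANGELOG.md` hunk, the new entry `aur releases: skip pgp check #547` under `UNRELEASED` can be read as verification being dropped for users of the AUR package. Word it so it is clear that the skip applies only to the `makepkg` run inside the release workflow, and that the signature check still runs when a user builds the package, as the commit description states.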