Package: archlinux-keyring
Version: 0~20251116-1
Severity: important
Hello Michel,
the archlinux-keyring snapshot currently in unstable/testing (0~20251116-1,
and likewise 0~20250430-1 in trixie) contains an expired copy of an Arch
Linux packager key, which breaks signature verification of current Arch
packages with pacman on Debian.
David Runge's packager key
pub ed25519 2022-05-10 [SC] [expired: 2026-05-09]
991F6E3F0765CF6295888586139B09DA5BF0D338
uid David Runge <[email protected]>
expired on 2026-05-09. Upstream extended its validity to 2030-01-08 in
archlinux-keyring release 20260420, but that has not been packaged yet.
As a consequence, installing any Arch package signed by that key (e.g. the
essential "filesystem" package, currently filesystem-2025.10.12-1, signed by
subkey 9B7A287D9A2EC608) fails:
checking keyring...
downloading required keys...
error: required key missing from keyring
error: failed to commit transaction (unexpected error)
(The "missing" message is misleading; the key is present but expired, and
pacman's attempt to refresh it via WKD does not help in offline or sandboxed
environments.)
This affects users who bootstrap or maintain Arch Linux chroots/images from
Debian, e.g. with mkosi (which uses Debian's archlinux-keyring to populate
pacman's keyring when building Arch images with a Debian tools tree). The
breakage started on 2026-05-09 and will affect more packages over time as they
are re-signed.
Can you please update the package to upstream release 20260420 or later?
Since stable is affected as well (trixie ships 0~20250430-1 with the same
expired key), a stable update would also be appreciated.
Thanks!
Pitti
