yay imports new PGP key after failed signature check #2165

Closed
drws opened this issue May 17, 2023 · 2 comments · Fixed by #2239
Labels
Status: Confirmed Bug has been verified Type: Bug

Comments

drws commented May 17, 2023

Affected Version

yay v12.0.4 - libalpm v13.0.2

Describe the bug

When installing an AUR package that needs importing of a new PGP key, yay/pacman fails the signature checking at first (because of a missing key), but then continues on with the installation (regardless of an integrity error) and only then imports the relevant PGP key, successfully builds the package and installs it.

Reproduction Steps

  1. Run yay -Syu ffmpeg-headless (for example)
  2. yay downloads the PKGBUILD, processes it and starts making the package
  3. It fails in the source verification step - see Output below

Expected behavior

PGP key importing is done before any integrity checks.

Output

```text
$ yay -Syu ffmpeg-headless
...
==> Verifying source file signatures with gpg...
    ffmpeg git repo ... FAILED (unknown public key B18E8928B3948D64)
==> ERROR: One or more PGP signatures could not be verified!
 -> error downloading sources: .../yay/build/ffmpeg-headless
         context: error downloading sources: .../yay/build/ffmpeg-headless
         context: exit status 1

:: Remove make dependencies after install? [y/N]
:: (1/1) Parsing SRCINFO: ffmpeg-headless
gpg: error reading key: No public key

:: PGP keys need importing:
 -> DD1EC9E8DE085C629B3E1846B18E8928B3948D64, required by: ffmpeg-headless
:: Import? [Y/n]
:: Importing keys with gpg...
gpg: key B18E8928B3948D64: public key "Michael Niedermayer (key used for git commits) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
resolving dependencies...
looking for conflicting packages...
```

(installation succeeds afterwards)
@kragebein

Yeah, I see the same issue.
yay v12.1.0.r10.g93afb03 - libalpm v13.0.2

```text
yay -S wlr-randr
AUR Explicit (1): wlr-randr-0.3.0-1
:: (1/1) Downloaded PKGBUILD: wlr-randr
1 wlr-randr (Build Files Exist)
==> Packages to cleanBuild?
==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
==>
1 wlr-randr (Build Files Exist)
==> Diffs to show?
==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4)
==>
==> Making package: wlr-randr 0.3.0-1 (Wed 05 Jul 2023 05:58:37 PM UTC)
==> Retrieving sources...
-> Downloading wlr-randr-0.3.0.tar.gz...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 12471 0 12471 0 0 7742 0 --:--:-- 0:00:01 --:--:-- 7741
-> Downloading wlr-randr-0.3.0.tar.gz.sig...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 566 0 566 0 0 623 0 --:--:-- --:--:-- --:--:-- 623
==> Validating source files with sha256sums...
wlr-randr-0.3.0.tar.gz ... Passed
wlr-randr-0.3.0.tar.gz.sig ... Skipped
==> Verifying source file signatures with gpg...
wlr-randr-0.3.0.tar.gz ... FAILED (unknown public key 0FDE7BE0E88F5E48)
==> ERROR: One or more PGP signatures could not be verified!
-> error downloading sources: /home/krage/.cache/yay/wlr-randr
context: exit status 1

:: (1/1) Parsing SRCINFO: wlr-randr
gpg: error reading key: No public key

:: PGP keys need importing:
-> 34FF9526CFEF0E97A340E2E40FDE7BE0E88F5E48, required by: wlr-randr
:: Import? [Y/n]
:: Importing keys with gpg...
gpg: key 0FDE7BE0E88F5E48: 1 duplicate signature removed
gpg: key 0FDE7BE0E88F5E48: public key "Simon Ser [email protected]" imported
gpg: Total number processed: 1
gpg: imported: 1
==> Making package: wlr-randr 0.3.0-1 (Wed 05 Jul 2023 05:58:43 PM UTC)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Found wlr-randr-0.3.0.tar.gz
-> Found wlr-randr-0.3.0.tar.gz.sig
==> Validating source files with sha256sums...
wlr-randr-0.3.0.tar.gz ... Passed
wlr-randr-0.3.0.tar.gz.sig ... Skipped
==> Verifying source file signatures with gpg...
wlr-randr-0.3.0.tar.gz ... Passed
==> Removing existing $srcdir/ directory...
==> Extracting sources...
-> Extracting wlr-randr-0.3.0.tar.gz with bsdtar
==> Sources are ready.
==> Making package: wlr-randr 0.3.0-1 (Wed 05 Jul 2023 05:58:44 PM UTC)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> WARNING: Using existing $srcdir/ tree
==> Starting build()...

  • exec meson setup --prefix /usr --libexecdir lib --sbindir bin --buildtype plain --auto-features enabled --wrap-mode nodownload -D b_lto=true -D b_pie=true wlr-randr-0.3.0 build
    The Meson build system
    Version: 1.1.1
    Source dir: /home/krage/.cache/yay/wlr-randr/src/wlr-randr-0.3.0
    Build dir: /home/krage/.cache/yay/wlr-randr/src/build
    Build type: native build
    Project name: wlr-randr
    Project version: 0.3.0
    C compiler for the host machine: cc (gcc 13.1.1 "cc (GCC) 13.1.1 20230429")
    C linker for the host machine: cc ld.bfd 2.40.0
    Host machine cpu family: x86_64
    Host machine cpu: x86_64
    Compiler for C supports arguments -Wundef: YES
    Compiler for C supports arguments -Wlogical-op: YES
    Compiler for C supports arguments -Wmissing-include-dirs: YES
    Compiler for C supports arguments -Wold-style-definition: YES
    Compiler for C supports arguments -Wpointer-arith: YES
    Compiler for C supports arguments -Winit-self: YES
    Compiler for C supports arguments -Wfloat-equal: YES
    Compiler for C supports arguments -Wstrict-prototypes: YES
    Compiler for C supports arguments -Wredundant-decls: YES
    Compiler for C supports arguments -Wimplicit-fallthrough=2: YES
    Compiler for C supports arguments -Wendif-labels: YES
    Compiler for C supports arguments -Wstrict-aliasing=2: YES
    Compiler for C supports arguments -Woverflow: YES
    Compiler for C supports arguments -Wformat=2: YES
    Compiler for C supports arguments -Wno-missing-braces: YES
    Compiler for C supports arguments -Wno-missing-field-initializers: YES
    Compiler for C supports arguments -Wno-unused-parameter: YES
    Found pkg-config: /usr/bin/pkg-config (1.8.1)
    Run-time dependency wayland-client found: YES 1.22.0
    Library m found: YES
    Program wayland-scanner found: YES (/usr/bin/wayland-scanner)
    Build targets in project: 2

wlr-randr 0.3.0

User defined options
auto_features: enabled
buildtype : plain
libexecdir : lib
prefix : /usr
sbindir : bin
wrap_mode : nodownload
b_lto : true
b_pie : true

Found ninja-1.11.1 at /usr/bin/ninja
INFO: autodetecting backend as ninja
INFO: calculating backend command to run: /usr/bin/ninja -C /home/krage/.cache/yay/wlr-randr/src/build
ninja: Entering directory `/home/krage/.cache/yay/wlr-randr/src/build'
[7/7] Linking target wlr-randr
==> Entering fakeroot environment...
==> Starting package()...
ninja: Entering directory `/home/krage/.cache/yay/wlr-randr/src/build'
ninja: no work to do.
Installing wlr-randr to /home/krage/.cache/yay/wlr-randr/pkg/wlr-randr/usr/bin
==> Tidying install...
-> Removing libtool files...
-> Purging unwanted files...
-> Removing static library files...
-> Stripping unneeded symbols from binaries and libraries...
-> Compressing man and info pages...
==> Checking for packaging issues...
==> Creating package "wlr-randr"...
-> Generating .PKGINFO file...
-> Generating .BUILDINFO file...
-> Generating .MTREE file...
-> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: wlr-randr 0.3.0-1 (Wed 05 Jul 2023 05:58:45 PM UTC)
==> Cleaning up...
loading packages...
resolving dependencies...
looking for conflicting packages...

Packages (1) wlr-randr-0.3.0-1

Total Installed Size: 0.03 MiB

:: Proceed with installation? [Y/n]
-> error installing: [/home/krage/.cache/yay/wlr-randr/wlr-randr-0.3.0-1-x86_64.pkg.tar.zst] - exit status 1
```

@Jguer
Owner

Jguer commented Jul 6, 2023

#2239 should fix this by only checking gpg signature after the import.
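
The fix described above is an ordering change: import the keys a PKGBUILD declares, then verify, and never carry on past a failed check. The Go sketch below is an added illustration written for this page, not yay's or #2239's code: it reads the validpgpkeys entries from a constructed .SRCINFO fragment (the fingerprint is the one the issue shows yay prompting to import), imports whatever is missing from a stand-in keyring, verifies only afterwards, and refuses to install when verification fails. The Keyring and Build types and the injected importKey/verify callbacks are hypothetical; the 16-hex-digit key ID gpg prints in "unknown public key ..." is the trailing 16 digits of the full fingerprint.

```go
package main

import (
	"bufio"
	"strings"
)

// Constructed .SRCINFO fragment (makepkg --printsrcinfo layout) carrying the fingerprint the issue shows yay prompting to import.
const srcinfo = "pkgbase = ffmpeg-headless\n\tvalidpgpkeys = DD1EC9E8DE085C629B3E1846B18E8928B3948D64\n"

// validPGPKeys extracts every validpgpkeys fingerprint from a .SRCINFO, upper-cased.
func validPGPKeys(src string) []string {
	var keys []string
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		if k, v, ok := strings.Cut(sc.Text(), "="); ok && strings.TrimSpace(k) == "validpgpkeys" {
			keys = append(keys, strings.ToUpper(strings.TrimSpace(v)))
		}
	}
	return keys
}

// longKeyID is the 16-hex-digit suffix gpg prints in "unknown public key ..."; shorter input is returned unchanged.
func longKeyID(fpr string) string {
	if len(fpr) < 16 {
		return fpr
	}
	return fpr[len(fpr)-16:]
}

type Keyring map[string]bool      // hypothetical stand-in for the local gpg keyring, keyed by fingerprint
type Build struct{ Steps []string } // ordered trace of what the hypothetical pipeline ran

// Run imports missing keys first, verifies sources only afterwards, and does not reach the install step
// when either fails: the order the fix restores (the bug report shows verify, then import, then install).
func (b *Build) Run(src string, ring Keyring, importKey func(string) error, verify func() error) error {
	for _, fpr := range validPGPKeys(src) {
		if !ring[fpr] {
			b.Steps = append(b.Steps, "import "+longKeyID(fpr))
			if err := importKey(fpr); err != nil {
				return err // nothing signed by this key can be verified, so stop here
			}
			ring[fpr] = true
		}
	}
	b.Steps = append(b.Steps, "verify")
	if err := verify(); err != nil {
		return err // a failed signature check must abort before installation
	}
	b.Steps = append(b.Steps, "install")
	return nil
}
```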

Jguer added a commit that referenced this issue Jul 10, 2023