Why would app key be changed? Asking about LibreWolf in particular

I’ve been using LibreWolf as a browser for quite some time. Since last week, when I try to update the package using “yay --aur”, I get the following error:

librewolf-150.0.3-1-linux-x86_64-package.tar.xz … FAILED (unknown public key 915585A1C36690B1)

I’m guessing the keys changed. I know I can import the new public key using the procedure listed in the forum post below:

But I guess my question is why would the key change? Isn’t that weird and suspicious? Does it mean a maintainer changed?

It’s just weird and if anyone can offer insight, I’d be interested in learning a little more.

The key expired and they simply forgot to update it in time. You can make a key that never expires, but a lot of security-focused projects such as LibreWolf rotate their keys every now and then.

It's not the first time they have rotated their key and it won't be the last.

Edit: You can always check that the new key matches what is on their website.

Scroll down to the section that talks about importing the GPG key.