With the addition of pgp key checking in Yay, the srcinfo parsing was
moved to before the pkgver() bump, leading to outdated pkgbuild
information.
Srcinfo parsing must be done after the pkgver() bump
The pkgver() bump must be done after downloading sources
makepkg's PGP checking is done as the sources download
yays PGP importing requires the srcingo to be parsed
Quite the chicken and egg problem
It is possible to skip the integ checks after the sources download
then parse the srcinfo
do the yay PGP check
then run the integ checks
the problem here is that to generate the srcinfo `makepkg --printsrcingo` is ran
This causes the pkgbuild to be sourced which I am not comftable with
doing without the integ checks.
Instead we parse the on disk .SRRCINFO that downloads with the PKGBUILD
just for the PGP checking. Later on we parse a fresh srcinfo straight
from `makepkg --printsrcingo`. This is a little bit less efficient but
more secure than the other option.
When building a package from the AUR for which there are missing keys,
yay will now prompt the user whether it should try to import such keys
using gpg:
[...]
:: Parsing SRCINFO (1/3): libc++ (libc++abi libc++)
:: Parsing SRCINFO (2/3): aurutils
:: Parsing SRCINFO (3/3): cower
==> GPG keys need importing:
487EACC08557AD082088DABA1EB2638FF56C0C53, required by: cower
11E521D646982372EB577A1F8F0871F202119294, required by: libc++ (libc++abi libc++)
B6C8F98282B944E3B0D5C2530FC3042E345AD05D, required by: libc++ (libc++abi libc++)
DBE7D3DD8C81D58D0A13D0E76BC26A17B9B7018A, required by: aurutils
==> Import? [Y/n]
[...]
Default is to try to import the problematic keys ([Y/n]).
