I just got around to updating my rarely used desktop. Everything went well until the package signature verification step, which failed with one specific package:
error: nvidia-utils: signature from "CachyOS <admin@cachyos.org>" is invalid
:: File /var/cache/pacman/pkg/nvidia-utils-570.86.16-3-x86_64_v3.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
I’ve tried refreshing keyrings and re-ranking mirrors, but neither of these helped. Out of curiosity, I’ve compared the package itself to that in my (much more regularly updated) laptop’s package cache, and it appears that it was recently (February 27th) rebuilt. Additionally, the problem can now be reproduced on the laptop as well, after manually removing the corresponding package from the package cache to make pacman download the new version.
SHA256 sum of the old package from laptop cache: 4fa2099352f8064e69502c652a70939569fc69a63778bd8678ca9f1939fc8b30
SHA256 sum of the new package that fails to verify: dedceed8436b63802037e30c286bfe598af7a3c4bf02f9476b03abbd38b8ed6d
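
The comparison described in the post can be scripted. The following is an added example, not part of the original post: it compares two copies of a same-named package and separates a bad download from a rebuild under an unchanged version. The function names are hypothetical, and it assumes the detached `.sig` sits next to the package in the cache.

```bash
#!/usr/bin/env bash
# Added triage example; function names are hypothetical, not from pacman.

# Print the SHA256 hex digest of a file.
sha256_of() { sha256sum -- "$1" | cut -d' ' -f1; }

# Succeed if the file starts with the zstd frame magic 28 b5 2f fd,
# i.e. it is at least a zstd stream and not an HTML error page or an empty file.
is_zstd() {
    [ "$(head -c 4 -- "$1" | od -An -tx1 | tr -d ' \n')" = "28b52ffd" ]
}

# Compare two copies of the same-named package (e.g. desktop vs laptop cache).
# Prints one of: not-zstd | identical | differs
compare_pkg() {
    local a=$1 b=$2
    if ! is_zstd "$a" || ! is_zstd "$b"; then
        echo "not-zstd"    # broken download, not a rebuild
    elif [ "$(sha256_of "$a")" = "$(sha256_of "$b")" ]; then
        echo "identical"   # same bytes: the problem is the keyring or signature
    else
        echo "differs"     # same name and version, different bytes: rebuilt or replaced
    fi
}

# Check a package against its detached signature using pacman's keyring.
# Returns 2 when pacman-key or the .sig file is not available.
verify_sig() {
    local pkg=$1
    command -v pacman-key >/dev/null 2>&1 || return 2
    [ -f "$pkg.sig" ] || return 2
    # pacman-key derives the data file name by stripping the .sig suffix
    pacman-key --verify "$pkg.sig"
}
```

A `differs` result together with a failing `verify_sig` on the newer copy matches the situation reported here: the file changed under the same version and the signature does not validate for the new bytes.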