From 10708409c277f8f60334011d92adee2b58f75c4d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hannes=20K=C3=B6rber?= <hannes@hkoerber.de>
Date: Tue, 21 Oct 2025 10:41:40 +0200
Subject: [PATCH] Update gpg keys first during autoupdate

---
 _machines/hera-tasks.yml | 5 ++++-
 maintenance.sh           | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/_machines/hera-tasks.yml b/_machines/hera-tasks.yml
index df7f54a..ad3c52e 100644
--- a/_machines/hera-tasks.yml
+++ b/_machines/hera-tasks.yml
@@ -35,7 +35,10 @@
               exit 0
           fi
 
-          pacman --sync --refresh --sysupgrade --noprogressbar --noconfirm
+          # Make sure that keys are up to date, otherwise sig checks may fail
+          pacman --sync --noprogressbar --noconfirm --refresh --needed archlinux-keyring
+
+          pacman --sync --noprogressbar --noconfirm --sysupgrade
 
     - name: Install pacman autoupdate service
       ansible.builtin.copy:
diff --git a/maintenance.sh b/maintenance.sh
index 903c41f..d79df05 100755
--- a/maintenance.sh
+++ b/maintenance.sh
@@ -3,7 +3,7 @@
 set -o nounset
 set -o errexit
 
-sudo pacman -Syu
+sudo bash -c "pacman -Sy --needed archlinux-keyring && pacman -Syu"
 
 ./update-aur-pkgs.sh