Failed to verify signature archive-contents.sig in Emacs
November 14, 2025
In the evening, when I wanted to upgrade packages in Aquamacs, an
Emacs for macOS, I was greeted with the following error message
(reformatted for clarity) after I did a M-x package-refresh-contents:
Failed to verify signature archive-contents.sig:
No public key for 645357D2883A0966 created at 2025-11-14T11:05:15+0100
using (unknown algorithm 22)
Command output:
gpg: Signature made Fri Nov 14 11:05:15 2025 CET
gpg: using EDDSA key 0327BE68D64D9A1A66859F15645357D2883A0966
gpg: Can't check signature: No public key
I was able to fix this using the following by disabling signature
checking, updating the refreshing the package list, installing
gnu-elpa-keyring-update, and finally setting signature checking back
to its default value as follows:
M-: (setq package-check-signature nil) RET
M-x package-refresh-contents
M-x package-install RET gnu-elpa-keyring-update RET
M-: (setq package-check-signature 'allow-unsigned) RET
It turned out that there where 5 packages could be upgraded. So I
pressed ⇧U to select them followed by M-x occur RET ^I RET. This
showed the five packages ready to be upgraded. I used X to install
the five packages. However, this resulted in yet another error
(reformatted for clarity) after installing two packages successfully:
Failed to verify signature let-alist-1.0.6.tar.sig:
Good signature from 645357D2883A0966 GNU ELPA Signing Agent (2023)
<elpasign@elpa.gnu.org> (trust undefined) created at 2024-03-31T11:35:04+0200
using (unknown algorithm 22)
Signature made by expired key 066DAFCB81E42C40 GNU ELPA Signing Agent (2019)
<elpasign@elpa.gnu.org>
Command output:
gpg: Signature made Sun Mar 31 11:35:04 2024 CEST
gpg: using RSA key C433554766D3DDC64221BFAA066DAFCB81E42C40
gpg: Good signature from "GNU ELPA Signing Agent (2019)
<elpasign@elpa.gnu.org>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: C433 5547 66D3 DDC6 4221 BFAA 066D AFCB 81E4 2C40
gpg: Signature made Sun Mar 31 11:35:04 2024 CEST
gpg: using EDDSA key 0327BE68D64D9A1A66859F15645357D2883A0966
gpg: Good signature from "GNU ELPA Signing Agent (2023) <elpasign@elpa.gnu.org>"
[unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: AC49 B8A5 FDED 6931 F40E E78B F993 C037 86DE 7ECA
Subkey fingerprint: 0327 BE68 D64D 9A1A 6685 9F15 6453 57D2 883A 0966
The culprit was let-alist so I decided to not upgrade that package
until I have figured out how to fix the above issue. I did this by
pressing ⇧U again and removing the mark from let-alist by pressing
U. After this X did an upgrade of the two other packages.