The signature verification is working exactly as expected, the package
builds just fine.
za3k:
Even if the PGP verification was broken, the adequate first step would
have been to post a comment instead of filing an orphan request right away.
Also, you could have seen that PGP verification was re-enabled just a
year ago, which would hardly have been done with a key broken since
years. Maybe you aren't familiar with source verification and may want
to have a look e. g. at [1].
But all in all please kindly realize that you are only wasting other
people's time by taking actions like this.
[1] https://wiki.archlinux.org/title/Makepkg#Signature_checking
