swiftly self-update fails with GPG verification error due to missing keys #443

@dfrancour

Problem

Running swiftly self-update fails with Error: Signature verification failed: RunProgramError(exitCode: 2, program: "gpg") after successfully downloading the new version (1.1.0).

This occurs because Swiftly attempts to verify the signature but Swift.org's public GPG keys are not available in the user's keyring - and Swiftly never imports them.

Reproduction Script

#!/bin/bash
# Minimal Swiftly self-update GPG failure repro

set -e

podman run --rm -i ubuntu:22.04 bash << 'EOF'
set -e

# Install dependencies
echo "> Installing dependencies..."
apt-get update -qq
apt-get install -y -qq curl gnupg2 tar > /dev/null 2>&1

# Temporary GPG home
export GNUPGHOME="$(mktemp -d)"

# Download Swiftly
echo ""
echo "> Downloading Swiftly..."
SWIFTLY_VERSION="1.0.1"
SWIFTLY_URL="https://download.swift.org/swiftly/linux/swiftly-${SWIFTLY_VERSION}-$(uname -m).tar.gz"
mkdir -p .swiftly/bin
curl -fsSL "$SWIFTLY_URL" -o swiftly.tar.gz
tar -xzf swiftly.tar.gz -C .swiftly/bin
chmod +x .swiftly/bin/swiftly
rm swiftly.tar.gz
echo "Swiftly downloaded"

# Initialize Swiftly (creates ~/.local/share/swiftly)
echo ""
echo "> Initializing Swiftly..."
.swiftly/bin/swiftly init --no-modify-profile --skip-install --assume-yes
echo "Swiftly initialized"

# Source the env.sh created by init so swiftly is in PATH
. "/root/.local/share/swiftly/env.sh"

# Attempt self-update (this reproduces the GPG verification failure)
echo ""
echo "> Attempting self-update..."
swiftly self-update --assume-yes
EOF

Script Output

➜  ~ ./swiftly_issue_reproduction.sh
> Installing dependencies...

> Downloading Swiftly...
Swiftly downloaded

> Initializing Swiftly...
Installing swiftly in /root/.local/share/swiftly/bin/swiftly...
Creating shell environment file for the user...
To begin using installed swiftly from your current shell, first run the following command:

# Added by swiftly
. "/root/.local/share/swiftly/env.sh"

Swiftly initialized

> Attempting self-update...
Checking for swiftly updates...
A new version is available: 1.1.0
Downloading swiftly 1.1.0
23%: Downloaded 6.3 MiB of 26.4 MiB
72%: Downloaded 19.1 MiB of 26.4 MiB
100%: Downloaded 26.4 MiB of 26.4 MiB
Error: Signature verification failed: RunProgramError(exitCode: 2, program: "gpg").
Verifying toolchain signature...
➜  ~
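
Added example, not part of the original issue and not swiftly's own code: the error above carries only gpg's exit code, which does not say whether the signing key was absent from the keyring or the signature itself was bad. The sketch below reads gpg's `--status-fd` lines to tell the two apart; the key ID, signer name and sample status output are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example: tell "key not in keyring" apart from "signature is bad"
# by reading gpg's machine-readable status lines instead of its exit code.

# Reads "[GNUPG:] ..." lines on stdin and prints one verdict.
classify_gpg_status() {
    verdict="unknown"
    while read -r prefix keyword arg rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue      # skip human-readable output
        case "$keyword" in
            BADSIG)    verdict="bad-signature:$arg"; break ;;
            NO_PUBKEY) verdict="missing-key:$arg";   break ;;
            EXPKEYSIG) verdict="expired-key:$arg";   break ;;
            REVKEYSIG) verdict="revoked-key:$arg";   break ;;
            GOODSIG)   verdict="good:$arg" ;;       # keep reading; a later failure wins
        esac
    done
    printf '%s\n' "$verdict"
}

# Runs a detached-signature check and prints the verdict (needs gpg installed).
# $1 = signature file, $2 = signed file; both are paths chosen by the caller.
diagnose_signature() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_gpg_status
}

# Constructed status output for a signature whose key is absent from the keyring.
sample_missing_key() {
    printf '%s\n' \
        'gpg: Signature made (constructed sample)' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1700000000 9 -' \
        '[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
}

# Constructed status output for a signature that verifies.
sample_good() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>'
}

# Constructed status output for data that does not match its signature.
sample_bad() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>'
}

sample_missing_key | classify_gpg_status   # missing-key:0123456789ABCDEF
```

A `missing-key` verdict means the keyring needs the signer's public key, obtained from a trusted source, before the check can say anything about the download; a `bad-signature` verdict means the download should be discarded.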
