diff --git a/tests/conftest.py b/tests/conftest.py
index fc530b5..26db9af 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -167,7 +167,6 @@ def create_key_revocation(
     def decorator(decorated_func: Callable[..., None]) -> Callable[..., Any]:
         @wraps(decorated_func)
         def wrapper(working_dir: Path, *args: Any, **kwargs: Any) -> None:
-
             revocation = test_key_revocation[username][0]
 
             keyring_root: Path = working_dir / "keyring"
@@ -199,7 +198,6 @@ def create_signature_revocation(
     def decorator(decorated_func: Callable[..., None]) -> Callable[..., Any]:
         @wraps(decorated_func)
         def wrapper(working_dir: Path, *args: Any, **kwargs: Any) -> None:
-
             issuer_key: Path = test_keys[issuer][0]
             keyring_root: Path = working_dir / "keyring"
 
diff --git a/tests/test_keyring.py b/tests/test_keyring.py
index 752f04d..3f3716d 100644
--- a/tests/test_keyring.py
+++ b/tests/test_keyring.py
@@ -640,7 +640,6 @@ def test_get_packets_from_path(working_dir: Path, keyring_dir: Path, path_exists
 @mark.parametrize("path_exists", [(True), (False)])
 @patch("libkeyringctl.keyring.get_packets_from_path")
 def test_get_packets_from_listing(get_packets_from_path_mock: Mock, working_dir: Path, path_exists: bool) -> None:
-
     path = working_dir / "path"
     if not path_exists:
         assert keyring.get_packets_from_listing(path=path) == []
@@ -704,7 +703,6 @@ def test_derive_username_from_fingerprint(
     keyring_dir: Path,
     valid_fingerprint: str,
 ) -> None:
-
     username = "username"
     other_username = "other_user"
 
@@ -791,7 +789,6 @@ def test_inspect_keyring(working_dir: Path, keyring_dir: Path) -> None:
 
 
 def test_get_fingerprints_from_paths(keyring_dir: Path, valid_fingerprint: str, valid_subkey_fingerprint: str) -> None:
-
     fingerprint_dir = keyring_dir / "type" / "username" / valid_fingerprint
     fingerprint_dir.mkdir(parents=True)
     (fingerprint_dir / (fingerprint_dir.name + ".asc")).touch()
diff --git a/wkd_sync/archlinux-keyring-wkd-sync b/wkd_sync/archlinux-keyring-wkd-sync
index dccfd5b..d7d502f 100755
--- a/wkd_sync/archlinux-keyring-wkd-sync
+++ b/wkd_sync/archlinux-keyring-wkd-sync
@@ -16,9 +16,14 @@ set -eu
 readonly main_key_domain_match="@master-key.archlinux.org$"
 readonly packager_domain_match="@archlinux.org$"
 readonly homedir="$(pacman-conf GPGDir)"
+# fingerprints of keys with SHA-1 self-signatures (no longer used)
+readonly invalid_fingerprints=(
+    0F334D8698881578F65D2AE55ED514A45BD5C938  # djgera@archlinux.org
+    F4DDD6DDCEC320B665F502AAE8F18BA1615137BC  # ibiru@archlinux.org
+    EA84EA00866F51FB10CD19AE426991CD8406FFF3  # ronald@archlinux.org
+)
 
 domain_match=""
-uid=""
 gpg_locate_external=(
     # force update a key using WKD
     gpg
@@ -54,7 +59,7 @@ fi
 # first update the main signing keys, then the packager keys
 for domain_match in "$main_key_domain_match" "$packager_domain_match"; do
     while read -ra fpr_email; do
-        if [[ ${fpr_email[1]} =~ $domain_match && ! "$old_fingerprints" =~ ${fpr_email[0]} ]]; then
+        if [[ ${fpr_email[1]} =~ $domain_match && ! "$old_fingerprints" =~ ${fpr_email[0]} && ! "${invalid_fingerprints[*]}" =~ ${fpr_email[0]} ]]; then
             printf "Refreshing key %s with UID %s...\n" "${fpr_email[0]}" "${fpr_email[1]}"
             "${gpg_locate_external[@]}" "${fpr_email[1]}" || let ++error
         else