A new RFC (request for comment) has been opened here: https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/11 Please visit the above link for discussion. Summary: Store the PGP signing keys listed in a PKGBUILDs `validpgpkeys` array in the trunk directory of SVN. Motivation: The PGP keyserver infrastructure has become increasingly brittle over recent years. This can make helping with updates or rebuilds of packages difficult due to lack of access to the valid signing key. Having the signing key exported along side the PKGBUILD would allow for anybody to import the key into their keyring and verify the source.