For clarity: on 05/11, Marc Lehmann via arch-general wrote:
He replied that the arch build system automatically treats all .sig files as gpg signatures, and that this can't be switched off; that the signature for http://dist.schmorp.de/liblzf/liblzf-3.6.tar.gz does not verify, and claimed this affects all of the file signatures.
This is indeed the case, see [0].
I in turn replied that I consider this a candidate for a bug report against the arch build system, as it shouldn't enforce treatment of random .sig files as gpg signatures. I also pointed out that it is a security bug if arch linux treats .sig files without a hardcoded or otherwise authenticated gpg key id, and shouldn't rely on a random openpgp signature, even if that signature verifies. I did mention that I can hardly imagine that the arch build system would be that broken, however.
But this part is not, i.e. makepkg will only accept signatures from key(s) whose fingerprints are specified in validpgpkeys, and will not accept other random signatures. So there is no security issue here.

I hope that was helpful.

Regards,
Tharre

[0] https://wiki.archlinux.org/index.php/PKGBUILD#Sources

--
PGP fingerprint: 42CE 7698 D6A0 6129 AA16 EF5C 5431 BDE2 C8F0 B2F4
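To make the point of the reply concrete, here is an added illustration (not makepkg's own code and not from the thread) of the gate it describes: a signature is accepted only when gpg reports it valid and the signing key's full fingerprint appears in validpgpkeys, so a signature that merely verifies under some unpinned key is rejected. The fingerprints and gpg status lines are constructed placeholders, and validpgpkeys is a space-separated string rather than a bash array so the snippet runs under plain POSIX sh.

```shell
# Constructed model of makepkg's validpgpkeys check (added example, not
# project code). Input is gpg --status-fd output; the lines fed to it in
# this example are made up, and real makepkg handles more status keywords.

# Full fingerprint(s) pinned by the PKGBUILD author (placeholder value).
validpgpkeys="0000000000000000000000000000000000000001"

# check_sig_status: read gpg status lines on stdin; succeed (0) only if
# the signature is cryptographically valid AND the signing key's
# fingerprint is listed in validpgpkeys; otherwise fail (1).
check_sig_status() {
    fpr=''
    valid=0
    while read -r line; do
        case "$line" in
            '[GNUPG:] VALIDSIG '*)
                # Third field of a VALIDSIG line is the signing key fingerprint.
                rest=${line#'[GNUPG:] VALIDSIG '}
                fpr=${rest%% *}
                valid=1
                ;;
            '[GNUPG:] BADSIG '*|'[GNUPG:] ERRSIG '*|'[GNUPG:] NO_PUBKEY '*)
                return 1        # broken or unverifiable signature
                ;;
        esac
    done
    [ "$valid" -eq 1 ] || return 1
    for key in $validpgpkeys; do
        [ "$key" = "$fpr" ] && return 0   # valid and pinned: accept
    done
    return 1                    # valid, but the key was never pinned: reject
}
```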