Hello,

AUR uses SSH keys for authentication, and for a few months now Git has been able to sign commits with SSH keys. Would there be interest in combining this to somehow mark packages as verified if HEAD has a valid signature from an SSH key registered in the profile of any maintainer of that package?

I don't think it'd add much in terms of security per se, but I think it'd help to encourage and spread commit signing on the AUR. That's a good thing per se, imho, but I think it'd also simplify trust management a lot, especially when automatically building many AUR packages. Currently you always need an extra RPC call to the AUR to obtain reliable maintainer information for every package, because the git clone itself doesn't carry any trust information at all. With signing, however, you could just scrape SSH keys from maintainers you trust every once in a while, and assemble those into an ALLOWED_SIGNERS file for "git verify-commit". Asserting that a package HEAD is trusted would then come down to a simple "git verify-commit".

For this to work, AUR would need to publicly expose SSH keys in user profile pages, which definitely requires some care wrt privacy. Another challenge would be to make a UI which clearly indicates that "verified" only means the HEAD was signed by a maintainer, not that the Arch team or a TU has actually verified the PKGBUILD, let alone the package contents.

But if there's interest in the feature, I'd be happy to start working on a patch to aurweb to contribute this feature.

Kind regards,
Basti