Hello,

This thread continues to go on despite there being an official ruling on it. [1]

> So, I guess, not including the PGP key directly alongside the PKGBUILD file is somehow more cautious. Right?
PKGBUILDs are always subject to malicious behaviour; however, you are speaking as if gpg is symmetric by default (it can do symmetric encryption), when it's not. The public key is used to verify a digital signature; it cannot sign sources. Its purpose isn't to ensure a PKGBUILD is not malicious, it is to ensure the sources pulled from upstream are signed by the expected developer. If not, the source is potentially vulnerable to tampering.

You should always check the source array anyway, because anyone can stick in a fork of the software with malicious intent. It doesn't matter if you pull it from a repo, some random HTTP endpoint, or a keyserver: the public key can be freely shared anywhere you like without any security issues, so including it alongside the PKGBUILD is not any less secure. In fact, it is more reliable, as keyservers are a pain to deal with. However, this is all listed within the RFC.

At the end of the day it's your package, but like I said in my previous email, it's best to stick to the official packaging standards; it also makes it easy for package maintainers to pull AUR packages into [extra] if they are already at the required standard.

I am clueless about the issues trying to be presented here. sha256sum and gpg signatures are not designed to prevent a packager giving you a malicious PKGBUILD; the packager doesn't need to include the signatures or checksums, they are optional after all (as in, makepkg will build with 'SKIP', though they SHOULD always be used). Checksums are used to verify the integrity of the download and ensure you downloaded what was expected; gpg signing ensures the sources were released by the expected developer and not some third party. But this doesn't ensure the PKGBUILD isn't malicious. You have got to read the PKGBUILD yourself and verify the following:

- No malicious bash commands
- Source comes from upstream, not some random fork or Dropbox link, for example
- The PGP key provided is the correct key of the upstream maintainer
I think I repeated the same point over and over again, not too sure, but there you go.

TL;DR: follow the official RFCs; they are approved by the staff team for a reason.

Take care,

-- 
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@icebound.dev

[1] https://rfc.archlinux.page/0011-store-source-signing-keys/
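The manual review the message asks for (read the source array, look for 'SKIP' checksums, check that validpgpkeys pins a full fingerprint and that the key is shipped beside the PKGBUILD in the keys/pgp/ layout the RFC describes) can be partly automated. The script below is an added example and is not code from the original message, from makepkg, or from Arch tooling; the sample PKGBUILD, hostnames, hash and fingerprint are constructed for illustration. It deliberately never sources the PKGBUILD, since that would execute whatever bash the packager put in it; it only pattern-matches the handful of assignments it cares about, so unusual bash (computed arrays, `+=`, nested parentheses) is out of scope and must still be read by a human.

```python
"""Static review of a PKGBUILD's source, checksum and PGP declarations.

Added example, not code from the original message or from pacman/makepkg.
The PKGBUILD is never sourced (that would execute whatever bash it holds);
only the assignments of interest are pattern-matched out of the text.
"""
import re
import shlex
from urllib.parse import urlparse

# Constructed sample for illustration only: hostnames, hash and the
# fingerprint are made up; this is not a real AUR package.
SAMPLE_PKGBUILD = r'''
pkgname=examplepkg
pkgver=1.2.3
pkgrel=1
url="https://example.org/examplepkg"
source=("https://example.org/releases/$pkgname-$pkgver.tar.gz"
        "https://example.org/releases/${pkgname}-${pkgver}.tar.gz.sig"
        "https://www.dropbox.com/s/abc123/fix.patch")
sha256sums=('4e6b9f5d1c2a3b4c5d6e7f8091a2b3c4d5e6f70819a2b3c4d5e6f708192a3b4c'
            'SKIP'
            'SKIP')
validpgpkeys=('ABCDEF0123456789ABCDEF0123456789ABCDEF01')
'''

SIG_SUFFIXES = (".sig", ".asc", ".sign")
ARRAY_RE = re.compile(r"^(\w+)=\((.*?)\)", re.M | re.S)   # simple name=(...) arrays only
SCALAR_RE = re.compile(r"^(\w+)=([^(\n]*)$", re.M)         # simple name=value lines


def parse_pkgbuild(text):
    """Return (scalars, arrays) extracted textually; no shell is executed."""
    scalars = {}
    for name, raw in SCALAR_RE.findall(text):
        words = shlex.split(raw)
        scalars[name] = words[0] if words else ""
    arrays = {name: shlex.split(body) for name, body in ARRAY_RE.findall(text)}
    return scalars, arrays


def expand(value, scalars):
    """Substitute $var / ${var} from parsed scalars; unknown vars are left as-is."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: scalars.get(m.group(1), m.group(0)), value)


def review(text, local_keys=frozenset()):
    """Return a list of findings a human reviewer should look at.

    local_keys: fingerprints of keys shipped next to the PKGBUILD as
    keys/pgp/<FINGERPRINT>.asc (the layout described by RFC 0011).
    """
    scalars, arrays = parse_pkgbuild(text)
    findings = []
    sources = [expand(s, scalars) for s in arrays.get("source", [])]
    sums = arrays.get("sha256sums", [])
    keys = arrays.get("validpgpkeys", [])
    upstream = urlparse(scalars.get("url", "")).hostname or ""

    if len(sums) != len(sources):
        findings.append("sha256sums length differs from source array")

    for i, src in enumerate(sources):
        url = src.split("::", 1)[-1]            # drop any "filename::" prefix
        host = urlparse(url).hostname           # None for local files in the repo
        is_sig = url.endswith(SIG_SUFFIXES)
        if host and host != upstream and not host.endswith("." + upstream):
            findings.append(f"source {i} not from upstream host {upstream}: {host}")
        # SKIP is conventional for detached signature files, not for payloads
        if i < len(sums) and sums[i] == "SKIP" and not is_sig:
            findings.append(f"source {i} has checksum SKIP: integrity not pinned")

    if any(s.split("::", 1)[-1].endswith(SIG_SUFFIXES) for s in sources) and not keys:
        findings.append("signature files present but validpgpkeys is empty: signer not pinned")

    known = {k.upper() for k in local_keys}
    for k in keys:
        if not re.fullmatch(r"[0-9A-Fa-f]{40}", k):
            findings.append(f"validpgpkeys entry is not a full 40-hex fingerprint: {k}")
        elif k.upper() not in known:
            findings.append(f"no keys/pgp/{k.upper()}.asc alongside PKGBUILD; would need a keyserver fetch")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_PKGBUILD, {"ABCDEF0123456789ABCDEF0123456789ABCDEF01"}):
        print(finding)
```

Run against the constructed sample with the key file present, it reports the two things a reviewer should actually stop on: the third source is fetched from a host other than the package's upstream, and that same file has a 'SKIP' checksum, so nothing pins what gets built. Drop the local key and it additionally notes that the pinned fingerprint would have to come from a keyserver. None of this replaces reading the build() and package() functions for malicious bash; it only makes the source-array part of the review mechanical.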