Forgive me if I'm mistaken, but I think the linked RFC applies to the official Arch Linux repositories, not to the AUR. The official repositories, unlike the AUR, are curated by trusted package maintainers who would presumably vet any PGP keys before importing them into VCS. If you trust the official package maintainers, you can by extension trust the PGP keys they pull into VCS.

By contrast, AUR packages are explicitly unsupported and left to the user to review before building and installing. The mere presence of a PGP key alongside the PKGBUILD does not necessarily mean you should trust that PGP key to sign the sources - as others have pointed out, you should always check upstream for which key(s) are supposed to be signing the sources. If upstream doesn't state anywhere what keys are used, then it doesn't help if keys are shipped with the PKGBUILD, because there's no way to know if they're the right ones.

However, I do agree that shipping keys alongside the PKGBUILD can make it easier to import the key once you know which key you need. All you really need from upstream is the expected key fingerprint; once you have that you can import the key from anywhere as long as you verify that the key has the expected fingerprint. Similarly, you could choose to simply review the downloaded sources and, once you're confident that they're not malicious, accept the key as trusted for future package updates. For example, yay [1] makes it easy to review only the diff of new PKGBUILD versions, so as long as the validpgpkeys and signature sources don't change you can be confident that the sources are still from the same developer that you chose to trust.

[1]: https://aur.archlinux.org/packages/yay

/Emil
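
[Editor's note: the following is an added example, not part of Emil's message, of makepkg, or of yay.] It shows the two checks the paragraph above describes: comparing a PKGBUILD's validpgpkeys against the fingerprint upstream publishes (normalised, since upstream pages often print it with spaces or a 0x prefix), and, when a new PKGBUILD revision arrives, flagging whether validpgpkeys or the signature sources changed, so that a plain pkgver bump can be accepted while a new signing key gets a proper look. The PKGBUILD text, package name, URLs and fingerprints are constructed for illustration and do not refer to any real AUR package or key. The array parser deliberately does not source the PKGBUILD, since that would execute untrusted shell.

```python
"""Check an AUR PKGBUILD's validpgpkeys against fingerprints obtained from
upstream, and flag trust-relevant changes between two PKGBUILD revisions.

Added example, not code from the mailing-list thread, makepkg or yay. The
PKGBUILD text, URLs and fingerprints below are constructed for illustration.
"""
import re
import shlex

HEX40 = re.compile(r"^[0-9A-F]{40}$")  # full v4 OpenPGP fingerprint


def normalize_fingerprint(value: str) -> str:
    """Canonicalise a fingerprint as upstream pages print it: drop whitespace
    and an optional 0x prefix, upper-case the hex digits."""
    fpr = re.sub(r"\s+", "", value).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    return fpr


def parse_bash_array(pkgbuild: str, name: str) -> list[str]:
    """Extract name=( ... ) from a PKGBUILD text without executing it
    (sourcing an untrusted PKGBUILD would run its code). Entries keep
    ${var} references literally, which is what we want for diffing."""
    m = re.search(rf"^\s*{re.escape(name)}=\((.*?)\)", pkgbuild, re.S | re.M)
    if not m:
        return []
    return shlex.split(m.group(1), comments=True)


def signature_sources(pkgbuild: str) -> list[str]:
    """Source entries makepkg verifies with gpg (detached signatures).
    Handles the name::url form by looking at the URL part only."""
    return [s for s in parse_bash_array(pkgbuild, "source")
            if re.search(r"\.(sig|asc|sign)$", s.split("::", 1)[-1])]


def check_validpgpkeys(pkgbuild: str, upstream_fingerprints) -> dict:
    """Compare the PKGBUILD's validpgpkeys with what upstream documents.
    Only keys present in both should be imported and trusted; anything
    shorter than a full fingerprint is rejected outright."""
    expected = {normalize_fingerprint(f) for f in upstream_fingerprints}
    result = {"trusted": [], "unknown": [], "malformed": []}
    for key in parse_bash_array(pkgbuild, "validpgpkeys"):
        fpr = normalize_fingerprint(key)
        if not HEX40.fullmatch(fpr):
            result["malformed"].append(key)
        elif fpr in expected:
            result["trusted"].append(fpr)
        else:
            result["unknown"].append(fpr)
    return result


def trust_relevant_changes(old_pkgbuild: str, new_pkgbuild: str) -> dict:
    """For a PKGBUILD update, the fields that decide whose signature is
    accepted are validpgpkeys and the signature sources. Report whether
    either changed, so a version-only bump can be distinguished from a
    change of signer."""
    old_keys = {normalize_fingerprint(k) for k in parse_bash_array(old_pkgbuild, "validpgpkeys")}
    new_keys = {normalize_fingerprint(k) for k in parse_bash_array(new_pkgbuild, "validpgpkeys")}
    return {
        "validpgpkeys_changed": old_keys != new_keys,
        "signature_sources_changed":
            signature_sources(old_pkgbuild) != signature_sources(new_pkgbuild),
        "added_keys": sorted(new_keys - old_keys),
        "removed_keys": sorted(old_keys - new_keys),
    }


# Constructed sample: three revisions of a hypothetical PKGBUILD (not a real AUR package).
PKGBUILD_V1 = """\
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
source=("https://example.org/releases/example-tool-${pkgver}.tar.gz"
        "https://example.org/releases/example-tool-${pkgver}.tar.gz.sig")
sha256sums=('SKIP' 'SKIP')
validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567')  # Example Dev <dev@example.org>
"""
# Revision 2: version bump only, trust settings unchanged.
PKGBUILD_V2 = PKGBUILD_V1.replace("pkgver=1.2.0", "pkgver=1.3.0")
# Revision 3: version bump plus a second signing key upstream never documented.
PKGBUILD_V3 = PKGBUILD_V2.replace(
    "validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567')",
    "validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567'\n"
    "              'FEDCBA9876543210FEDCBA9876543210FEDCBA98')",
)
# Fingerprint in the spaced form a (constructed) upstream website prints it.
UPSTREAM_FINGERPRINTS = ["0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"]

if __name__ == "__main__":
    for label, pb in (("v1", PKGBUILD_V1), ("v3", PKGBUILD_V3)):
        print(label, check_validpgpkeys(pb, UPSTREAM_FINGERPRINTS))
    print("v1->v2", trust_relevant_changes(PKGBUILD_V1, PKGBUILD_V2))
    print("v2->v3", trust_relevant_changes(PKGBUILD_V2, PKGBUILD_V3))
```

Once a fingerprint passes check_validpgpkeys, the key can be fetched from any source (a keyserver, the file next to the PKGBUILD, upstream's website) and imported, because gpg will bind whatever it imports to that same fingerprint; the check here is only whether the fingerprint you are about to trust is the one upstream vouches for. The v2->v3 case is the one to stop on: the package still builds, but the accepted signer set grew.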


On 2/13/24 03:57, Abraham S.A.H. wrote:

However this is all listed within the RFC.
Thanks @Polarian. That RFC didn't occur to me.

--
Best Regards,
Abraham
Sent with Tutanota; https://tuta.com