On 11/26/2016 01:01 AM, Florian Bruhin wrote:
* Upstream does not provide any GPG signature of the tarballs nor commit signature. I've chosen to provide a detached GPG signature of the downloaded tarball with my GPG key. For me, it's better to have this link-ability between the package maintainer and the downloaded tarball than nothing at all.
Not sure if that makes much sense, and FWIW I've had some issues with people not being able to install AUR packages with PGP keys. I don't recall exactly what the problem was though...
This. GPG signatures are meant to prove that upstream really released it, but if all you know is that the AUR maintainer *thinks* this is the upstream release, you might as well just stick with checksums, which will serve just as well to prove the source code is the same source code the AUR maintainer used. Anyone who can defeat the checksum (by modifying your PKGBUILD) can also defeat your own GPG key. -- Eli Schwartz