Hi,

I maintain the AUR package for wget2 [0] (which has `validpgpkeys()` populated) and have recently been contacted by a user who has trouble with GPG signature verification when building the package in a Docker container (using aurutils, apparently).

Their first suggestion was for me to drop the validpgpkeys section to make it easier for them to build the package. This is not something I'm willing to implement, as that means downgrading security for other users of the package. makepkg provides an escape hatch for users who don't care about signature verification via the `--skippgpcheck` flag.

Their second suggestion was for me to add the GPG public keys directly to the AUR package. My first thought was that this is also not a good idea, but I'm not sure I can come up with convincing arguments.

My reason against it is that the PGP key allows a user of my PKGBUILD to verify that I only include sources which have been signed by the maintainer of the software. As packager, I can control the source and hashes for a package, so if I want to use a malicious source, I can just update the hash to match, but I can't easily change the upstream signing key. However, if the user relies on the key included with the package, then I could use my own malicious key, so the user should compare the key with upstream sources anyway.

On the other hand, retrieving keys from the keyservers can be a crapshoot. I certainly have been bitten by that brittle infrastructure in the past, and having a copy of the key can alleviate that. That also seems to be the reason why Arch proper has started including copies of GPG keys with their packages (see for example glibc [1]). This has been codified in RFC0011 [2] and is managed via the `export-pkgbuild-keys` script included in devtools. There doesn't seem to be any discussion of the downsides of this approach in the RFC and the accompanying Merge Request.

Users who wish to make sure that the GPG keys used are the ones published by upstream can always ignore the included key files and grab the keys directly from the keyservers.

Do you think including GPG keys with AUR packages to make it easier for some users is a good idea? Or should they just use `--skippgpcheck`? Are there any glaring issues I'm missing here? Do you know of AUR packages that include the GPG keys for source verification similar to what Arch packages do?

[0]: https://aur.archlinux.org/packages/wget2
[1]: https://gitlab.archlinux.org/archlinux/packaging/packages/glibc/-/tree/2.39-...
[2]: https://rfc.archlinux.page/0011-store-source-signing-keys/

Cheers,
Wilhelm.
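The point raised above, that a key shipped inside the package is only as trustworthy as the fingerprint the user compares it against, can be checked mechanically: makepkg accepts a signature only if the signing key's fingerprint appears in `validpgpkeys`, and that fingerprint is derived from the key material itself (RFC 4880 section 12.2), so a shipped key file in the RFC0011 layout (`keys/pgp/<FINGERPRINT>.asc`) can be verified offline against the pinned array before the user goes on to compare that fingerprint with what upstream publishes. The script below is an added example written for this thread, not code from makepkg, devtools or the wget2 package; it implements just enough of the OpenPGP format (ASCII armor with its CRC24 trailer, packet headers, v4 fingerprints) to do that check, and the "key" it operates on is constructed toy key material, not a real key, with a constructed PKGBUILD fragment to match. A tampered key, with different key material, is shown to fail the check.

```python
"""Offline check: do the key files shipped with a PKGBUILD carry the
fingerprints pinned in validpgpkeys?  Added example, not makepkg code.
The sample key and PKGBUILD below are constructed for the demonstration."""
import base64
import hashlib
import re
import struct


def crc24(data: bytes) -> int:
    """Armor checksum, RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armored: str) -> bytes:
    """Strip ASCII armor, verify the CRC24 trailer, return raw packet bytes."""
    lines = armored.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not a public key block")
    body, checksum, in_body = [], None, False
    for line in lines[1:]:
        if line.startswith("-----END"):
            break
        if not in_body:                      # armor headers end at a blank line
            in_body = line.strip() == ""
            continue
        if line.startswith("="):
            checksum = line[1:]
        else:
            body.append(line)
    data = base64.b64decode("".join(body))
    if checksum is not None and int.from_bytes(base64.b64decode(checksum), "big") != crc24(data):
        raise ValueError("armor CRC24 mismatch")
    return data


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet; old- and new-format headers, no partial lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header")
        i += 1
        if ctb & 0x40:                       # new format
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        yield tag, data[i:i + length]
        i += length


def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, two-byte length, key packet body."""
    if key_body[0] != 4:
        raise ValueError("only v4 keys supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def primary_fingerprint(armored: str) -> str:
    """Fingerprint of the primary key (tag 6); validpgpkeys pins primary fingerprints."""
    for tag, body in parse_packets(dearmor(armored)):
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("no public-key packet found")


def parse_validpgpkeys(pkgbuild: str) -> list:
    """Pull the 40-hex fingerprints out of a PKGBUILD's validpgpkeys=(...) array."""
    m = re.search(r"validpgpkeys=\((.*?)\)", pkgbuild, re.S)
    return [f.upper() for f in re.findall(r"[0-9A-Fa-f]{40}", m.group(1))] if m else []


def shipped_key_is_pinned(armored: str, validpgpkeys) -> bool:
    """True only if the shipped key's own fingerprint is one the PKGBUILD pins."""
    return primary_fingerprint(armored) in {k.replace(" ", "").upper() for k in validpgpkeys}


def build_sample_key(modulus: bytes, exponent: int = 65537) -> str:
    """Armor a constructed v4 RSA public-key packet (toy material, not a usable key)."""
    def mpi(value: int) -> bytes:
        return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1700000000) + b"\x01" + mpi(int.from_bytes(modulus, "big")) + mpi(exponent)
    packet = b"\x99" + struct.pack(">H", len(body)) + body     # old-format tag 6, 2-byte length
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


SAMPLE_KEY = build_sample_key(bytes(range(1, 65)))       # constructed "upstream" key
TAMPERED_KEY = build_sample_key(bytes(range(2, 66)))     # constructed swapped-in key
SAMPLE_PKGBUILD = (  # constructed fragment; the pinned value is what a user compares with upstream
    'source=("pkg-1.0.tar.gz" "pkg-1.0.tar.gz.sig")\n'
    "validpgpkeys=('" + primary_fingerprint(SAMPLE_KEY) + "')  # upstream signing key\n"
)

if __name__ == "__main__":
    pinned = parse_validpgpkeys(SAMPLE_PKGBUILD)
    for name, key in (("keys/pgp/upstream.asc", SAMPLE_KEY), ("keys/pgp/tampered.asc", TAMPERED_KEY)):
        print(name, primary_fingerprint(key), "pinned" if shipped_key_is_pinned(key, pinned) else "NOT pinned")
```

Run against a real package, the two inputs would be the PKGBUILD text and the contents of each `keys/pgp/*.asc` file; a key whose fingerprint is not in `validpgpkeys` would never satisfy makepkg anyway, so a mismatch here indicates the packager changed one without the other. The check that the page's poster asks users to make remains the manual one: the fingerprint in `validpgpkeys` must agree with the one upstream publishes, which this script cannot decide on its own.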