[arch-dev-public] RFC Final Comment Period: Store PGP keys for source file signatures alongside PKGBUILDs

Allan McRae allan at archlinux.org
Thu Mar 10 23:12:56 UTC 2022

An RFC has now entered Final Comment Period. In 14 days, discussion will 
end and the proposal will either be accepted, rejected or withdrawn:


Please visit the above link for discussion.

Store the PGP signing keys listed in a PKGBUILDs `validpgpkeys` array 
alongside the PKGBUILD in our VCS.

The PGP keyserver infrastructure has become increasingly brittle over 
recent years. This can make helping with updates or rebuilds of packages 
difficult due to lack of access to the valid signing key. Having the 
signing key exported alongside the PKGBUILD would allow for anybody to 
import the key into their keyring and verify the source.

More information about the arch-dev-public mailing list