Why can't we do this?
1) Keep hashes of {core,extra,community,multilib}.db in plaintext in
keys.archlinux.org or something
2) while syncing pacman compares the hashes of the downloaded dbs from the
main server ensuring that the packages are not tampered!
--
have a nice day
-jck