SSH commit signatures on AUR

Kevin Morris kevr at
Sat Apr 2 01:36:55 UTC 2022

This brings up a question, though:

How do we treat verified commits? Do we check these at all from a server,
standpoint, or is it purely for consumers?

I already sign my AUR commits, and I can verify them:

(venv) { kevr sprunge } > git verify-commit 8d5259274278ac103c45622ed91b5ee83673db2
gpg: Signature made Mon 03 Jan 2022 01:28:24 PM PST
gpg:                using RSA key 0F985B6F99B6686854C44EC3F7E46DED420788F3
gpg: Good signature from "Kevin Morris (kevr) <kevr at>" [ultimate]

So this seems to already be possible. Are we looking for some kind of
AUR package webview visible Verified tag that shows when HEAD is

Kevin Morris
Software & Linux Enthusiast
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the aur-dev mailing list