SSH commit signatures on AUR

PedanticDM pedanticdm at
Sat Mar 5 05:20:29 UTC 2022

On 3/2/22 11:38 AM, Sebastian Wiesner via aur-dev wrote:

> For this to work AUR would need to publicly expose SSH keys in user
> profile packages, which definitely requires some care wrt to privacy.

Github (and Gitlab) both expose users' public ssh and pgp keys to the 
web. Take me for example, though you could search&replace with any valid 


(I'm most familiar with Github, hence this and a future example).

Waxing pedantic, I'm not sure how many "privacy" concerns exist in this 
space since we're dealing in public keys (it's in the name). Trust and 
integrity (cough SKS keyservers cough) are the prominent concerns in my 

> But if there's interest in the feature, I'd be happy to start working
> on a patch to aurweb to contribute this feature.

I see some value in it. Nothing fancy would be required. Github, for 
instance, presents a "verified" tag alongside every commit signed by 
UserA with the public key UserA uploaded to their account, plus a commit 
Author field with correct data. And, in Vigilant Mode, you get scary 
"unverified" and discomforting "partially verified" tags as well. ^_^

Have a good weekend, everyone! Cheers!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the aur-dev mailing list