On 29/06/2026 16:25, Sean E. Russell wrote:
Hi,
Hello,
I maintain a handfull of packages in AUR -- most of which I'm also the upstream
author of -- and with all the recent hubub have been thinking about improving
the trustability of those packages. I hadn't before really looked into signing
since that seems mostly the domain of the core repositories and specifically
signed _built_ packages (ignoring `-bin` packages in AUR for the moment).

It occurs to me that my signature is going to have the most value to diligent
checkers if it's signed by one of the trusted keys in `archlinux-keyring`, which
of course leads me to wonder: is there a documented process for non-core
contributors to get their keys signed? Arch Linux key signing parties, or
something?

The archlinux-keyring is only for Package Maintainers. It's a requirement for packages for core, extra and multilib. At the moment there's no official way that the AUR contributors would would be included in the keyring and no long terms plans either for that. There are a few AUR contributors which already sign and publish their packages in third party repos with signatures included - check the wiki.

Cheers,

--
Leonidas Spyropoulos
Developer & DevOps
PGP: 59E43E106B247368
     244740D17C7FD0EC

Attachment: OpenPGP_0x244740D17C7FD0EC.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Reply via email to