Responding to Christian's email, but I'll collate messages so as to not pollute the list too much.
TLDR, it's clear that I'm trying to use `PKGBUILD` source signing in a way that it was not intended for. On Mon Jun 29, 2026 at 11:10 AM PDT, Leonidas Spyropoulos wrote: > The archlinux-keyring is only for Package Maintainers. It's a and On Mon Jun 29, 2026 at 11:03 AM PDT, Christian Heusel wrote: > the sole purpose of a signature by one the master key holders (and > following that the inclusion of a key in `archlinux-keyring`) is to > enable someone to package for the _official_ Arch Linux repositories This stands out to me: while AUR helpers (yay, pakku) do end up using a user's keyring in conjunction with `validpgpkeys`, it sounds as if that's either unexpected or some unintentional side-effect. While I disagree about the the assertion that it does not increast trustworthiness to sign an upstream source with a key which is signed by a key already in the users' webs of trust (namely, `archlinux-keyring`), it's obvious that not only is this a sort of hacky solution, but that it's being generally frowned upon -- seeing as there's not been a single encouraging response from anyone in the core team. Yeah, it's only been a day, but still... it was a long shot anyway idea, and I'm not really energized to pursue it. It's a challenging situation for FOSS software developers: we already invest time and money to develop software to give away gratis; the Bazaar is being poisoned by these supply-chain attacks, in AUR but also Go and npm. I still hope to find a reputation-based solution; right now, Arch's implicit trust model is locked to core Arch maintainers and it doesn't scale to (e.g.) AUR contributors. I'm not implying that it _should_, just that I don't see a way to offer more trust to users. I also don't want AUR to get harder to contribute to; I also manage packages in Alpine, and it's significantly slower and harder to release versions, and with more burden on Alpine maintainers. Anyway, thanks to everyone who responded. --- SER Sean E. Russell (https://ser1.net) OpMsg: https://ser1.net/.well-known/opmsg.txt GPG key: https://ser1.net/.well-known/pgp.asc Minisign: https://ser1.net/.well-known/minisign.pub Age: age195vpft7nzsy83medxagqqsge0lrcuf9txe3z2znlu2wsk69cdu4sx8nfvp
