On 30-06-2026 22:24, Sean E. Russell wrote:
The archlinux-keyring is only for Package Maintainers. It's a
and

On Mon Jun 29, 2026 at 11:03 AM PDT, Christian Heusel wrote:
the sole purpose of a signature by one the master key holders (and
following that the inclusion of a key in `archlinux-keyring`) is to
enable someone to package for the _official_ Arch Linux repositories
This stands out to me: while AUR helpers (yay, pakku) do end up using a user's
keyring in conjunction with `validpgpkeys`, it sounds as if that's either
unexpected or some unintentional side-effect.


It's not unintended nor unexpected but the way this is designed.


When the pacman project added support for using signed packages the support for pacman and makepkg tools was implemented as two systems with their own keyring .

pacman uses the /etc/pacman.d/gnupg folder , details on https://wiki.archlinux.org/title/Pacman/Package_signing .

Note that archlinux-keyring is NOT a pacman component but was added later by arch devs to solve issues with updating the keys used for signing repo packages .


Makepkg got a separate system that gets keys from the user keyring at $HOME/.gnupg .


Keep in mind that aur helpers don't build things themselves but use makepkg to do the building .


Lone_Wolf


Reply via email to