Currently, pacman-key has the following in verify_sig():

if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" | grep -qE 'TRUST_(FULLY|ULTIMATE)'; then
error "$(gettext "The signature identified by %s could not be verified.")" "$sig"
ret=1
fi

This check can be very easily spoofed, since it doesn't make sure that TRUST_FULLY is the field name, and not the value. Meaning, there are at least two ways to get any string in gpg's output:

a) create a key and enter "TRUST_FULLY" when prompted for the full name;

b) attach a notation (gpg --set-notation TRUST_FULLY@example.com=ponies --sign); gpg prints the value hex-encoded, but the name in plain.

Instead, pacman-key should check for /^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)$/; that is:

1) only accept --status-fd output ("[GNUPG:]" prefix) and not the human-readable output,
2) require "TRUST_*" to be the 2nd word in the line, immediately after "[GNUPG:]"