AUR web interface

**This is the bug tracker for the AUR web interface.**

Use this tracker to report bugs or make feature requests regarding the behaviour or implementation of the AUR software.
Please read the Reporting Bug Guidelines before filing a new task.
http://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

- Please report bugs related to Arch Linux official packages here: http://bugs.archlinux.org/index.php?project=1
- Please report bugs for [community] packages here: http://bugs.archlinux.org/index.php?project=5
- For any packages in the AUR contact the maintainer or leave a comment on the package's detail page.

Source Code:
https://projects.archlinux.org/aurweb.git/

FS#66125 - Recognize signed commits and show signature information in AUR web interface

Attached to Project: AUR web interface
Opened by Anderson Medeiros Gomes (amg1127) - Sunday, 05 April 2020, 08:54 GMT
Task Type: Feature Request
Category: Backend
Status: Unconfirmed
Assigned To: No-one
Architecture: All
Severity: Low
Priority: Normal
Reported Version: 4.7.0
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 2
Private: No

Details

Provided that I trust Arch Linux developers and Trusted Users, I am confident that package files retrieved and installed by Pacman are trusted because package signatures are verified automatically using a keyring located in /etc/pacman.d/gnupg folder and populated by "archlinux-keyring" package. On the other side, packages retrieved from AUR are user-submitted content and, therefore, I should manually check them against malicious code every time I am willing to install or upgrade packages from there in my system.

Because verifying PKGBUILD files manually is a time-consuming operation, I would like to have the possibility of trusting AUR packages selectively by trusting maintainers' GPG keys in my build environment. I am planning to do the following steps:
* Have a dedicated local user, a GPG keyring and a keypair to locally sign packages built by "makepkg".
* Import trusted AUR package maintainer keys to that keyring and sign them locally.
* Manually check signatures of AUR repositories being downloaded (cloned) by running "git verify-commit" or "git log --show-signature".
* Enable automatic signature checks of AUR repositories being updated (pulled) by setting "gpg.minTrustLevel=fully" and "merge.verifySignatures=true" in repository configs (git config --local).

I believe that AUR's underlying Git infrastructure already accepts signed commits from package maintainers. So, I am writing to propose the following features:
* AUR web interface should recognize packages published via signed Git commits and show signature information in information pages, such as key fingerprint and issuer's name.
* AUR submission guidelines should suggest that publishers sign their commits before pushing changes.
* AUR wiki page should provide instructions on how to verify Git signatures after downloading (cloning) a package.
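A check that applies the policy described in the request (good signature, trust level at least "fully", signing key among the maintainer keys imported into the local build keyring) to the commits of a cloned AUR package repository. This is an added example, not code from the task or from aurweb; it assumes the log was produced with `git log --format='%H%x09%G?%x09%GT%x09%GF%x09%GS'` (git's documented pretty-format placeholders) and uses constructed sample lines.

```python
from __future__ import annotations
from dataclasses import dataclass

# Meaning of git's %G? signature status letters (git-log(1), PRETTY FORMATS).
STATUS = {"G": "good signature", "B": "bad signature",
          "U": "good signature, unknown validity", "X": "good signature, expired",
          "Y": "good signature, key expired", "R": "good signature, key revoked",
          "E": "signature cannot be checked", "N": "no signature"}
# %GT values that satisfy the gpg.minTrustLevel=fully setting from the request.
MIN_TRUST = ("fully", "ultimate")

@dataclass
class Verdict:
    commit: str
    ok: bool
    reason: str

def check_commit(line: str, trusted_fprs: set[str]) -> Verdict:
    """Judge one tab-separated line: <hash> <%G?> <%GT> <%GF> <%GS>."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        return Verdict(fields[0] if fields else "?", False, "malformed log line")
    commit, status, trust, fpr, signer = fields
    if status != "G":  # reject everything but a good signature, including N, E and U
        return Verdict(commit, False, STATUS.get(status, f"unknown status {status!r}"))
    if trust not in MIN_TRUST:
        return Verdict(commit, False, f"trust level {trust!r} below 'fully'")
    if fpr.upper() not in trusted_fprs:  # key must be one the builder imported and signed
        return Verdict(commit, False, f"key {fpr} not in the trusted maintainer set")
    return Verdict(commit, True, f"signed by {signer} ({fpr})")

def check_log(log_text: str, trusted_fprs: set[str]) -> list[Verdict]:
    """Check every non-empty line; all must pass before the PKGBUILD is trusted."""
    return [check_commit(l, trusted_fprs) for l in log_text.splitlines() if l.strip()]

# Constructed sample input: hashes and fingerprints are placeholders, not AUR data.
TRUSTED = {"A" * 40}
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("1" * 40, "G", "fully", "A" * 40, "Alice Maintainer"),    # accepted
    ("2" * 40, "G", "marginal", "A" * 40, "Alice Maintainer"), # trust too low
    ("3" * 40, "N", "", "", ""),                               # unsigned commit
    ("4" * 40, "G", "fully", "B" * 40, "Unknown Signer"),      # key not trusted
])

if __name__ == "__main__":
    for v in check_log(SAMPLE_LOG, TRUSTED):
        print("OK  " if v.ok else "FAIL", v.commit[:8], v.reason)
```

Only the first sample commit passes; a pull that brings in any of the other three would be refused by a builder applying this policy, matching what `merge.verifySignatures=true` with `gpg.minTrustLevel=fully` is meant to enforce.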