Arch Linux

Provided that I trust Arch Linux developers and Trusted Users, I am confident that package files retrieved and installed by Pacman are trusted because package signatures are verified automatically using a keyring located in /etc/pacman.d/gnupg folder and populated by "archlinux-keyring" package. On the other side, packages retrieved from AUR are user-submitted content and, therefore, I should manually check them against malicious code every time I am willing to install or upgrade packages from there in my system.

Because verifying PKGBUILD files manually is a time-consuming operation, I would like to have the possibility of trusting AUR packages selectively by trusting maintainers' GPG keys in my build environment. I am planning to do the following steps:
* Have a dedicated local user, a GPG keyring and a keypair to locally sign packages built by "makepkg".
* Import trusted AUR package maintainer keys to that keyring and sign them locally.
* Manually check signatures of AUR repositories being downloaded (cloned) by running "git verify-commit" or "git log --show-signature".
* Enable automatic signature checks of AUR repositories being updated (pulled) by setting "gpg.minTrustLevel=fully" and "merge.verifySignatures=true" in repository configs (git config --local).

I believe that AUR's underlying Git infrastructure already accepts signed commits from package maintainers. So, I am writing to propose the following features:
* AUR web interface should recognize packages published via signed Git commits and show signature information in information pages, such as key fingerprint and issuer's name.
* AUR submission guidelines should suggest publishers to sign their commits before pushing changes.
* AUR wiki page should provide instructions on how to verify Git signatures after downloading (cloning) a package.