As explained by Allan Mcrae here, when installing AUR packages which come with a GPG signature, if the user is to avoid importing and locally signing all the relevant GPG keys (from the package developers), then something like validpgpkeys=('F37CDAB708E65EA183FD1AF625EF0A436C2A4AFF') has to be added to the PKGBUILD.
Currently, if a package has a GPG sig (e.g. tor-browser-en), makepkg will fail to verify the signature, and thus pkgbuilder will fail to build the package. Could it be possible (and what level of effort would be required) to add a prompt that allows the user to confirm whether a GPG key with the fingerprint in the PKGBUILD is to be regarded as trusted? (And if the answer is 'yes', to add the validpgpkeys=... line to the PKGBUILD on the fly.)
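The following is an added example sketching the prompt-and-patch flow requested above; it is not pkgbuilder's or makepkg's own code. It assumes a wrapper has captured makepkg's output (the "FAILED (unknown public key ...)" lines are constructed here in the shape makepkg prints them), and that the full fingerprint is looked up separately with `gpg --with-colons --fingerprint`, since makepkg only reports the 16-digit long key ID while validpgpkeys needs the 40-digit fingerprint. The helper names (unknown_keyids, fingerprint_of, add_validpgpkey, prompt_trust) are invented for this example.

```shell
#!/bin/sh
# Added example, not pkgbuilder/makepkg code. Helpers for the flow
# "makepkg failed on an unknown key -> ask the user -> record the fingerprint".

# Pull the long key IDs out of captured makepkg output, one per line, deduplicated.
# makepkg prints lines like "  foo.tar.xz ... FAILED (unknown public key 25EF0A436C2A4AFF)".
unknown_keyids() {
    grep -o 'unknown public key [0-9A-Fa-f]*' | awk '{print $4}' | sort -u
}

# Read `gpg --with-colons --fingerprint <keyid>` output on stdin and print the
# primary key's fingerprint (field 10 of the first "fpr" record).
fingerprint_of() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Record fingerprint $2 in validpgpkeys of the PKGBUILD at path $1.
# Only a full 40-hex-digit fingerprint is accepted (makepkg matches on full
# fingerprints, so a short or long key ID would silently never match).
# Idempotent: an already-listed fingerprint is left alone, an existing array is
# extended at its head (works for one-line and multi-line arrays), and a missing
# array is appended at the end of the file.
add_validpgpkey() {
    pkgbuild=$1
    fpr=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    case $fpr in
        ""|*[!0-9A-F]*) echo "not a hex fingerprint: $2" >&2; return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || { echo "need a 40-digit fingerprint, got: $2" >&2; return 1; }
    if grep -q "$fpr" "$pkgbuild"; then
        return 0
    fi
    if grep -q '^validpgpkeys=(' "$pkgbuild"; then
        # validpgpkeys=('A' ...) -> validpgpkeys=('FPR' 'A' ...)
        sed "s/^validpgpkeys=(/validpgpkeys=('$fpr' /" "$pkgbuild" > "$pkgbuild.tmp" &&
            mv "$pkgbuild.tmp" "$pkgbuild"
    else
        printf "validpgpkeys=('%s')\n" "$fpr" >> "$pkgbuild"
    fi
}

# Ask whether fingerprint $2 should be trusted for the PKGBUILD at $1 and, on
# yes, record it. The answer is read from stdin so the prompt can be scripted.
prompt_trust() {
    printf 'Trust PGP key %s for %s and add it to validpgpkeys? [y/N] ' "$2" "$1" >&2
    read -r answer
    case $answer in
        [yY]|[yY][eE][sS]) add_validpgpkey "$1" "$2" ;;
        *) echo "key not trusted; makepkg will keep failing signature verification" >&2; return 1 ;;
    esac
}
```

Note that a prompt like this is only as strong as the user's check of the fingerprint: the key ID in makepkg's error comes from the signature file in the same download as the tarball, so confirming it blindly is trust-on-first-use. The fingerprint should be compared against one published by the upstream project before answering "y".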