Apparently there is some confusion in this discussion, regarding what must be passed over trusted channels (not pointing at any particular person). So, to clarify.

For the purpose of signature verification, public key material is not required to be taken from a trusted source. The thing to be verified through a trusted route is the fingerprint.

Yes, from a purely cryptographic PoV this is imperfect: the fingerprint is SHA-1, which no longer provides necessary security guarantees. A malicious agent may theoretically provide a forged key with a matching fingerprint. But “I believe this website” isn’t a valid cryptographic construct either; instead obtaining signatures is required. So the argument is mostly moot.

When talking about obtaining keys based on evaluating trust in a non-cryptographic manner, there is little difference in getting a complete key from places you trust, compared to getting a key off anywhere and getting a fingerprint/keyID from the places you trust. Key owners publishing their keys on their/project website is the best way, but — in its absence — just verify the fingerprint.

In particular, keyservers are not more trusted than AUR. Quite the opposite. With keyservers, to you the key uploader is anonymous. On AUR the uploader is pseudonymous or a traceable person.

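The check described in the message above, as an added example that is not part of the original post: it computes the OpenPGP v4 fingerprint (SHA-1 over the public-key packet, per RFC 4880) of a key fetched from any source and compares it with a fingerprint obtained through a trusted route. The function names and the toy sample packet are constructed for illustration; binary (non-armored) key data and a full 40-digit fingerprint are assumed.

```python
import hashlib
import hmac
import struct

def first_public_key_body(data: bytes) -> bytes:
    """Return the body of the leading packet, which must be a v4 public key (tag 6)."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    hdr = data[0]
    if hdr & 0x40:                                   # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                            # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = 1 << ltype                            # 1, 2 or 4 length octets
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    body = data[off:off + length]
    if tag != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("expected a complete version 4 public-key packet")
    return body

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the two-octet body length, and the packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def matches_trusted(key_bytes: bytes, trusted_fpr: str) -> bool:
    """True if the untrusted key hashes to the fingerprint from the trusted route."""
    wanted = "".join(trusted_fpr.split()).upper()    # accept "ABCD EF01 ..." spacing
    if len(wanted) != 40 or any(c not in "0123456789ABCDEF" for c in wanted):
        raise ValueError("expected a full 40-hex-digit fingerprint")
    return hmac.compare_digest(v4_fingerprint(first_public_key_body(key_bytes)), wanted)

# Constructed sample: a toy v4 RSA public-key packet (not a real key).
SAMPLE_BODY = (b"\x04" + struct.pack(">IB", 1700000000, 1)
               + b"\x00\x10\xc3\x55" + b"\x00\x11\x01\x00\x01")
SAMPLE_KEY = bytes([0x98, len(SAMPLE_BODY)]) + SAMPLE_BODY

if __name__ == "__main__":
    fpr = v4_fingerprint(SAMPLE_BODY)                # stands in for the trusted value
    print(fpr, matches_trusted(SAMPLE_KEY, fpr))
```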