On 2/10/24 14:10, Abraham S.A.H. wrote:
> Sign it with your own malicious key and upload your public key to keyservers.

This is kind of the whole breakdown in gpg signing. In 2018, the keyservers were hit with a type of malware that effectively served as a global DDOS on the keyservers (many of which were unmaintained and had simply been running for years unattended). After the attack much of the keyserver system was simply never restarted, leading to difficulties in getting public keys to verify signatures. They are hit-or-miss at best now.

As long as the AUR package makes the needed public keys available, then all is fine, but if users are left to "get the key from a keyserver" - the specific keyserver holding the key needs to be identified, as there is little or no sync of keys anymore.

(This is just a side note for the general discussion.) The Arch keyring takes care of providing keys for Arch, but I'm unsure how AUR does this.

--
David C. Rankin, J.D.,P.E.
