As both the packager and upstream author I'd like to encourage all users to activate "git source verification" if not already done. Please see comment in the PKGBUILD file. The recent supply chain issues highlight the importance of validating source code.
All git tags are signed and going forward, every commit will also be signed.
The public signing key is available in a few places, but I recommend getting it either via WKD or directly from the website of the key's email domain. These are sound ways to do this. For additional information please see:
https://sapience.com/tech/blog/git-keys
To get the key via WKD:
gpg --auto-key-locate nodefault,wkd --locate-external-keys arch@sapience.com
Pinned Comments
GeneArch commented on 2026-06-14 20:58 (UTC)
As both the packager and upstream author I'd like to encourage all users to activate "git source verification" if not already done. Please see comment in the PKGBUILD file. The recent supply chain issues highlight the importance of validating source code.
All git tags are signed and going forward, every commit will also be signed.
The public signing key is available in a few places, but I recommend getting it either via WKD or directly from the website of the key's email domain. These are sound ways to do this. For additional information please see:
https://sapience.com/tech/blog/git-keys
To get the key via WKD:
gpg --auto-key-locate nodefault,wkd --locate-external-keys arch@sapience.com