Arch Linux adding PGP verification some years ago was a really good thing, after realizing that simply downloading from any repository without any kind of verification was a bad idea.
The process for signing and managing keys for the official repos is pretty straightforward and automated; with the AUR, however, this is quite different.
Sometimes, you can run into signature errors such as the following:
==> Validating source files with md5sums…
cower-16.tar.gz … Passed
cower-16.tar.gz.sig … Skipped
==> Verifying source file signatures with gpg…
cower-16.tar.gz … FAILED (error during signature verification)
==> ERROR: One or more PGP signatures could not be verified!
==> ERROR: Makepkg was unable to build cower.
==> Restart building cower ? [y/N]
This happens because your keyring is lacking a certain key needed to verify the package's authenticity.
If you open the PKGBUILD, you might see (if the author followed the conventions) the needed key and the owner of that key.
For this example package (cower), the PKGBUILD had a line telling us that the needed key corresponded to a maintainer called “Dave Reisner”.
After googling a bit, you can find a reference to this person's PGP key here.
On this page you can find the public key ID, which is “F56C0C53”.
All you have to do is add this public key to your keyring, and you'll be good to go. No more PGP errors for packages maintained by this particular maintainer:
gpg --recv-keys F56C0C53
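The lookup described above can be scripted. The following is an added example, not code from the original post: it reads the validpgpkeys array that makepkg conventions put in a PKGBUILD, and reports which of those keys your keyring still lacks so you can look each one up and verify it before importing. The sample PKGBUILD it writes is constructed for the example (the second key is a placeholder fingerprint, not a real one).

```shell
#!/bin/sh
# Added example, not from the original post: list the key IDs a PKGBUILD
# declares in validpgpkeys=(...) and report which ones the local keyring lacks.
# Write a constructed sample PKGBUILD (not the real cower one) to "$1".
make_sample_pkgbuild() {
    cat > "$1" <<'EOF'
pkgname=cower
pkgver=16
source=("https://example.invalid/cower-$pkgver.tar.gz"{,.sig})
validpgpkeys=('F56C0C53'   # short key ID quoted in the post
              '0123456789ABCDEF0123456789ABCDEF01234567')  # constructed placeholder
md5sums=('00112233445566778899aabbccddeeff' 'SKIP')
EOF
}
# Print one key ID or fingerprint per line from the validpgpkeys array of the
# PKGBUILD at "$1". Handles multi-line arrays, quotes and trailing comments and
# stops at the closing parenthesis, so later hex values (md5sums etc.) are ignored.
extract_validpgpkeys() {
    tr -d "'\"" < "$1" | awk '
        /^validpgpkeys=\(/ { in_array = 1 }
        in_array {
            sub(/#.*/, "")                  # drop trailing comment
            sub(/^validpgpkeys=\(/, "")     # drop the array opener
            if (index($0, ")") > 0) {       # closing paren ends the array
                sub(/\).*/, "")
                in_array = 0
            }
            for (i = 1; i <= NF; i++)
                if (length($i) >= 8 && $i ~ /^[0-9A-Fa-f]+$/) print $i
        }'
}
# Read key IDs on stdin; print "present <id>" or "missing <id>" according to
# whether gpg already has the key. Before importing a missing one with
# gpg --recv-keys, confirm its full fingerprint with the maintainer: an
# 8-hex short ID such as F56C0C53 can match more than one key.
report_key_status() {
    while read -r keyid; do
        if gpg --batch --list-keys "$keyid" >/dev/null 2>&1; then
            printf 'present %s\n' "$keyid"
        else
            printf 'missing %s\n' "$keyid"
        fi
    done
}
# Usage: sh check_pkgbuild_keys.sh /path/to/PKGBUILD
if [ -n "${1:-}" ]; then
    extract_validpgpkeys "$1" | report_key_status
fi
```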
You can learn more about package signing on Arch's magnificent wiki.