by snazz 2553 days ago
I don’t think the AUR has a concept of package signing—a PKGBUILD will often download a tarball from somewhere and any signing is ad-hoc. The official repositories use their own key ring (which is distributed without a key server).

Correct. The only time when this would concern you is when you add a third-party repository, e.g. one of [1]. This usually involves a manual TOFU step where you do the equivalent of `gpg --recv-keys $ID` on the pacman keyring.

[1] https://wiki.archlinux.org/index.php/Unofficial_user_reposit...

Beware that "gpg --recv-keys <keyid>" (or even "gpg --recv-keys <fingerprint>"!) can be tricked into inserting malicious keys into the keyring:

https://dev.gnupg.org/T3398
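A defensive check for the TOFU step described in the replies above, added here as an example (not code from the thread, from Arch or from pacman): after `pacman-key --recv-keys`, it inspects the keyring listing for the requested id and only proceeds to `--lsign-key` when every matching primary key carries the fingerprint the repository published, so an extra key a keyserver slipped into the import (the T3398 behaviour) is caught before it is trusted. The key id, fingerprints and repository name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Arch/pacman: gate the
# `pacman-key --lsign-key` step on the fingerprint actually present in the
# keyring, so a colliding or substituted key is noticed before trust is granted.
# Key ids and fingerprints below are constructed placeholders.

# Normalize a fingerprint for comparison: drop spaces, upper-case the hex.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Read `gpg --with-colons --fingerprint` output on stdin and print each
# primary-key fingerprint (the fpr record directly after a pub record).
# Subkey fpr records (those after a sub record) are skipped on purpose.
primary_fprs() {
    awk -F: '$1=="pub"{want=1;next} $1=="fpr"&&want{print $10} {want=0}'
}

# Succeed only if the listing on stdin holds at least one primary key and
# every primary key carries the expected fingerprint given as $1.
listing_matches() {
    expected=$(norm_fpr "$1"); n=0; bad=0
    for f in $(primary_fprs); do
        n=$((n+1))
        [ "$(norm_fpr "$f")" = "$expected" ] || bad=1
    done
    [ "$n" -ge 1 ] && [ "$bad" -eq 0 ]
}

# Constructed colon-format listing: the key a repository published
# (for a v4 key the 64-bit key id is the last 16 hex digits of the fingerprint)...
REPO_FPR="AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF"
SAMPLE_LISTING="pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
fpr:::::::::${REPO_FPR}:
uid:u::::1500000000::0000000000000000000000000000000000000000::Example Repo <repo@example.invalid>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1500000000::::::s::::::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCFEDCBA9876543210:"
# ...and a second key with the same key id but a different fingerprint, the
# shape a keyserver-supplied impostor takes once gpg has imported it.
ROGUE_LISTING="pub:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESC::::::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB0123456789ABCDEF:"

# Against the live pacman keyring (needs root; KEYID and REPO_FPR come from the
# repository's own documentation, not from the keyserver):
#   pacman-key --recv-keys "$KEYID"
#   gpg --homedir /etc/pacman.d/gnupg --with-colons --fingerprint "$KEYID" \
#     | listing_matches "$REPO_FPR" && pacman-key --lsign-key "$REPO_FPR"
```

Signing by full fingerprint rather than key id matters even when the check passes, since `--lsign-key` with a short or long id would be ambiguous once a second matching key is present.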