New comment by eli-schwartz on void-packages repository https://github.com/void-linux/void-packages/pull/28400#issuecomment-771336697

Comment:

> The idea was flown around on IRC and it tickled me. It's probably of very limited utility, but who knows, maybe the recent PGP crisis drives people towards signify :P

Disclaimer: "the idea" was my suggestion that PGP verification of the large body of software out there that *is* signed today with PGP signatures would be a good idea. :D

Since .sig is a valid and common PGP signature extension, heuristically detecting which flavor it is might be necessary in the event someone implements the, uh, more common variety in xbps-src.

...

Again, as mentioned in IRC, implementing PGP verification support need not force every user to install GnuPG. pacman/makepkg has an option to disable checking PGP (on by default), xbps-src can have an option to enable it (off by default). As long as it is there and can be validated, people can double-check that the known distfile with the known checksum does validate using PGP. (I would advise official builders to enable such checks, if off by default.)
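The "which flavor is this .sig" heuristic the comment mentions, as an added example that is not part of the comment, of xbps-src or of any void-packages code. It looks at the file's leading bytes only: an ASCII-armored PGP signature starts with the `-----BEGIN PGP SIGNATURE-----` header, a binary PGP signature starts with an OpenPGP packet header whose tag is 2 (old- or new-format, RFC 4880 section 4.2), and a signify signature is an `untrusted comment:` line followed by one base64 line decoding to `Ed` + 8-byte key id + 64-byte Ed25519 signature (74 bytes). All sample inputs below are constructed placeholders, not real signatures.

```python
import base64

PGP_ARMOR_HEADER = b"-----BEGIN PGP SIGNATURE-----"
SIGNIFY_COMMENT_PREFIX = b"untrusted comment:"
SIGNIFY_BLOB_LEN = 2 + 8 + 64  # "Ed" + keynum + Ed25519 signature


def classify_signature(data: bytes) -> str:
    """Classify a .sig payload as 'pgp-armored', 'pgp-binary', 'signify' or 'unknown'.

    This is a dispatch heuristic only: it decides which verifier (gpg or signify)
    to hand the file to. It does not verify anything itself.
    """
    if data.lstrip().startswith(PGP_ARMOR_HEADER):
        return "pgp-armored"

    if data.startswith(SIGNIFY_COMMENT_PREFIX):
        lines = data.split(b"\n")
        if len(lines) >= 2:
            try:
                # validate=True rejects non-alphabet characters instead of skipping them
                raw = base64.b64decode(lines[1].strip(), validate=True)
            except ValueError:
                return "unknown"
            if raw[:2] == b"Ed" and len(raw) == SIGNIFY_BLOB_LEN:
                return "signify"
        return "unknown"

    if data:
        first = data[0]
        if first & 0x80:  # bit 7 must be set for any OpenPGP packet header
            if first & 0x40:
                tag = first & 0x3F  # new-format header: tag in bits 5..0
            else:
                tag = (first >> 2) & 0x0F  # old-format header: tag in bits 5..2
            if tag == 2:  # tag 2 = Signature Packet
                return "pgp-binary"

    return "unknown"


def make_signify_sample() -> bytes:
    # Constructed signify-style file: placeholder key id and signature bytes.
    body = b"Ed" + b"\x01" * 8 + b"\x02" * 64
    return b"untrusted comment: verify with example.pub\n" + base64.b64encode(body) + b"\n"


# Constructed: old-format tag-2 packet header (0x89, two-byte length) plus a few bytes.
PGP_BINARY_SAMPLE = b"\x89\x01\x33\x04\x00\x01\x08\x00"
# Constructed: new-format tag-2 packet header (0xC2).
PGP_NEW_FORMAT_SAMPLE = b"\xc2\xc0\x33\x04"
# Constructed: armored header only; the base64 body is omitted on purpose.
PGP_ARMOR_SAMPLE = b"-----BEGIN PGP SIGNATURE-----\n\n(body omitted)\n-----END PGP SIGNATURE-----\n"


if __name__ == "__main__":
    for name, blob in [
        ("signify", make_signify_sample()),
        ("pgp-binary", PGP_BINARY_SAMPLE),
        ("pgp-new", PGP_NEW_FORMAT_SAMPLE),
        ("pgp-armor", PGP_ARMOR_SAMPLE),
        ("text", b"hello"),
    ]:
        print(f"{name:12s} -> {classify_signature(blob)}")
```

The point of keeping the classifier this small is that it only chooses a verifier; the build should still run that verifier against the distfile and treat "unknown", a decode failure, or a failed verification as a hard error rather than falling back to the checksum alone.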