Standards for receiving GPG public key?

Çağlar Arlı - 5 Views


I'm trying to make a package (suricata) locally on my machine, and when making the package, the system verifies the source file signatures with gpg and I receive "FAILED (unknown public key X)" (from an AUR package).

From my understanding, the provider of the package would want to share their public key in another way or on another platform, such that users can validate that their public key indeed belongs to the developer.

Is there any reason for a publisher to not share their public key? Is there a standard for developers in sharing their public key?

Just importing the key from a keyserver does not provide any significance in that the key in fact belongs to the alleged owner.

Furthermore, what is the point of services that provide a file and its respective .sig file from the same server? If the server is breached, an attacker could tamper with both files, so downloading both files from that server wouldn't be very much more secure...? This solution seems to just be a false sense of security.
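The two checks the question circles around (is this key really the developer's, and what does a .sig on the same server buy you) both come down to one thing: comparing the key's fingerprint with a value obtained over a channel the download server does not control. Added example, not part of the original post: a Python script that builds a constructed OpenPGP v4 RSA public-key packet, computes its fingerprint as RFC 4880 section 12.2 defines it, derives the key ID that gpg prints in "unknown public key <ID>" messages, and accepts a key only if that fingerprint matches a pinned one. The key material, the creation timestamp, the impostor key and the names GENUINE_KEY, IMPOSTOR_KEY and the helper functions are all made up for this example.

```python
"""Added example: compute an OpenPGP v4 key fingerprint and pin it.

Everything here is constructed for illustration; the RSA modulus is a
small made-up number, not a real key. The fingerprint algorithm follows
RFC 4880 section 12.2: SHA-1 over 0x99 || 2-octet body length || public-key
packet body. The key ID is the low 64 bits of that fingerprint, which is
the "X" gpg shows in "unknown public key X".
"""
import hashlib
import hmac
import struct


def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def build_rsa_public_key_packet(created: int, n: int, e: int) -> bytes:
    """Serialise a v4 RSA public-key packet with an old-format, 2-octet-length header (0x99)."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + _mpi(n) + _mpi(e)
    return bytes([0x99]) + struct.pack(">H", len(body)) + body


def parse_public_key_packet(packet: bytes) -> dict:
    """Parse a packet of the shape built above; raise ValueError on anything else."""
    tag = packet[0]
    if not (tag & 0x80) or (tag & 0x40):
        raise ValueError("expected an old-format packet header")
    if ((tag >> 2) & 0x0F) != 6:
        raise ValueError("not a public-key packet (tag 6)")
    if (tag & 0x03) != 1:
        raise ValueError("expected a two-octet packet length")
    (length,) = struct.unpack(">H", packet[1:3])
    body = packet[3:3 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    (created,) = struct.unpack(">I", body[1:5])
    algorithm = body[5]
    mpis, pos = [], 6
    while pos < len(body):
        (bits,) = struct.unpack(">H", body[pos:pos + 2])
        nbytes = (bits + 7) // 8
        chunk = body[pos + 2:pos + 2 + nbytes]
        if len(chunk) != nbytes:
            raise ValueError("truncated MPI")
        mpis.append(int.from_bytes(chunk, "big"))
        pos += 2 + nbytes
    return {"created": created, "algorithm": algorithm, "mpis": mpis, "body": body}


def v4_fingerprint(packet: bytes) -> str:
    """40-hex-digit v4 fingerprint: SHA-1(0x99 || len || body), RFC 4880 s12.2."""
    body = parse_public_key_packet(packet)["body"]
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest.hex().upper()


def key_id(packet: bytes) -> str:
    """Long key ID: the low 64 bits (last 16 hex digits) of the v4 fingerprint."""
    return v4_fingerprint(packet)[-16:]


def key_matches_pinned_fingerprint(packet: bytes, pinned: str) -> bool:
    """Accept a key only if its fingerprint equals one obtained out of band
    (project website, signed release notes, in-person exchange). The spaces
    gpg prints between groups of four hex digits are ignored."""
    expected = pinned.replace(" ", "").upper()
    if len(expected) != 40:
        return False
    return hmac.compare_digest(v4_fingerprint(packet), expected)


# Constructed sample keys: tiny moduli purely to keep the packets short.
# Real keys use 2048-bit or larger moduli.
GENUINE_KEY = build_rsa_public_key_packet(created=1_600_000_000, n=0xC0FFEE1234567891, e=65537)
# A substituted key an attacker could upload to a keyserver under the same name/e-mail.
IMPOSTOR_KEY = build_rsa_public_key_packet(created=1_600_000_000, n=0xBADC0DE987654321, e=65537)


if __name__ == "__main__":
    # Stand-in for the fingerprint you copy from the developer's own channel.
    pinned = v4_fingerprint(GENUINE_KEY)
    print("key ID gpg would report:", key_id(GENUINE_KEY))
    print("genuine key accepted:", key_matches_pinned_fingerprint(GENUINE_KEY, pinned))
    print("impostor key accepted:", key_matches_pinned_fingerprint(IMPOSTOR_KEY, pinned))
```

With a real key the equivalent check is `gpg --fingerprint <KEYID>` after import, compared by eye against the fingerprint the project publishes somewhere the download server cannot alter. Once the key is pinned that way, a detached .sig sitting next to the tarball is not theatre: an attacker who replaces the tarball on that server cannot produce a signature that verifies under the pinned key without the developer's private key, so the .sig only becomes worthless if the key itself was taken from the same compromised server.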