Sign high impact artifacts
All package files are currently signed by individual package maintainers. Automating the signing of package files implies that an automated, central build system has a secure way of delegating the signing operation to the Signstar system. Signing package files is considered a high impact action: it happens at a high cadence, and all Arch Linux users already rely on signature verification of package files by default.
For this target to be met, an automated build system (e.g. buildbtw) must provide secure means of authenticating against the Signstar host. Each host in such a central system should guard the SSH key it uses for connecting to the Signstar host with the host's integrated or discrete TPM 2.0, so that the private key cannot be copied off the host and reused from another machine.
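One way to provision such a TPM-guarded client key on a build host, as an added example that is not Signstar or buildbtw code: create the key inside a tpm2-pkcs11 token (so the private half only ever exists as a TPM-wrapped blob), export the public half for enrolment on the Signstar host, and point the SSH client at the PKCS#11 module instead of a key file. The module path, token label, PIN variables, host names and the `/etc/signstar/` paths are placeholders for this example; tpm2-tools and tpm2-pkcs11 are assumed to be installed.

```shell
#!/bin/sh
# Added example (not Signstar/buildbtw code): SSH client key held in a TPM 2.0
# via tpm2-pkcs11. Paths, labels and host names below are assumptions.
set -eu

PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/pkcs11/libtpm2_pkcs11.so}"  # distro-specific
TOKEN_LABEL="${TOKEN_LABEL:-signstar-client}"
PUBKEY_FILE="${PUBKEY_FILE:-/etc/signstar/client-tpm.pub}"
SIGNSTAR_HOST="${SIGNSTAR_HOST:-signstar.example.org}"   # placeholder
SIGNSTAR_USER="${SIGNSTAR_USER:-signstar}"               # placeholder

# Create a P-256 key inside a fresh PKCS#11 token backed by the host's TPM.
# tpm2_ptool keeps the TPM-wrapped key blobs in the calling user's store
# (~/.tpm2_pkcs11 by default), so run this as the build service user.
# PINs are read from the environment so they do not show up in argv.
provision_tpm_ssh_key() {
    : "${TPM_SO_PIN:?set TPM_SO_PIN}" "${TPM_USER_PIN:?set TPM_USER_PIN}"
    tpm2_ptool init
    tpm2_ptool addtoken --pid=1 --label="$TOKEN_LABEL" \
        --sopin="$TPM_SO_PIN" --userpin="$TPM_USER_PIN"
    tpm2_ptool addkey --label="$TOKEN_LABEL" --userpin="$TPM_USER_PIN" \
        --algorithm=ecc256
}

# Public half in authorized_keys format; this is what gets enrolled on the
# Signstar host. The private half never leaves the TPM.
export_public_key() {
    ssh-keygen -D "$PKCS11_MODULE"
}

# Client-side ssh_config stanza. IdentityFile points at the public key only,
# which is how OpenSSH matches an identity whose private operations live in a
# PKCS#11 module; IdentitiesOnly and IdentityAgent none keep stray on-disk or
# agent keys out of the picture, and the Signstar host key is pinned rather
# than accepted on first use.
render_ssh_config() {
    cat <<EOF
Host signstar
    HostName $SIGNSTAR_HOST
    User $SIGNSTAR_USER
    PKCS11Provider $PKCS11_MODULE
    IdentityFile $PUBKEY_FILE
    IdentitiesOnly yes
    IdentityAgent none
    StrictHostKeyChecking yes
    UserKnownHostsFile /etc/ssh/signstar_known_hosts
EOF
}

# Entry points; nothing touches the TPM unless explicitly asked to.
case "${1:-}" in
    provision) provision_tpm_ssh_key; export_public_key > "$PUBKEY_FILE" ;;
    config)    render_ssh_config ;;
esac
```

Run `./tpm-ssh-key.sh provision` once per build host and `./tpm-ssh-key.sh config` to produce the stanza for the service user's `ssh_config`; the printed public key is what the Signstar host's `authorized_keys` must contain. The PIN is not the security boundary here: the point is that the key is bound to this TPM, so stealing the store directory from disk does not yield a key usable elsewhere, while an attacker with code execution on the host can still drive signing requests through it. That is the threat the Signstar-side policy has to handle.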
Once signing of package files is automated and works reliably, the per-maintainer OpenPGP certificates in archlinux-keyring should be decommissioned by revoking the third-party signatures (certifications) that the distribution-specific trust anchors issued on them.