If you get
llvm-5.0.1.src.tar.xz … FAILED (unknown public key 8F0871F202119294)
gpg --recv-key 8F0871F202119294
and try again. Enter the key ID as appropriate.
Many AUR packages contain lines to enable validating downloaded packages though the use of a PGP key. This establishes a level of trust between the software author and anyone who downloads the software - if you trust the key, and the download validates against the key, then you can trust the download.
Pacman has its own keyring for system packages in the repos. This means pacman will trust Manjaro and Arch packager keys.
Your user starts with an empty keyring. That is, you trust noone’s keys. When you run makepkg you run it as your normal user, so if the PKGBUILD file contains a PGP key validation will fail because you don’t trust the key - you have to import the key into your keyring first.
This is easy. Open a terminal and type:
gpg --recv-key $KEYID
$KEYID is the ID of the key you want to import.
Now when you run
makepkg (directly or via your AUR helper) the downloaded file will be validated and all will be well.
If validation still fails then the file is either invalid or the keyserver cannot locate the key.
With the recent issues with the default keyserver, some keys cannot be found and you may have to try other servers. A few examples are:
To try a different server, you’ll use the
--keyserver flag. Example:
gpg --keyserver pool.sks-keyservers.net --recv-key 8F0871F202119294