Does that only apply to the Manjaro repos? If I’m also using other locations such as AUR, does changing the SigLevel cause any potential security issues if that change isn’t reverted?
pacman does not access the AUR, and it cannot, given that the AUR only contains PKGBUILD files, which are build scripts pointing at sources hosted elsewhere. pacman only installs, queries or removes ALPM packages.
That said, the AUR is a third-party repository, and its contents are managed by Arch users, not by Arch, Manjaro, or any of the other Arch-derivative distributions. Therefore, the AUR should always be treated with circumspection.
The SigLevel does not affect AUR. Technically you don’t install packages from AUR; you download a script (a text file) that says how to build the package on your computer. So you don’t actually need signatures, as you yourself are the builder (and the package never leaves your computer).
That said, using AUR exposes you to a different kind of threat. For example, a malignant AUR maintainer that includes some kind of malware in the build. Not that that happens usually, but it’s possible.
I understand (not in depth) the PKGBUILD basics so I check the info as much as I can to see what the scripts plan to do prior to installing.
I was curious due to things like the pamac gui mentioning/allowing the tickbox ‘enable AUR support’ and wasn’t sure if there was any kind of relationship or if it was a total separation.
It is indeed separate. The command-line commands of pamac are also different between installing packages from the repos and building AUR packages. See…
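Added example, not part of the thread: since SigLevel gives no protection for AUR builds, the review of the PKGBUILD is the control, and this Python sketch reads one as plain text (never sourcing it) and lists items worth a manual look. The sample PKGBUILD, the example.org URLs and the function names are constructed for illustration, and the regex parsing is a heuristic that assumes simple quoted arrays.

```python
import re

# Constructed sample, not a real AUR package; embedded so the example runs offline.
SAMPLE_PKGBUILD = '''\
pkgname=example-tool
source=("https://example.org/example-tool-1.0.tar.gz"
        "extra.patch::http://example.org/extra.patch"
        "git+https://example.org/example-lib.git")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP'
            'SKIP')
install=example-tool.install
build() {
  curl -s http://example.org/setup.sh | sh
}
'''

ARRAY_RE = re.compile(r'^(\w+)=\((.*?)\)', re.M | re.S)
ITEM_RE = re.compile(r'''"([^"]*)"|'([^']*)'|([^\s"']+)''')
SUMS_RE = re.compile(r'(ck|md5|sha\d+|b2)sums')
VCS_RE = re.compile(r'(bzr|fossil|git|hg|svn)\+')
PIPE_RE = re.compile(r'\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba)?sh\b')

def parse_arrays(text):
    """Read bash arrays as plain text. The PKGBUILD is never sourced, since sourcing runs it."""
    return {name: [a or b or c for a, b, c in ITEM_RE.findall(body)]
            for name, body in ARRAY_RE.findall(text)}

def review(text):
    """Return a list of findings worth a manual look before running makepkg."""
    arrays, findings = parse_arrays(text), []
    urls = [s.split('::', 1)[-1] for s in arrays.get('source', [])]
    findings += [f'source fetched without TLS: {u}' for u in urls
                 if u.startswith(('http://', 'ftp://'))]
    for name, sums in arrays.items():
        if not SUMS_RE.fullmatch(name):
            continue
        for url, value in zip(urls, sums):
            # SKIP is expected for VCS sources, suspicious for fixed files
            if value == 'SKIP' and not VCS_RE.match(url):
                findings.append(f'{name}: no integrity check for {url}')
    for n, line in enumerate(text.splitlines(), 1):
        if PIPE_RE.search(line):
            findings.append(f'line {n}: download piped into a shell')
        if line.startswith('install='):
            findings.append(f'line {n}: {line[8:]} holds hooks pacman runs as root')
    return findings

if __name__ == '__main__':
    print('\n'.join(review(SAMPLE_PKGBUILD)))
```

An empty result only means none of these patterns matched; it does not replace reading the PKGBUILD and any `.install` file it names.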