Over the past six months, pacman has had package verification features,
although they were turned off while we were still figuring out the
details of our public-key infrastructure. This work has resulted in the
<a href="https://www.archlinux.org/packages/core/any/archlinux-keyring/">archlinux-keyring package</a>
which contains all the data you need to authenticate packages as
made by official Arch packagers (developers and trusted users).
Having pacman verify packages is now as easy as doing:
The archlinux-keyring package contains five master keys that are used to
authenticate official Arch packagers, so you do not need to know who
joins or leaves the team: you just have to verify those five master keys
once and for all. This last command will prompt you to do so; please do
this cautiously by checking the fingerprints displayed against
<a href="https://www.archlinux.org/master-keys/">those published on our website</a>.
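
The fingerprint check described above can be scripted rather than done by eye. The following is an added example, not part of the original announcement or of pacman: it assumes the keyring has been listed in GnuPG's `--with-colons` format and that the published fingerprints were copied from the website by hand. The function names and all fingerprints are constructed for illustration.

```shell
# Added example: compare keyring fingerprints with a published list (constructed data).

# Strip spaces, upper-case, keep only well-formed 40-hex-digit fingerprints.
normalize_fpr() {
    tr -d ' \t\r' | tr 'a-f' 'A-F' | grep -E '^[0-9A-F]{40}$' || true
}

# Print field 10 of the fpr record right after each pub (skips subkey fprs).
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" { if (want) print toupper($10); want = 0; next }
             $1 == "sub" { want = 0 }'
}

# check_keyring "PUBLISHED TEXT" < colon_output; returns 0 only if sets match.
check_keyring() {
    published=$(printf '%s\n' "$1" | normalize_fpr | sort -u)
    present=$(primary_fprs | sort -u)
    status=0
    [ -n "$published" ] || { echo "ERROR    no published fingerprints"; status=1; }
    for f in $published; do
        printf '%s\n' "$present" | grep -qx "$f" || { echo "MISSING  $f"; status=1; }
    done
    for f in $present; do
        printf '%s\n' "$published" | grep -qx "$f" || { echo "UNLISTED $f"; status=1; }
    done
    return "$status"
}

# Constructed keyring listing: two primary keys, the first with a subkey.
sample_keyring() {
    cat <<'EOF'
pub:-:2048:1:89ABCDEF01234567:1325376000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:-:2048:1:CCDDEEFF00112233:1325376000::::::e:
fpr:::::::::00112233445566778899AABBCCDDEEFF00112233:
pub:-:2048:1:76543210FEDCBA98:1325376000:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}

# Constructed "published" list, typed the way a web page shows fingerprints.
sample_published() {
    cat <<'EOF'
0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
fedc ba98 7654 3210 fedc  ba98 7654 3210 fedc ba98
EOF
}
sample_keyring | check_keyring "$(sample_published)" && echo "OK: keyring matches"
```

A key on the keyring that is absent from the published list is reported as `UNLISTED`, and a published key that is absent from the keyring as `MISSING`; either one makes the function return non-zero.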