Support GnuPG public keys as an alternative to checksums
Signed packages provide more security than checksums, e.g. in the case
of corrupt mirrors or download sites.
The private key is only owned by the devs or release managers. All users can use the well-known public key to verify their downloads. As an additional feature, the key can be fetched from keyservers, so corrupt/revoked keys will throw an error.
E.g. in the case of nginx:
Fetch B0F4253373F8F6F510D42178520A9993A1C052F8 in the APKBUILD and fetch the *.asc together with the tarball/signed git tag.
(from redmine: issue id 9016, created on 2018-06-16)
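
The check this request describes, sketched as an added example (not part of the original issue and not abuild's code): the pinned fingerprint is fetched into a throwaway keyring and the detached `*.asc` signature is accepted only if gpg's machine-readable status names that fingerprint and reports no revoked, expired or bad signature. The function names, the `KEYSERVER` default and the sample status lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not abuild code; function names and the KEYSERVER default are assumptions.
NGINX_FPR=B0F4253373F8F6F510D42178520A9993A1C052F8   # fingerprint quoted in the issue

# check_status FPR: read `gpg --status-fd` lines on stdin. Succeeds only if a
# VALIDSIG line names FPR as signing or primary key and no failure status appears.
check_status() {
    awk -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_source FPR TARBALL SIG: fetch only the pinned key into a throwaway
# keyring, then verify the detached signature against it.
verify_source() {
    home=$(mktemp -d) || return 1
    gpg --homedir "$home" --batch --quiet \
        --keyserver "${KEYSERVER:-hkps://keyserver.ubuntu.com}" --recv-keys "$1" &&
    gpg --homedir "$home" --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null |
        check_status "$1"
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# Constructed status output (subkey fingerprint, dates and user ID are made up).
sample_good() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2018-06-05 1528200000 0 4 0 1 8 00 $NGINX_FPR"
}
sample_revoked() {
    sample_good
    printf '%s\n' '[GNUPG:] REVKEYSIG 520A9993A1C052F8 constructed signer'
}
```

Parsing the status lines rather than trusting gpg's exit code is what ties the result to the one pinned key: a valid signature from any other key in the keyring is still rejected.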