Safety of using auto-key-retrieve with GPG
I am using Arch Linux and trying to build a package from the AUR. In order to build this package I need to download source files from a repository. The Arch PKGBUILD lists a key as a validpgpkey. While I can download this key individually, it is also possible to configure GPG to auto retrieve the key with
keyserver-options auto-key-retrieve
There are obviously security implications in regards to the package building process. My understanding is that the auto-key-retrieve option is global and other programs may now start to automatically download keys. What type of security implications does that have?
The package build process itself is safe, even with automatic key retrieval: since validpgpkeys must list full fingerprints, the key that’s automatically retrieved is sure to be the correct one. The main use-case that’s affected by automatic key retrieval is detecting unwanted changes to the validpgpkeys declaration (but such changes should be manually verified anyway, not just when gpg complains that it doesn’t have the necessary key in its keyring).
The auto-key-retrieve option is indeed global, so enabling it means that any interaction with gpg involving a key that isn’t in your keyring will download that key from your default keyserver. The practical difference this makes depends on two factors: the verifications you make when downloading a key manually, and whether or not your key and the key you’re downloading are connected. Obviously, if you always verify keys out of band before adding them to your keyring, you don’t want to enable automatic key retrieval. If the keys you use are connected, and you use the trust information, that’s valid regardless of where the key comes from, so automatic key retrieval is safe then. In between those two extremes, it seems to me that if you use full fingerprints, automatic key retrieval is safe too; and if you don’t, the risks associated with keys are the same regardless of their origin (e.g. accepting something signed by an evil key as signed by the real key owner, or worse, encrypting something to an evil key thinking that you’re sending it to someone else).
Really the main caveat with auto-key-retrieve is that highlighted in the manual:
Note that this option makes a “web bug” like behavior possible. Keyserver or Web Key Directory operators can see which keys you request, so by sending you a message signed by a brand new key (which you naturally will not have on your local keyring), the operator can tell both your IP address and the time when you verified the signature.
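The answer above rests on two checks a packager can make without turning on global key retrieval: that every validpgpkeys entry is a full fingerprint (so whatever key is fetched is pinned to it), and which of those fingerprints are already in the local keyring (so the missing ones can be fetched and verified by hand). The script below is an added example, not code from the question, the answer or Arch's makepkg: it parses a constructed PKGBUILD fragment, flags entries that are short key IDs rather than 40- or 64-hex-digit fingerprints, and compares the good entries against constructed `gpg --with-colons --list-keys` output (the `fpr:` record layout is real; the sample keys, names and URL are made up).

```python
import re

# Constructed PKGBUILD fragment (not a real package). One entry is
# deliberately a short key ID to show what the check rejects.
SAMPLE_PKGBUILD = """\
pkgname=example
pkgver=1.0
validpgpkeys=('ABCDEF0123456789ABCDEF0123456789ABCDEF01'  # maintainer key
              "0123456789abcdef0123456789abcdef01234567"
              '0123ABCD')  # a key ID, not a fingerprint
source=("https://example.invalid/example-$pkgver.tar.gz")
"""

# Constructed output in the shape of `gpg --with-colons --list-keys`:
# the fingerprint of a key sits in field 10 of an `fpr:` record.
SAMPLE_COLONS = """\
pub:u:4096:1:ABCDEF0123456789:1600000000::::::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::1600000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Maintainer <maint@example.invalid>::::::::::0:
"""

# v4 fingerprints are 40 hex digits, v5 fingerprints are 64.
FULL_FINGERPRINT = re.compile(r"^(?:[0-9A-F]{40}|[0-9A-F]{64})$")


def extract_validpgpkeys(pkgbuild: str) -> list[str]:
    """Return the entries of the validpgpkeys=(...) array, upper-cased,
    with quotes and shell comments removed."""
    # Drop comments line by line first so a ')' inside one cannot end the array early.
    stripped = "\n".join(line.split("#", 1)[0] for line in pkgbuild.splitlines())
    match = re.search(r"validpgpkeys=\((.*?)\)", stripped, re.S)
    if not match:
        return []
    return [tok.strip("'\"").upper() for tok in match.group(1).split()]


def classify_entries(entries: list[str]) -> dict[str, bool]:
    """Map each entry to True if it is a full fingerprint, False otherwise."""
    return {e: bool(FULL_FINGERPRINT.match(e)) for e in entries}


def keyring_fingerprints(colons_output: str) -> set[str]:
    """Collect fingerprints from `fpr:` records of gpg --with-colons output."""
    fprs = set()
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            fprs.add(fields[9].upper())
    return fprs


def audit(pkgbuild: str, colons_output: str) -> dict[str, list[str]]:
    """Report which validpgpkeys entries are malformed, already present
    locally, or still need to be fetched and verified manually."""
    verdict = classify_entries(extract_validpgpkeys(pkgbuild))
    local = keyring_fingerprints(colons_output)
    report = {"malformed": [], "present": [], "missing": []}
    for entry, is_full in verdict.items():
        if not is_full:
            report["malformed"].append(entry)
        elif entry in local:
            report["present"].append(entry)
        else:
            report["missing"].append(entry)
    return report


if __name__ == "__main__":
    for category, keys in audit(SAMPLE_PKGBUILD, SAMPLE_COLONS).items():
        print(f"{category}: {keys}")
```

On a real system the colon output would come from running `gpg --with-colons --list-keys` against the keyring makepkg will use (the default one, or whatever `GNUPGHOME` points at); the "missing" list is exactly the set of keys worth importing and verifying by fingerprint before the build, which sidesteps the need for a global auto-key-retrieve setting.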