Pacman (and Arch in general) didn't have package signing. Sniff around the forum for the discussions (don't ask, you'll just stir things up for the worse, believe me; just do a search for IgnorantGuru on the Arch forum...).
Every developer has his/her key now. It may well be a good idea to check out Alan's blog.
Before signing, it was a risky business to do an update. There were packages, but... were they legit? What if the server was hacked? One tool was (and is) paccheck, which you run before updating to see whether any of the tested servers was compromised or not. If it was safe, an update could be "attempted"... with signing, one more level of security is around.
Why the current (PGP, I think) method was chosen and not MD5... may be a question for the developers... but be warned, they can be a grumpy lot.
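The difference between an MD5 file and a signature matters most in exactly the "what if the server was hacked" case the post raises. The script below is an added example, not code from the post, from pacman or from paccheck; it builds a constructed fake mirror, lets an attacker who controls that mirror swap the package, and shows that a checksum fetched from the same mirror still "passes" while a signature checked against a key the user already holds does not. The package name, payloads and the keypair are all made up; the signature is a textbook-RSA stand-in (two Mersenne primes, no padding) used only so the example runs offline with the standard library, whereas pacman really uses OpenPGP via gnupg.

```python
import hashlib

# Constructed toy keypair (NOT a real developer key): textbook RSA over two
# Mersenne primes so the example needs only the standard library. The real
# scheme is OpenPGP; this only stands in for "developer signs, user verifies".
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: stays with the developer
PUBLIC_KEY = (E, N)                 # what the user holds locally (the "keyring")


def _digest_int(data: bytes) -> int:
    """SHA-256 of the package, truncated to 128 bits so it fits below N."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Developer-side: sign the package digest with the private exponent."""
    return pow(_digest_int(data), d, n)


def verify(data: bytes, sig: int, pubkey=PUBLIC_KEY) -> bool:
    """User-side: recover the digest from the signature with the local public key."""
    e, n = pubkey
    return pow(sig, e, n) == _digest_int(data)


def build_mirror(name: str, pkg: bytes) -> dict:
    """Honest publish: package, its MD5 file, and a detached signature."""
    return {
        name: pkg,
        name + ".md5": hashlib.md5(pkg).hexdigest().encode(),
        name + ".sig": sign(pkg),
    }


def compromise_mirror(mirror: dict, name: str, evil: bytes) -> dict:
    """Attacker with write access to the mirror swaps the package and simply
    recomputes the MD5 file. They do not hold D, so the old signature is left
    in place (re-signing is not possible for them)."""
    hacked = dict(mirror)
    hacked[name] = evil
    hacked[name + ".md5"] = hashlib.md5(evil).hexdigest().encode()
    return hacked


def md5_check(mirror: dict, name: str) -> bool:
    """Checksum check where both the package and the .md5 come from the mirror."""
    return hashlib.md5(mirror[name]).hexdigest().encode() == mirror[name + ".md5"]


def sig_check(mirror: dict, name: str, pubkey=PUBLIC_KEY) -> bool:
    """Signature check against a key the user already has, not something served by the mirror."""
    return verify(mirror[name], mirror[name + ".sig"], pubkey)


def run_scenario() -> dict:
    # Constructed package name and payloads for the demonstration.
    name = "foo-1.0-1-x86_64.pkg.tar.xz"
    good = b"constructed: legitimate package payload"
    evil = b"constructed: trojaned package payload"
    clean = build_mirror(name, good)
    hacked = compromise_mirror(clean, name, evil)
    return {
        "clean_md5": md5_check(clean, name),      # True
        "clean_sig": sig_check(clean, name),      # True
        "hacked_md5": md5_check(hacked, name),    # True: attacker rewrote the .md5 too
        "hacked_sig": sig_check(hacked, name),    # False: attacker cannot forge the signature
    }


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

The point is not MD5 versus SHA or any other hash: a checksum only tells you the file matches the checksum file next to it, and whoever controls the mirror controls both. A signature binds the file to a key that was obtained separately, which is what pacman's keyring (managed with pacman-key, enforced through the SigLevel setting in pacman.conf) provides.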