ERROR: One or more PGP signatures could not be verified, arch linux

Once you have a local gpg key pair, you can import the unknown key into your local user's set of keys. In my case, the key 5CC908FDB71E12C2 needs to be imported as follows.

$ gpg --recv-keys 5CC908FDB71E12C2
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: key 5CC908FDB71E12C2: 8 signatures not checked due to missing keys
gpg: /home/aaron/.gnupg/trustdb.gpg: trustdb created
gpg: key 5CC908FDB71E12C2: public key "Daniel Stenberg <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

--recv-keys key IDs: Import the keys with the given key IDs from a keyserver.

If the above fails, you might need to generate a local gpg keystore/database.

The steps below may no longer be necessary, as the above step now creates a local key database for you. This depends on your distro, gpg version and config.

If you do not already have a gpg key database for your local user:

gpg --generate-key 

or

gpg --full-gen-key 

What the docs say.

   --generate-key
   --gen-key
          Generate  a  new key pair using the current default parameters.  This is the standard command to create a new key.  In addition to the key a revocation certificate is created and stored in the
          ‘openpgp-revocs.d’ directory below the GnuPG home directory.

   --full-generate-key
   --full-gen-key
          Generate a new key pair with dialogs for all options.  This is an extended version of --generate-key.

          There is also a feature which allows you to create keys in batch mode. See the manual section ``Unattended key generation'' on how to use this.
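
A key fetched by key ID should be checked against the full fingerprint published by a source you already trust (for an Arch package, the `validpgpkeys` array in the PKGBUILD is the usual place) before you rely on it. The script below is an added example, not part of the original answer; the function names, the sample listing and the fingerprint in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names are hypothetical.
# Real use, after importing the key:
#   gpg --with-colons --fingerprint 5CC908FDB71E12C2 | check_key "<FULL FINGERPRINT>"

# Print the primary-key fingerprint from `gpg --with-colons` output on stdin.
# In that format an "fpr" record follows each "pub" record and carries the
# fingerprint in field 10; subkey fingerprints (after "sub") are ignored.
primary_fpr() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "fpr" && want { print toupper($10); exit }
    '
}

# Normalise a fingerprint as people paste it: drop spaces, upper-case.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# check_key EXPECTED_FPR < colon-listing
# Returns 0 only when the listed primary key has exactly the expected
# 40-hex-digit fingerprint, 1 on mismatch, 2 when EXPECTED_FPR is unusable
# (for example a bare 16-digit key ID, which is too short to pin a key).
check_key() {
    expected=$(normalise_fpr "$1")
    case "$expected" in
        *[!0-9A-F]*|"") echo "expected value is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 40 ]; then
        echo "need a full 40-digit fingerprint, not a key ID" >&2
        return 2
    fi
    actual=$(primary_fpr)
    if [ "$actual" = "$expected" ]; then
        echo "fingerprint matches: $actual"
        return 0
    fi
    echo "MISMATCH: imported key has ${actual:-no fingerprint}" >&2
    return 1
}

# Constructed sample of `gpg --with-colons --fingerprint` output.
SAMPLE='pub:-:4096:1:89ABCDEF01234567:1451606400:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1451606400::::Example Maintainer <maintainer@example.org>:
sub:-:4096:1:FEDCBA9876543210:1451606400::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAFEDCBA9876543210:'
```

If `check_key` reports a mismatch, remove the imported key with `gpg --delete-keys` and find out where the expected fingerprint and the keyserver copy diverge before building the package.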