Hello,

Are the packages from the repos (core, main, apps, build, kde-next) not signed and verified by pacman during install?

I'm a little concerned about the possibility of malicious packages getting in, especially via mirrors.

Cheers!

Correct, signing has not been done so far.

Databases are, however, not created remotely, so any would-be hacker trying to change a package on a mirror won't be able to get the correct hash on them, thus the install would fail.