Apologies for not knowing this, which should be pretty simple...

From time to time if I need to get a package that is not available in the regular repos, but is only available from someone's community repository on the build service. I have from time to time either added their repo or just downloaded the package I was looking for.

But one thing consistently eludes me - where do I find the gpg signing key so that I can import it? I feel like I compromise my system if I just ignore the signing key and install it regardless.

All the instructions I have found seem to be only about how to set up the proper signing key if you are a builder of packages, not if you are a regular user like me that just wants to download someone else's package.