This has probably been discussed already, but somehow I can't find a link, so...
Is it possible in pacman to save package signatures alongside *.pkg.tar.xz files in cache? I think it would be a useful security addition. For instance, recently I had to perform a full system integrity check (similar to the time when kernel.org was compromised) and not being able to verify packages in cache really complicated things, as I had to first update and then download each package, verify, unpack and generate sha1sums for files (all on a clean server of course).
Arch Linux is more than just GNU/Linux -- it's an adventure
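The manual check described in the post above (unpack a package, hash its files, compare them with the installed system), as an added example that is not part of the thread or of pacman. The function names are hypothetical, the sample package is constructed, and the package archive is assumed to have already been verified against its signature on a trusted machine.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# pacman metadata members at the archive root; these are not installed files.
METADATA = {".PKGINFO", ".MTREE", ".BUILDINFO", ".INSTALL", ".CHANGELOG"}

def package_manifest(pkg_path):
    """Map each regular file in a package archive to its SHA-1 hex digest."""
    manifest = {}
    with tarfile.open(pkg_path, "r:*") as tar:
        for member in tar:
            if member.isfile() and member.name not in METADATA:
                data = tar.extractfile(member).read()
                manifest[member.name] = hashlib.sha1(data).hexdigest()
    return manifest

def compare_with_root(manifest, root):
    """Return (missing, modified) file lists for the tree mounted at root."""
    missing, modified = [], []
    for name, expected in sorted(manifest.items()):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            missing.append(name)
            continue
        with open(path, "rb") as fh:
            if hashlib.sha1(fh.read()).hexdigest() != expected:
                modified.append(name)
    return missing, modified

def build_sample(pkg_path, files):
    """Constructed sample: write a tiny .pkg.tar.xz holding the given files."""
    with tarfile.open(pkg_path, "w:xz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "demo-1.0-1-any.pkg.tar.xz")
        build_sample(pkg, {".PKGINFO": b"pkgname = demo\n", "usr/bin/demo": b"#!/bin/sh\n"})
        os.makedirs(os.path.join(tmp, "root/usr/bin"))
        with open(os.path.join(tmp, "root/usr/bin/demo"), "wb") as fh:
            fh.write(b"tampered\n")  # simulate an altered installed file
        print(compare_with_root(package_manifest(pkg), os.path.join(tmp, "root")))
```

Files listed in a package's `backup` array (typically configuration under `/etc`) are expected to differ after local edits, so a "modified" hit on those needs a manual look rather than being treated as tampering.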
You have sigs & sums from the rolling install (not the history) per repo in /var/cache/pkgtools/lists/
For such cases, would those not be enough (maybe install pacman fresh from a chroot first)?