GScrot repository is not signed with a PGP key. If it is, there is no information about it at:
The download page should mention which key is used to sign the packages and how to add them to the system.
Every time there is an upgrade to GScrot, the package managers warns the user that GScrot is an unsigned and therefore potentially dangerous package. It is true, someone may hack into your repository and replace the packages with his own. If you want to ensure people's trust, you have to sign your package. It is absolutely necessary for large-spread packages like GScrot.
Please sign your repository and give us information about that on the download page. Thank you.