Hi, This is regarding package verification performed by pacman. Does pacman download the .sig file of a package while installing one? All I could find are the local cached copies of packages only but not their signatures. If thats the case, how does pacman verify the integrity of the downloaded package? It could be that .sig file could have been downloaded into /tmp during installation or to another location that I'm not aware yet. This brings me to my next point. I've manually downloaded just the package file (of some random package) from a mirror and disconnected from the Internet. I used both 'pacman -U <pkg-name>' and 'pacman -S <pkg-name>' to install the package and the installation went just fine. I was expecting Pacman to emit an error stating that signature was missing but nothing happened. Could someone care to explain this. BTW, I have SigLevel = Required DatabaseOptional in my pacman.conf. - Solomon
