Re: Clarification on pacman signature verification


On Mon, 25 Jan 2016 15:13:24 +0530
Solomon Lam <phrackmod@xxxxxxxxx> wrote:

> Hi, This is regarding package verification performed by pacman.
> 
> Does pacman download the .sig file of a package while installing one? All I
> could find are the local cached copies of packages only but not their
> signatures. If that's the case, how does pacman verify the integrity of the
> downloaded package?
> It could be that .sig file could have been downloaded into /tmp during
> installation or to another location that I'm not aware yet. This brings me
> to my next point.
> 
> I've manually downloaded just the package file (of some random package)
> from a mirror and disconnected from the Internet. I used both 'pacman -U
> <pkg-name>' and 'pacman -S <pkg-name>' to install the package and the
> installation went just fine. I was expecting Pacman to emit an error
> stating that signature was missing but nothing happened. Could someone care
> to explain this?
> BTW, I have SigLevel = Required DatabaseOptional in my pacman.conf.
> 
> - Solomon

Signatures are kept in the databases.
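
Added illustration (not part of the original thread, and not pacman's own code): a sync database is a compressed tar archive with one `desc` entry per package, and at the time of this thread the detached signature was stored base64-encoded in that entry's `%PGPSIG%` field. The sample database and its signature bytes below are constructed, and the helper names are hypothetical.

```python
import base64
import io
import tarfile

def parse_desc(text):
    """Parse a 'desc' entry: a %FIELD% header, its value lines, then a blank line."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith("%") and line.endswith("%") and len(line) > 2:
            key = line.strip("%")
            fields[key] = []
        elif line and key:
            fields[key].append(line)
        else:
            key = None  # blank line closes the current field
    return fields

def embedded_signatures(db_bytes):
    """Map package file name -> detached signature bytes stored in the db (or None)."""
    sigs = {}
    with tarfile.open(fileobj=io.BytesIO(db_bytes), mode="r:*") as db:
        for member in db:
            if not (member.isfile() and member.name.endswith("/desc")):
                continue
            desc = parse_desc(db.extractfile(member).read().decode())
            filename = desc.get("FILENAME", [member.name])[0]
            if "PGPSIG" in desc:
                sigs[filename] = base64.b64decode("".join(desc["PGPSIG"]))
            else:
                sigs[filename] = None  # the database carries no signature for this entry
    return sigs

def build_sample_db():
    """Constructed sample: a two-package sync db, one entry without a signature."""
    fake_sig = base64.b64encode(b"\x89\x01constructed-signature-bytes").decode()
    entries = {
        "foo-1.0-1/desc": f"%FILENAME%\nfoo-1.0-1-x86_64.pkg.tar.xz\n\n%NAME%\nfoo\n\n%PGPSIG%\n{fake_sig}\n\n",
        "bar-2.3-1/desc": "%FILENAME%\nbar-2.3-1-any.pkg.tar.xz\n\n%NAME%\nbar\n\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in entries.items():
            data = body.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    for pkg, sig in embedded_signatures(build_sample_db()).items():
        print(pkg, "signature bytes:", len(sig) if sig else "none in database")
```

To inspect a real system, pass the bytes of a file under `/var/lib/pacman/sync/` to `embedded_signatures`; entries that map to `None` have no signature in the database.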


