On Mon, 25 Jan 2016 15:13:24 +0530
Solomon Lam <phrackmod@xxxxxxxxx> wrote:

> Hi, This is regarding package verification performed by pacman.
>
> Does pacman download the .sig file of a package while installing one? All I
> could find are the local cached copies of packages only but not their
> signatures. If that's the case, how does pacman verify the integrity of the
> downloaded package?
> It could be that .sig file could have been downloaded into /tmp during
> installation or to another location that I'm not aware yet. This brings me
> to my next point.
>
> I've manually downloaded just the package file (of some random package)
> from a mirror and disconnected from the Internet. I used both 'pacman -U
> <pkg-name>' and 'pacman -S <pkg-name>' to install the package and the
> installation went just fine. I was expecting Pacman to emit an error
> stating that signature was missing but nothing happened. Could someone care
> to explain this.
> BTW, I have SigLevel = Required DatabaseOptional in my pacman.conf.
>
> - Solomon

Signatures are kept in the databases.