On 01/25/2016 04:43 AM, Solomon Lam wrote:
> Hi, This is regarding package verification performed by pacman.
>
> Does pacman download the .sig file of a package while installing one? All I
> could find are the local cached copies of packages only but not their
> signatures. If that's the case, how does pacman verify the integrity of the
> downloaded package?
> It could be that .sig file could have been downloaded into /tmp during
> installation or to another location that I'm not aware yet. This brings me
> to my next point.
>
> I've manually downloaded just the package file (of some random package)
> from a mirror and disconnected from the Internet. I used both 'pacman -U
> <pkg-name>' and 'pacman -S <pkg-name>' to install the package and the
> installation went just fine. I was expecting Pacman to emit an error
> stating that signature was missing but nothing happened. Could someone care
> to explain this?
> BTW, I have SigLevel = Required DatabaseOptional in my pacman.conf.
>
> - Solomon
>

Packages from the Sync database have their signatures (if any) embedded in
the db itself.

If you really don't trust your own computer, set:

LocalFileSigLevel = Required

That will make installing AUR packages slightly awkward...

Local files default to Optional, Remote files to Required, so if you use
`pacman -U http://address.of/package.tar.xz` then it will download the
package *and* signature for you; once there is a *.sig pacman will demand it
be a valid one.

-- 
Eli Schwartz
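An added illustration, not part of this thread, of where the sync-db signature lives: a repo db is a tar of per-package directories, each holding a desc file whose %PGPSIG% field carries the base64-encoded detached signature of the package file. The db, package bytes and signature value below are constructed filler; the code shows what a client can read from the db (expected sha256, embedded signature), while real signature verification against the keyring is left to pacman/gpg.

```python
import base64
import hashlib
import io
import tarfile

# Constructed sample package and its desc entry (real dbs are .tar.gz/.tar.zst
# with the layout "<name>-<version>/desc"; the PGPSIG value here is filler).
PKG_BYTES = b"fake package contents (constructed)"
DESC = (
    "%FILENAME%\nexample-1.0-1-any.pkg.tar.xz\n\n"
    "%NAME%\nexample\n\n"
    "%VERSION%\n1.0-1\n\n"
    "%SHA256SUM%\n" + hashlib.sha256(PKG_BYTES).hexdigest() + "\n\n"
    "%PGPSIG%\n" + base64.b64encode(b"constructed-detached-sig").decode() + "\n\n"
)

def build_db(entries):
    """Build an in-memory sync db tar from {dirname: desc_text}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for dirname, desc in entries.items():
            data = desc.encode()
            info = tarfile.TarInfo(f"{dirname}/desc")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def parse_desc(text):
    """Parse the desc format: a %KEY% line followed by value lines, blank-separated."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith("%") and line.endswith("%"):
            key = line.strip("%")
            fields[key] = []
        elif line and key:
            fields[key].append(line)
    return {k: "\n".join(v) for k, v in fields.items()}

def load_db(db_bytes):
    """Return {pkgname: fields} for every desc entry in the db."""
    pkgs = {}
    with tarfile.open(fileobj=io.BytesIO(db_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("/desc"):
                fields = parse_desc(tar.extractfile(member).read().decode())
                pkgs[fields["NAME"]] = fields
    return pkgs

def check_package(db_bytes, name, pkg_bytes):
    """Compare a downloaded package against its db entry: sha256 match and
    whether an embedded detached signature exists (no GPG verification here)."""
    fields = load_db(db_bytes)[name]
    sha_ok = hashlib.sha256(pkg_bytes).hexdigest() == fields.get("SHA256SUM")
    sig = base64.b64decode(fields["PGPSIG"]) if "PGPSIG" in fields else None
    return {"sha256_ok": sha_ok, "has_sig": sig is not None, "sig_len": len(sig or b"")}

DB = build_db({"example-1.0-1": DESC})
```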