Thanks for the reply. I think I got my answer. I noticed that the 'desc' file of a package (inside the db) contains 'md5' and 'sha256' checksums as well. So, does pacman perform PGP verification or checksum verification during installation?

On Mon, Jan 25, 2016 at 8:08 PM, Eli Schwartz <eschwartz93@xxxxxxxxx> wrote:
> On 01/25/2016 04:43 AM, Solomon Lam wrote:
> > Hi, this is regarding package verification performed by pacman.
> >
> > Does pacman download the .sig file of a package while installing one? All I
> > could find are the local cached copies of packages only but not their
> > signatures. If that's the case, how does pacman verify the integrity of the
> > downloaded package?
> > It could be that the .sig file could have been downloaded into /tmp during
> > installation or to another location that I'm not aware of yet. This brings me
> > to my next point.
> >
> > I've manually downloaded just the package file (of some random package)
> > from a mirror and disconnected from the Internet. I used both 'pacman -U
> > <pkg-name>' and 'pacman -S <pkg-name>' to install the package and the
> > installation went just fine. I was expecting pacman to emit an error
> > stating that the signature was missing but nothing happened. Could someone care
> > to explain this?
> > BTW, I have SigLevel = Required DatabaseOptional in my pacman.conf.
> >
> > - Solomon
> >
>
> Packages from the Sync database have their signatures (if any) embedded
> in the db itself.
>
> If you really don't trust your own computer, set:
> LocalFileSigLevel = Required
>
> That will make installing AUR packages slightly awkward...
>
>
> Local files default to Optional, Remote files to Required, so if you use
> `pacman -U http://address.of/package.tar.xz` then it will download the
> package *and* signature for you; once there is a *.sig, pacman will
> demand it be a valid one.
>
> --
> Eli Schwartz
>
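The two things the thread talks past each other on are both visible in the sync database entry itself: the 'desc' file Solomon found carries %MD5SUM% and %SHA256SUM% for integrity, and the detached signature Eli refers to is stored base64-encoded in a %PGPSIG% field of that same file, which is why no .sig ever appears in the package cache. The script below is an added example, not code from the thread or from pacman: it parses a desc entry, checks a local package against the recorded checksums, and writes the embedded signature out as a detached .sig so it can be inspected or handed to `pacman-key --verify`. The package file, its bytes and the signature payload are constructed placeholders (the signature is not a real OpenPGP signature, so the gpg step is shown in a comment rather than run).

```shell
#!/bin/sh
# Added example, not code from the thread or from pacman: read the
# %MD5SUM%, %SHA256SUM% and %PGPSIG% fields pacman records for a package in
# a sync database 'desc' file, check a local package file against the
# checksums, and write the embedded signature out as a detached .sig.
# The desc text, the package bytes and the PGPSIG value are constructed
# placeholders (the signature is NOT a real OpenPGP signature).
set -eu

# Print the value stored under %FIELD% in a desc file.  desc files are a
# sequence of "%FIELD%" header lines, each followed by its value lines and
# a blank line.
desc_field() {                      # $1 = desc file, $2 = field name
    awk -v want="%$2%" '
        $0 == want { grab = 1; next }
        grab && $0 == "" { exit }
        grab { print }
    ' "$1"
}

# Compare the checksum recorded in desc with the package on disk.
# Prints "ok" on a match, "MISMATCH" (and returns 1) otherwise.
verify_checksum() {                 # $1 = desc file, $2 = package, $3 = MD5SUM|SHA256SUM
    expected=$(desc_field "$1" "$3")
    case "$3" in
        MD5SUM)    actual=$(md5sum "$2" | awk '{print $1}') ;;
        SHA256SUM) actual=$(sha256sum "$2" | awk '{print $1}') ;;
        *) echo "unknown checksum field $3" >&2; return 2 ;;
    esac
    if [ "$expected" = "$actual" ]; then
        echo ok
    else
        echo MISMATCH
        return 1
    fi
}

# Decode the base64 %PGPSIG% payload into "<package>.sig".  With a real
# package this is the file you would hand to:  pacman-key --verify <package>.sig
# (pacman checks the db entry in memory; no .sig is written to the cache,
# which is what the thread observed).
extract_sig() {                     # $1 = desc file, $2 = package
    desc_field "$1" PGPSIG | base64 -d > "$2.sig"
    [ -s "$2.sig" ]
}

# Build a constructed fixture: a fake package and a desc entry whose
# checksums match it.  Prints the directory path.
build_fixture() {
    dir=$(mktemp -d)
    pkg="$dir/example-1.0-1-any.pkg.tar.xz"
    printf 'constructed package bytes, not a real archive\n' > "$pkg"
    md5=$(md5sum "$pkg" | awk '{print $1}')
    sha=$(sha256sum "$pkg" | awk '{print $1}')
    sig=$(printf 'placeholder, not an OpenPGP signature' | base64 | tr -d '\n')
    cat > "$dir/desc" <<EOF
%FILENAME%
example-1.0-1-any.pkg.tar.xz

%NAME%
example

%VERSION%
1.0-1

%MD5SUM%
$md5

%SHA256SUM%
$sha

%PGPSIG%
$sig

%ARCH%
any

EOF
    echo "$dir"
}

# Demo: the intact package passes, a tampered copy fails the sha256 check.
dir=$(build_fixture)
pkg="$dir/example-1.0-1-any.pkg.tar.xz"
echo "sha256: $(verify_checksum "$dir/desc" "$pkg" SHA256SUM)"
echo "md5:    $(verify_checksum "$dir/desc" "$pkg" MD5SUM)"
extract_sig "$dir/desc" "$pkg" && echo "signature written to $pkg.sig"
printf 'tampered' >> "$pkg"
echo "after tampering: $(verify_checksum "$dir/desc" "$pkg" SHA256SUM || true)"
rm -rf "$dir"
```

To run this against a real entry, extract the sync db (for example `tar -xf /var/lib/pacman/sync/core.db`) and point the functions at the package's desc file and the cached .pkg.tar.* in /var/cache/pacman/pkg. The checksum match only proves the download was not corrupted; whether a missing or bad signature is fatal is governed by SigLevel (and LocalFileSigLevel for `pacman -U` on a local path), which is the setting the thread discusses.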