On 01/25/2016 01:35 PM, Solomon Lam wrote:
> Thanks for the reply. I think I got my answer.
>
> I noticed that the 'desc' file of a package (inside the db) contains 'md5'
> and 'sha256' checksums as well. So, does pacman perform pgp verification or
> checksum verification during installation?

It just uses the best verification available. Test it by running
`pacman -Sw --debug somepackage`

Any package in the main repos will have a signature -- it will only verify that. A custom repo for AUR packages (I keep one) will likely not be signed, and if not will be verified with sha256sum. md5sum is only there for old times' sake I think. I guess if you have a repo generated by really old versions of repo-add, it will only have an md5sum and verify that.

-- 
Eli Schwartz
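
The selection order described in the reply above, as an added example that is not part of the original message and is not pacman's own code: it parses a sync-db `desc` entry and reports which verification that entry supports. The function names, the sample entries and the `%PGPSIG%` value are constructed for illustration, and only the checksum comparison is performed (no PGP verification).

```python
import hashlib

def parse_desc(text):
    """Parse a 'desc' entry: a '%FIELD%' header line followed by its value lines."""
    fields, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            current = line.strip("%")
            fields[current] = []
        elif line and current is not None:
            fields[current].append(line)
        elif not line:
            current = None  # a blank line ends the current field
    return {name: "\n".join(values) for name, values in fields.items()}

def best_verification(fields):
    """Order given in the reply: signature first, then sha256, then md5."""
    for name, method in (("PGPSIG", "pgp"), ("SHA256SUM", "sha256"), ("MD5SUM", "md5")):
        if fields.get(name):
            return method
    return "none"

def checksum_ok(fields, data):
    """Compare package bytes with the strongest checksum present in the entry."""
    if fields.get("SHA256SUM"):
        return hashlib.sha256(data).hexdigest() == fields["SHA256SUM"].lower()
    if fields.get("MD5SUM"):
        return hashlib.md5(data).hexdigest() == fields["MD5SUM"].lower()
    return False

# Constructed sample data: a stand-in package and three 'desc' entries for it.
PKG = b"constructed package bytes"
SHA, MD5 = hashlib.sha256(PKG).hexdigest(), hashlib.md5(PKG).hexdigest()
OLD_DESC = f"%FILENAME%\ndemo-1.0-1-any.pkg.tar.xz\n\n%MD5SUM%\n{MD5}\n"
UNSIGNED_DESC = OLD_DESC + f"\n%SHA256SUM%\n{SHA}\n"
SIGNED_DESC = UNSIGNED_DESC + "\n%PGPSIG%\nQ09OU1RSVUNURUQ=\n"  # placeholder value

if __name__ == "__main__":
    for label, desc in (("signed repo", SIGNED_DESC),
                        ("unsigned custom repo", UNSIGNED_DESC),
                        ("old repo-add", OLD_DESC)):
        fields = parse_desc(desc)
        print(f"{label}: {best_verification(fields)}, checksum ok: {checksum_ok(fields, PKG)}")
```
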