16 Sep 2012, 11:51 p.m.
Xyne wrote:
If they are kept in the database then signing the database file itself may be unnecessary. Pacman could verify the integrity of the metadata for each package when it downloads the database.
Adding to that idea, pacman currently verifies database signatures each time it is run. If the metadata sigs were included in the database then pacman could do the following:
1) check for matching valid sig for each database
2) if no valid sig, check metadata sigs in db
3) if all metadata sigs are valid, sign database with local key, else die
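The three-step flow proposed above, worked through as an added example in Go; this is not code from the post or from pacman. It assumes Ed25519 from Go's standard library as a stand-in for the OpenPGP signatures pacman actually uses, and the `PackageEntry`/`Database` layout, `SignEntry`, `SignDB` and `Verify` are hypothetical names chosen for the example. The sample package data in `main` is constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"log"
)

// PackageEntry models the per-package metadata a sync db would carry,
// plus the packager's signature over it (hypothetical layout, not pacman's).
type PackageEntry struct {
	Name    string
	Version string
	Sha256  string // digest of the package file (constructed sample value)
	KeyIdx  int    // which trusted key signed this entry (stand-in for a keyring lookup)
	Sig     []byte // signature over entryBytes()
}

// Database models one sync db: its entries and a detached signature over them.
type Database struct {
	Entries []PackageEntry
	Sig     []byte // nil or invalid counts as "no valid sig" in step 1
}

var ErrUntrusted = errors.New("no valid db signature and a package metadata signature failed")

func entryBytes(e PackageEntry) []byte {
	return []byte(e.Name + "\x00" + e.Version + "\x00" + e.Sha256)
}

// dbBytes is what the db-level signature covers: every entry and its own sig.
func dbBytes(d Database) []byte {
	var buf bytes.Buffer
	for _, e := range d.Entries {
		buf.Write(entryBytes(e))
		buf.Write(e.Sig)
		buf.WriteByte('\n')
	}
	return buf.Bytes()
}

// SignEntry is what a packager would do at build time.
func SignEntry(priv ed25519.PrivateKey, keyIdx int, e PackageEntry) PackageEntry {
	e.KeyIdx = keyIdx
	e.Sig = ed25519.Sign(priv, entryBytes(e))
	return e
}

// SignDB is what the repo does, or what step 3 does with the local key.
func SignDB(priv ed25519.PrivateKey, d Database) Database {
	d.Sig = ed25519.Sign(priv, dbBytes(d))
	return d
}

// Verify follows the post's three steps. trusted holds the packager keys
// (the keyring); localPriv is this machine's own key.
func Verify(d Database, trusted []ed25519.PublicKey, localPriv ed25519.PrivateKey) (Database, error) {
	msg := dbBytes(d)
	localPub := localPriv.Public().(ed25519.PublicKey)

	// Step 1: a valid db signature from a trusted key, or from our own local
	// key (left there by an earlier step 3), settles it.
	if d.Sig != nil {
		for _, k := range append(append([]ed25519.PublicKey{}, trusted...), localPub) {
			if ed25519.Verify(k, msg, d.Sig) {
				return d, nil
			}
		}
	}

	// Step 2: no valid db signature, so check each package's metadata signature.
	for _, e := range d.Entries {
		if e.KeyIdx < 0 || e.KeyIdx >= len(trusted) ||
			!ed25519.Verify(trusted[e.KeyIdx], entryBytes(e), e.Sig) {
			// Step 3, failure branch: die.
			return d, fmt.Errorf("%w: %s-%s", ErrUntrusted, e.Name, e.Version)
		}
	}

	// Step 3, success branch: sign the db with the local key so the next run
	// stops at step 1.
	return SignDB(localPriv, d), nil
}

func main() {
	packagerPub, packagerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	_, localPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	trusted := []ed25519.PublicKey{packagerPub}

	// Constructed sample db with no db-level signature: the case step 2 handles.
	db := Database{Entries: []PackageEntry{
		SignEntry(packagerPriv, 0, PackageEntry{Name: "example", Version: "1.0-1", Sha256: "00"}),
	}}
	signed, err := Verify(db, trusted, localPriv)
	fmt.Println("unsigned db, valid metadata: err =", err, "locally signed:", signed.Sig != nil)

	// Tamper with a version string: its metadata sig no longer matches.
	bad := db
	bad.Entries = append([]PackageEntry{}, db.Entries...)
	bad.Entries[0].Version = "1.0-2"
	_, err = Verify(bad, trusted, localPriv)
	fmt.Println("tampered entry: err =", err)
}
```

One caveat the flow leaves open: step 2 checks each entry on its own, so a db from which entries were removed (or an empty one) still passes and gets locally signed; only a db-level signature from the repo, as in step 1, vouches for the set as a whole.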