Thanks for the reply. I think I got my answer. I noticed that the 'desc' file of a package (inside the db) contains 'md5' and 'sha256' checksums as well. So, does pacman perform PGP verification or checksum verification during installation?

On Mon, Jan 25, 2016 at 8:08 PM, Eli Schwartz <eschwartz93@gmail.com> wrote:

On 01/25/2016 04:43 AM, Solomon Lam wrote:

Hi, This is regarding package verification performed by pacman.

Does pacman download the .sig file of a package while installing one? All I could find are the local cached copies of packages only but not their signatures. If that's the case, how does pacman verify the integrity of the downloaded package? It could be that the .sig file could have been downloaded into /tmp during installation or to another location that I'm not aware of yet. This brings me to my next point.
I've manually downloaded just the package file (of some random package) from a mirror and disconnected from the Internet. I used both 'pacman -U <pkg-name>' and 'pacman -S <pkg-name>' to install the package and the installation went just fine. I was expecting Pacman to emit an error stating that the signature was missing, but nothing happened. Could someone care to explain this? BTW, I have SigLevel = Required DatabaseOptional in my pacman.conf.
- Solomon
Packages from the Sync database have their signatures (if any) embedded in the db itself.
If you really don't trust your own computer, set: LocalFileSigLevel = Required
That will make installing AUR packages slightly awkward...
Local files default to Optional, Remote files to Required, so if you use `pacman -U http://address.of/package.tar.xz` then it will download the package *and* signature for you; once there is a *.sig, pacman will demand it be a valid one.
-- Eli Schwartz
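As an added illustration of the two mechanisms this thread touches (the md5/sha256 checksums carried in a sync-db 'desc' entry, and the Required/Optional signature policy), and not code from this thread or from pacman itself: a small Python model that parses a constructed 'desc' entry, verifies the checksums against the package bytes, extracts the detached signature that repo-add embeds under %PGPSIG% (or accepts a sidecar .sig, as in the -U case), and applies the SigLevel rules Eli describes. The package bytes, the 'desc' text and the signature blob are all constructed placeholders; the OpenPGP check itself is delegated to a caller-supplied function (an assumption of this model; pacman hands that work to GnuPG via gpgme), so only the checksum and policy logic is real here.

```python
import base64
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the bytes of a package file (not a real .pkg.tar.xz).
PKG_BYTES = b"constructed package payload for demonstration\n"

# Placeholder bytes shaped like an OpenPGP packet (high bit set on the first byte).
# NOT a real signature; it only has to survive the structural sanity check below.
FAKE_SIG = bytes([0x89, 0x01, 0x33, 0x04, 0x00, 0x01, 0x08, 0x00]) + b"\x00" * 16

# Constructed sync-db 'desc' entry in the %KEY% / values / blank-line layout that
# repo-add writes. Checksums are derived from PKG_BYTES; PGPSIG is base64 of FAKE_SIG.
DESC_TEXT = (
    "%FILENAME%\nexample-1.0-1-x86_64.pkg.tar.xz\n\n"
    "%NAME%\nexample\n\n"
    "%VERSION%\n1.0-1\n\n"
    f"%MD5SUM%\n{hashlib.md5(PKG_BYTES).hexdigest()}\n\n"
    f"%SHA256SUM%\n{hashlib.sha256(PKG_BYTES).hexdigest()}\n\n"
    f"%PGPSIG%\n{base64.b64encode(FAKE_SIG).decode()}\n"
)


def parse_desc(text: str) -> Dict[str, List[str]]:
    """Parse a 'desc' file into {KEY: [values...]}; a blank line ends a section."""
    fields: Dict[str, List[str]] = {}
    key: Optional[str] = None
    for line in text.splitlines():
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            key = line[1:-1]
            fields[key] = []
        elif line.strip() == "":
            key = None
        elif key is not None:
            fields[key].append(line)
    return fields


def signature_from_desc(fields: Dict[str, List[str]]) -> Optional[bytes]:
    """Return the detached signature embedded as %PGPSIG%, or None if the db has none."""
    values = fields.get("PGPSIG")
    return base64.b64decode(values[0]) if values else None


def looks_like_openpgp(blob: bytes) -> bool:
    """Cheap structural check: an OpenPGP packet starts with a tag byte whose high bit is set."""
    return len(blob) > 0 and (blob[0] & 0x80) != 0


def check_package(fields: Dict[str, List[str]], pkg: bytes, sig: Optional[bytes],
                  siglevel: str,
                  verify_sig: Callable[[bytes, bytes], bool]) -> Tuple[bool, str]:
    """Model the decision pacman makes for one package.

    siglevel is one of 'Required', 'Optional', 'Never' (the package part of SigLevel).
    verify_sig(pkg, sig) stands in for the real OpenPGP verification (assumption).
    Checksums from the db are always compared first, independent of SigLevel.
    """
    if "SHA256SUM" in fields and hashlib.sha256(pkg).hexdigest() != fields["SHA256SUM"][0]:
        return False, "sha256 mismatch"
    if "MD5SUM" in fields and hashlib.md5(pkg).hexdigest() != fields["MD5SUM"][0]:
        return False, "md5 mismatch"
    if siglevel == "Never":
        return True, "checksums ok; signature check disabled (Never)"
    if siglevel not in ("Required", "Optional"):
        raise ValueError(f"unknown SigLevel value: {siglevel}")
    if sig is None:
        # This is the case from the thread: Optional lets a missing signature through,
        # Required does not.
        if siglevel == "Required":
            return False, "signature missing"
        return True, "checksums ok; no signature to check (Optional)"
    # A signature is present: under both Required and Optional it must be valid.
    if not verify_sig(pkg, sig):
        return False, "signature invalid"
    return True, "checksums ok; signature valid"


if __name__ == "__main__":
    desc = parse_desc(DESC_TEXT)
    embedded = signature_from_desc(desc)
    always_ok = lambda p, s: True   # placeholder verifier, assumption
    print("embedded sig looks like OpenPGP:", looks_like_openpgp(embedded or b""))
    print("sync db, Required:", check_package(desc, PKG_BYTES, embedded, "Required", always_ok))
    print("-U without .sig, Required:", check_package(desc, PKG_BYTES, None, "Required", always_ok))
    print("-U without .sig, Optional:", check_package(desc, PKG_BYTES, None, "Optional", always_ok))
    print("tampered package:", check_package(desc, PKG_BYTES + b"x", embedded, "Required", always_ok))
```

The sync (-S) path corresponds to passing the signature pulled out of the db entry; the local-file (-U) path corresponds to passing whatever sidecar .sig exists next to the package, or None when there is none, which is why the same package can pass under Optional and fail under Required.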