On 01/25/2016 01:35 PM, Solomon Lam wrote:
> Thanks for the reply. I think I got my answer.
> I noticed that the 'desc' file of a package (inside the db) contains 'md5' and 'sha256' checksums as well. So, does pacman perform pgp verification or checksum verification during installation?

It just uses the best verification available. Test it by running `pacman -Sw --debug somepackage`.

Any package in the main repos will have a signature -- it will only verify that. A custom repo for AUR packages (I keep one) will likely not be signed, and if not will be verified with sha256sum.

md5sum is only there for old times' sake I think. I guess if you have a repo generated by really old versions of repo-add, it will only have an md5sum and verify that.

-- 
Eli Schwartz
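
The selection order described in the reply above, as an added example that is not part of the original message and is not pacman's own code: it parses a sync-db `desc` entry and reports which check would apply (signature, else sha256, else md5), then checks package bytes against the stored checksum. The function names, the `sig_checking` parameter and the sample entries are assumptions constructed for illustration, and the PGP signature itself is not verified here.

```python
import hashlib
import hmac

def parse_desc(text):
    """Parse a sync-db 'desc' entry: a '%FIELD%' line, then its value lines."""
    fields, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            key = line[1:-1]
            fields[key] = []
        elif line and key:
            fields[key].append(line)
        else:
            key = None  # a blank line closes the current field
    return {k: "\n".join(v) for k, v in fields.items()}

def best_verification(fields, sig_checking=True):
    """Order described in the reply: signature, else sha256, else md5."""
    # sig_checking is a hypothetical switch standing in for the repo's signature policy.
    if sig_checking and fields.get("PGPSIG"):
        return "pgp"
    if fields.get("SHA256SUM"):
        return "sha256"
    if fields.get("MD5SUM"):
        return "md5"
    return "none"

def checksum_ok(fields, data):
    """Check package bytes against the strongest checksum the entry carries."""
    algo = best_verification(fields, sig_checking=False)
    if algo == "none":
        return False  # nothing to verify against: treat as a failure
    expected = fields[algo.upper() + "SUM"].lower()
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), expected)

# Constructed sample data (not from a real repository).
PKG = b"constructed package contents"
SHA = hashlib.sha256(PKG).hexdigest()
MD5 = hashlib.md5(PKG).hexdigest()
SIGNED = f"%NAME%\nfoo\n\n%MD5SUM%\n{MD5}\n\n%SHA256SUM%\n{SHA}\n\n%PGPSIG%\nQ09OU1RSVUNURUQ=\n"
UNSIGNED = f"%NAME%\nbar\n\n%MD5SUM%\n{MD5}\n\n%SHA256SUM%\n{SHA}\n"
LEGACY = f"%NAME%\nbaz\n\n%MD5SUM%\n{MD5}\n"

if __name__ == "__main__":
    for entry in (SIGNED, UNSIGNED, LEGACY):
        f = parse_desc(entry)
        print(f["NAME"], best_verification(f), checksum_ok(f, PKG))
```

Run over the `desc` entries of a custom repo, `best_verification` shows which packages would fall back to a checksum only, which is the case to look for when the repo database itself is not signed.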