On 29/05/17 15:31, Brandon Milton wrote:
Hello all,
This is my first post to the mailing list, so please feel free to correct me if I'm in the wrong place.
While exploring the pacman mirror layout (i.e. what is hosted by mirrors), I noticed that for each package there are two copies of the same signature: one in %PGPSIG% in the desc file of the database and one in the {package}-{version}.pkg.tar.gz.sig file.
I understand that for the AUR, the .sig file is necessary given that there is no official database. However, is there any reasoning behind having two copies of the signature for official repositories? To me, this simply seems like extra cruft that mirrors have to carry around.
pacman -U http://.... will download a signature file for the package if one is present.
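The two copies the question refers to are the same detached signature in two encodings: the .sig file next to the package holds the raw OpenPGP signature bytes, and %PGPSIG% in the database's desc entry holds the same bytes base64-encoded (which is what repo-add writes). The following is an added example, not code from this thread or from pacman, that parses a desc entry and checks whether its %PGPSIG% decodes to the bytes of a given .sig file. The desc text and the signature bytes are constructed samples (the signature is a placeholder blob, not a real OpenPGP signature); the helper names parse_desc, pgpsig_from_desc and sig_matches are the example's own.

```python
import base64

# Constructed placeholder standing in for the contents of
# {package}-{version}.pkg.tar.gz.sig (not a real OpenPGP signature).
SAMPLE_SIG_BYTES = b"\x89\x02\x33constructed-detached-signature-bytes\x00\x01"

# Constructed desc entry in the format found inside a repo .db tarball:
# %FIELD% lines, each followed by its values and a blank line.
SAMPLE_DESC = (
    "%FILENAME%\nexample-pkg-1.0-1-x86_64.pkg.tar.gz\n\n"
    "%NAME%\nexample-pkg\n\n"
    "%VERSION%\n1.0-1\n\n"
    "%PGPSIG%\n" + base64.b64encode(SAMPLE_SIG_BYTES).decode("ascii") + "\n\n"
    "%DEPENDS%\nglibc\nzlib\n\n"
)


def parse_desc(text):
    """Parse a desc entry into {FIELD: [values]}.

    Blocks are separated by blank lines; the first line of a block is the
    %FIELD% marker and the remaining lines are that field's values.
    """
    fields = {}
    for block in text.strip().split("\n\n"):
        lines = block.strip().split("\n")
        header = lines[0]
        if not (header.startswith("%") and header.endswith("%")):
            raise ValueError("malformed desc block: %r" % header)
        fields[header.strip("%")] = lines[1:]
    return fields


def pgpsig_from_desc(desc_fields):
    """Return the detached signature bytes stored base64-encoded in %PGPSIG%,
    or None if the entry carries no signature."""
    values = desc_fields.get("PGPSIG")
    if not values:
        return None
    # %PGPSIG% is a single base64 line; validate=True rejects stray characters.
    return base64.b64decode(values[0], validate=True)


def sig_matches(desc_text, sig_file_bytes):
    """True when the .sig file bytes equal the signature embedded in desc."""
    embedded = pgpsig_from_desc(parse_desc(desc_text))
    return embedded is not None and embedded == sig_file_bytes


if __name__ == "__main__":
    fields = parse_desc(SAMPLE_DESC)
    print("package:", fields["NAME"][0], fields["VERSION"][0])
    print("db copy matches .sig file:", sig_matches(SAMPLE_DESC, SAMPLE_SIG_BYTES))
```

On a real system the desc entry can be read straight out of the synced database, for example with `bsdtar -xOf /var/lib/pacman/sync/core.db <pkgname>-<version>/desc`, and compared against the downloaded .sig file; a mismatch would mean the mirror's database and package signature are out of step, which is worth checking before trusting either copy.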