On Mon, May 29, 2017 at 02:33:29PM -0700, Brandon Milton wrote:
> Thank you for the clarification. After reading Allan's blog post regarding keychain separation [1], I understand where my confusion was.
>
> To reiterate what I've learned:
>
> The .sig file allows the user to download a built package and verify it outside of a database setting using `pacman -U`.

That is correct.

> The .sig files in the AUR are entirely different than those used by pacman, as they verify the source files, not the generated .tar.xz files.

Yes. They are the same type of file, and will be generated in much the same way, but the domains in which they are used are separate, like you say.

> Furthermore, there should never be a .sig file for a .tar.xz resulting from `makepkg` since the generated binaries are system-independent.

I would not say that this is correct. makepkg can help you to generate .sig files for the .pkg.tar.xz built packages that it outputs. However, this is rarely done for AUR packages unless the builder is distributing the package in binary form, for example, to put on an Unofficial User Repository hosting package binaries.

> Thank you all for your help.
[1] http://allanmcrae.com/2015/01/two-pgp-keyrings-for-package-management-in-arc...
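The following script is an added illustration of the keyring separation discussed in this thread; it is not code from the thread, from pacman or from makepkg. It reproduces with plain gpg what the two tools do: `makepkg --sign` writes a detached signature next to the built `.pkg.tar.xz`, and `pacman -U` checks that signature against pacman's own keyring in `/etc/pacman.d/gnupg` rather than the builder's `~/.gnupg`. The two keyring directories, the throwaway packager key and the package payload are all constructed stand-ins created under a temporary directory; the only assumption is that gpg 2.1 or later is installed, and neither makepkg nor pacman is run.

```shell
#!/bin/sh
# Added example (not from the arch-general thread, pacman or makepkg).
# Two keyrings: the builder's (signs) and pacman's (verifies). Assumes gpg >= 2.1.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BUILDER_HOME="$WORK/builder-gnupg"   # stands in for the packager's ~/.gnupg
PACMAN_HOME="$WORK/pacman-gnupg"     # stands in for /etc/pacman.d/gnupg
PKG="$WORK/example-1.0-1-x86_64.pkg.tar.xz"   # constructed stand-in for a built package

# A keyring directory with the permissions gpg insists on.
new_keyring() { mkdir -p "$1" && chmod 700 "$1"; }

# Constructed throwaway packager key: no passphrase, no expiry, hypothetical address.
make_builder_key() {
    GNUPGHOME="$BUILDER_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Packager <packager@example.invalid>' default default 0
}

# What "makepkg --sign" does: a binary detached signature written to <pkg>.sig.
# $1 = keyring dir, $2 = package file
sign_package() {
    GNUPGHOME="$1" gpg --batch --yes --quiet --detach-sign --output "$2.sig" "$2"
}

# What pacman does before installing a local file: verify <pkg>.sig against
# the given keyring. Returns 0 only for a good signature by a key that keyring holds.
# (pacman additionally requires the key to be locally signed; gpg --verify alone does not.)
# $1 = keyring dir, $2 = package file
verify_package() {
    GNUPGHOME="$1" gpg --batch --quiet --verify "$2.sig" "$2" >/dev/null 2>&1
}

# The analogue of "pacman-key --add" (followed by --lsign-key on a real system):
# copy the builder's public key into pacman's keyring.
import_builder_key() {
    GNUPGHOME="$BUILDER_HOME" gpg --batch --quiet --export packager@example.invalid |
        GNUPGHOME="$PACMAN_HOME" gpg --batch --quiet --import
}

new_keyring "$BUILDER_HOME"
new_keyring "$PACMAN_HOME"
make_builder_key >/dev/null 2>&1
printf 'constructed package payload\n' >"$PKG"
sign_package "$BUILDER_HOME" "$PKG"

# 1. The builder's own keyring accepts the signature it just made.
verify_package "$BUILDER_HOME" "$PKG" && echo "builder keyring: good signature"

# 2. pacman's keyring knows nothing about the builder: pacman -U would refuse the file.
verify_package "$PACMAN_HOME" "$PKG" || echo "pacman keyring: unknown key, package refused"

# 3. Once the builder's key is in pacman's keyring, the same .sig is accepted.
import_builder_key >/dev/null 2>&1
verify_package "$PACMAN_HOME" "$PKG" && echo "pacman keyring: good signature after key import"

# 4. Any change to the package after signing invalidates the signature.
printf 'tampered\n' >>"$PKG"
verify_package "$PACMAN_HOME" "$PKG" || echo "tampered package: bad signature"
```

The AUR case is the other domain: there the `.sig` entries in a PKGBUILD's `source=()` array are checked by makepkg against the builder's own keyring (keys listed in `validpgpkeys`), and the built `.pkg.tar.xz` is installed from a trusted local build without any package signature, which is why the two sets of keys never need to overlap.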