Thank you for the clarification. After reading Allan's blog post regarding keychain separation [1], I understand where my confusion was.

To reiterate what I've learned: The .sig file allows the user to download a built package and verify it outside of a database setting using `pacman -U`. The .sig files in the AUR are entirely different than those used by pacman, as they verify the source files, not the generated .tar.xz files. Furthermore, there should never be a .sig file for a .tar.xz resulting from `makepkg` since the generated binaries are system-independent.

Thank you all for your help.

[1] http://allanmcrae.com/2015/01/two-pgp-keyrings-for-package-management-in-arc...

On Mon, May 29, 2017 at 2:23 PM, David Phillips <david@sighup.nz> wrote:
On Tue, May 30, 2017 at 09:17:28AM +1200, David Phillips wrote:
On Mon, May 29, 2017 at 10:37:02PM +0200, Bruno Pagani wrote:
Just one thing: AFAIK, there are no .sig files in the AUR.
Of course not; the AUR does not host any built packages. Only built packages have .sig files.
On the other hand, you can configure makepkg to sign the packages it builds and this will generate a .sig file when you build a package locally.
Pardon me, I got the wrong end of the stick and thought you were replying to Allan; the tone of my message isn't what it should be.
Thanks
--
-Brandon Milton
brandon.milton21@gmail.com
http://brandonio21.com