[arch-general] Clarification on pacman signature verification

Solomon Lam phrackmod at gmail.com
Mon Jan 25 09:43:24 UTC 2016

Hi,

This is regarding package verification performed by pacman.

Does pacman download the .sig file of a package while installing one? All I
could find are the local cached copies of packages, but not their
signatures. If that's the case, how does pacman verify the integrity of the
downloaded package?
It could be that the .sig file was downloaded into /tmp during
installation, or to another location that I'm not aware of yet. This brings me
to my next point.

I've manually downloaded just the package file (of some random package)
from a mirror and disconnected from the Internet. I used both 'pacman -U
<pkg-name>' and 'pacman -S <pkg-name>' to install the package, and the
installation went just fine. I was expecting pacman to emit an error
stating that the signature was missing, but nothing happened. Could someone
care to explain this?
BTW, I have SigLevel = Required DatabaseOptional in my pacman.conf.

- Solomon
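As an added example (not part of Solomon's message and not pacman's own code), the shell function below reproduces by hand the check pacman applies to a package archive and its detached signature: a missing <pkg>.sig is fatal under SigLevel Required, is tolerated under Optional, and a present one is verified with gpg against the pacman keyring. The keyring path /etc/pacman.d/gnupg and the <pkg>.sig naming next to the archive are the standard Arch layout; everything else (the function name, the SIGLEVEL argument) is this example's own convention.

```shell
#!/bin/sh
# Added example, not from the original post: replay pacman's detached-signature
# check for one package file. Assumes an Arch layout where the pacman keyring is
# in /etc/pacman.d/gnupg and the signature, when present, sits beside the
# archive as <pkg>.sig (e.g. /var/cache/pacman/pkg/foo-1.0-1-x86_64.pkg.tar.xz.sig).

PACMAN_GNUPG_HOME="${PACMAN_GNUPG_HOME:-/etc/pacman.d/gnupg}"

# verify_pkg PKGFILE SIGLEVEL
#   PKGFILE  : path to a package archive
#   SIGLEVEL : "Required" or "Optional", mirroring the pacman.conf SigLevel keyword
# Returns 0 when the package is acceptable under that policy, 1 when it is not.
verify_pkg() {
    pkg=$1
    siglevel=$2
    sig="$pkg.sig"

    [ -f "$pkg" ] || { echo "error: $pkg: no such file" >&2; return 1; }

    if [ ! -f "$sig" ]; then
        # No signature on disk: the policy keyword decides what happens.
        case $siglevel in
            Required)
                echo "error: $pkg: missing required signature" >&2
                return 1 ;;
            Optional)
                echo "warning: $pkg: no signature file, accepted under Optional" >&2
                return 0 ;;
            *)
                echo "error: unknown SigLevel '$siglevel'" >&2
                return 1 ;;
        esac
    fi

    # Signature present: verify it with the pacman keyring. gpg exits 0 only
    # for a good signature from a key in that keyring.
    if gpg --homedir "$PACMAN_GNUPG_HOME" --verify "$sig" "$pkg" 2>/dev/null; then
        echo "ok: $pkg: signature verified" >&2
        return 0
    else
        echo "error: $pkg: signature verification failed" >&2
        return 1
    fi
}
```

Usage on an Arch system: `verify_pkg /var/cache/pacman/pkg/foo-1.0-1-x86_64.pkg.tar.xz Required`. Two points worth checking against your own configuration when reading the result: 'pacman -U' on a local file is governed by LocalFileSigLevel, which the stock Arch pacman.conf sets to Optional, not by the SigLevel line, and for 'pacman -S' the signature need not exist as a separate file at all, because repo-add stores it base64-encoded in the package's desc entry (%PGPSIG%) inside the sync database, which pacman can verify against a cached archive without touching the network.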

