[arch-general] Clarification on pacman signature verification

Doug Newgard scimmia at archlinux.info
Mon Jan 25 14:37:26 UTC 2016


On Mon, 25 Jan 2016 15:13:24 +0530
Solomon Lam <phrackmod at gmail.com> wrote:

> Hi, This is regarding package verification performed by pacman.
> 
> Does pacman download the .sig file of a package while installing one? All I
> could find are the local cached copies of packages only but not their
> signatures. If that's the case, how does pacman verify the integrity of the
> downloaded package?
> It could be that .sig file could have been downloaded into /tmp during
> installation or to another location that I'm not aware yet. This brings me
> to my next point.
> 
> I've manually downloaded just the package file (of some random package)
> from a mirror and disconnected from the Internet. I used both 'pacman -U
> <pkg-name>' and 'pacman -S <pkg-name>' to install the package and the
> installation went just fine. I was expecting Pacman to emit an error
> stating that signature was missing but nothing happened. Could someone care
> to explain this?
> BTW, I have SigLevel = Required DatabaseOptional  in my pacman.conf.
> 
> - Solomon

Signatures are kept in the databases.
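As an added illustration of the answer above (this is example code, not part of the thread or of pacman itself), the following script builds a constructed sync database in memory, pulls the package's signature out of it, and checks the digests the database also carries. The layout it assumes is the repo-add one: a gzipped tar with one `<name>-<ver>/desc` file per package, where `%PGPSIG%` holds the base64-encoded detached OpenPGP signature and `%MD5SUM%`/`%SHA256SUM%` hold the package digests. The signature bytes are a constructed placeholder with a valid packet header only; gpg would reject them, so the example stops at locating and decoding the signature rather than verifying it.

```python
import base64
import hashlib
import io
import tarfile

PKG_NAME = "example"
PKG_FILE = "example-1.0-1-any.pkg.tar.xz"
# Constructed package bytes; a real package is a compressed tar, but the
# checks below only hash the file, so any bytes will do.
PKG_BYTES = b"constructed package payload, not a real pacman package\n"

# Constructed placeholder: an OpenPGP packet header (old format, tag 2 =
# signature, one-byte length) followed by dummy body bytes. It is NOT a
# valid signature, so gpg would reject it; it only exercises the parsing.
FAKE_SIG = bytes([0x88, 0x04]) + b"\x04\x00\x01\x08"


def build_sample_db(pkg_bytes: bytes, sig: bytes) -> bytes:
    """Build an in-memory sync database laid out the way repo-add does
    (assumed format): a gzipped tar with <name>-<ver>/desc per package."""
    desc = (
        f"%FILENAME%\n{PKG_FILE}\n\n"
        f"%NAME%\n{PKG_NAME}\n\n"
        f"%VERSION%\n1.0-1\n\n"
        f"%MD5SUM%\n{hashlib.md5(pkg_bytes).hexdigest()}\n\n"
        f"%SHA256SUM%\n{hashlib.sha256(pkg_bytes).hexdigest()}\n\n"
        f"%PGPSIG%\n{base64.b64encode(sig).decode()}\n\n"
    ).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(f"{PKG_NAME}-1.0-1/desc")
        info.size = len(desc)
        tar.addfile(info, io.BytesIO(desc))
    return buf.getvalue()


def parse_desc(text: str) -> dict:
    """Parse the %KEY% / value lines / blank-line format into {key: [values]}."""
    fields, key = {}, None
    for line in text.splitlines():
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            key = line[1:-1]
            fields[key] = []
        elif line and key is not None:
            fields[key].append(line)
    return fields


def read_sync_db(db_bytes: bytes) -> dict:
    """Return {pkgname: desc fields} for every package entry in the database."""
    packages = {}
    with tarfile.open(fileobj=io.BytesIO(db_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith("/desc"):
                continue
            fields = parse_desc(tar.extractfile(member).read().decode())
            packages[fields["NAME"][0]] = fields
    return packages


def openpgp_packet_tag(first_byte: int) -> int:
    """Packet tag from the first byte of an OpenPGP packet header (RFC 4880, 4.2)."""
    if not first_byte & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first_byte & 0x40:                  # new-format header
        return first_byte & 0x3F
    return (first_byte >> 2) & 0x0F        # old-format header


def extract_signature(fields: dict) -> bytes:
    """Decode %PGPSIG% and check that it at least starts as a signature packet."""
    if "PGPSIG" not in fields:
        raise ValueError("database entry carries no signature")
    sig = base64.b64decode("".join(fields["PGPSIG"]))
    if openpgp_packet_tag(sig[0]) != 2:
        raise ValueError("PGPSIG is not an OpenPGP signature packet")
    return sig


def checksums_match(fields: dict, pkg_bytes: bytes) -> bool:
    """Compare the digests stored in the database entry against the file."""
    ok = True
    if "SHA256SUM" in fields:
        ok &= hashlib.sha256(pkg_bytes).hexdigest() == fields["SHA256SUM"][0]
    if "MD5SUM" in fields:
        ok &= hashlib.md5(pkg_bytes).hexdigest() == fields["MD5SUM"][0]
    return ok


def signature_for_package(db_bytes: bytes, name: str) -> bytes:
    """Convenience wrapper: signature bytes for one package in a database."""
    return extract_signature(read_sync_db(db_bytes)[name])


if __name__ == "__main__":
    db = build_sample_db(PKG_BYTES, FAKE_SIG)
    entry = read_sync_db(db)[PKG_NAME]
    sig = extract_signature(entry)
    print("signature bytes found in db:", len(sig))
    print("checksums match package:", checksums_match(entry, PKG_BYTES))
```

Written to a file named `<package>.sig` beside the package, the decoded bytes are exactly the detached signature that `gpg --verify <package>.sig <package>` consumes. Note that the thread's `SigLevel = Required DatabaseOptional` line applies to repository packages; pacman.conf(5) has a separate `LocalFileSigLevel` option that governs how `pacman -U` treats a local file and any sibling `.sig`.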

