[arch-general] Clarification on pacman signature verification

Eli Schwartz eschwartz93 at gmail.com
Mon Jan 25 14:38:42 UTC 2016


On 01/25/2016 04:43 AM, Solomon Lam wrote:
> Hi, This is regarding package verification performed by pacman.
> 
> Does pacman download the .sig file of a package while installing one? All I
> could find are the local cached copies of packages only but not their
> signatures. If that's the case, how does pacman verify the integrity of the
> downloaded package?
> It could be that .sig file could have been downloaded into /tmp during
> installation or to another location that I'm not aware yet. This brings me
> to my next point.
> 
> I've manually downloaded just the package file (of some random package)
> from a mirror and disconnected from the Internet. I used both 'pacman -U
> <pkg-name>' and 'pacman -S <pkg-name>' to install the package and the
> installation went just fine. I was expecting Pacman to emit an error
> stating that signature was missing but nothing happened. Could someone care
> to explain this?
> BTW, I have SigLevel = Required DatabaseOptional in my pacman.conf.
> 
> - Solomon
> 

Packages from the Sync database have their signatures (if any) embedded
in the db itself.

If you really don't trust your own computer, set:
LocalFileSigLevel = Required

That will make installing AUR packages slightly awkward...


Local files default to Optional, Remote files to Required, so if you use
`pacman -U http://address.of/package.tar.xz` then it will download the
package *and* signature for you, once there is a *.sig pacman will
demand it be a valid one.

-- 
Eli Schwartz
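The two points in the reply above (the sync db carries the package signature inside its own `desc` entries, and the SigLevel/LocalFileSigLevel setting decides whether a missing or invalid signature is fatal) as an added worked example. This is illustration code written for this page, not pacman's code and not anything posted in the thread. The `desc` entry below is a constructed sample in the `%KEY%`/value block layout repo-add writes, with a placeholder byte string standing in for the real OpenPGP signature; the decision function models the Never/Optional/Required semantics from pacman.conf(5) and ignores the TrustedOnly/TrustAll keyring options. Function names (`parse_desc`, `embedded_signature`, `parse_siglevel`, `siglevel_decision`, `demo`) are this example's own.

```python
import base64
from typing import Dict, Optional as Opt

# Constructed placeholder standing in for a detached OpenPGP signature.
# It is NOT a real signature; it only shows how the bytes travel in the db.
FAKE_SIG = b"\x89\x02" + bytes(range(8))

# Constructed sample of one package's "desc" entry as found inside a sync
# database (core.db etc.).  Note the %PGPSIG% block: the base64 of the .sig
# file, which is why no separate .sig lands in the package cache.
SAMPLE_DESC = (
    "%FILENAME%\nexample-pkg-1.0-1-x86_64.pkg.tar.xz\n\n"
    "%NAME%\nexample-pkg\n\n"
    "%VERSION%\n1.0-1\n\n"
    "%SHA256SUM%\n" + "00" * 32 + "\n\n"
    "%PGPSIG%\n" + base64.b64encode(FAKE_SIG).decode() + "\n\n"
)


def parse_desc(text: str) -> Dict[str, str]:
    """Parse the %KEY% block format into a dict.

    Each block starts with a %KEY% line, holds one value per line, and is
    terminated by a blank line; multi-line values are joined with '\\n'.
    """
    entries: Dict[str, str] = {}
    key: Opt[str] = None
    values = []
    for line in text.splitlines():
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            if key is not None:
                entries[key] = "\n".join(values)
            key, values = line[1:-1], []
        elif line:
            values.append(line)
    if key is not None:
        entries[key] = "\n".join(values)
    return entries


def embedded_signature(desc: Dict[str, str]) -> Opt[bytes]:
    """Return the detached signature embedded in the db entry, or None."""
    sig = desc.get("PGPSIG")
    return base64.b64decode(sig) if sig else None


def parse_siglevel(value: str) -> Dict[str, Opt[str]]:
    """Parse a SigLevel value such as 'Required DatabaseOptional'.

    A bare option applies to both packages and databases; a Package or
    Database prefix narrows it.  Later options override earlier ones.
    Only Never/Optional/Required are modelled here.
    """
    levels: Dict[str, Opt[str]] = {"Package": None, "Database": None}
    for tok in value.split():
        scope = None
        for prefix in ("Package", "Database"):
            if tok.startswith(prefix):
                scope, tok = prefix, tok[len(prefix):]
        if tok not in ("Never", "Optional", "Required"):
            continue  # TrustedOnly / TrustAll are out of scope for this model
        for s in ([scope] if scope else ["Package", "Database"]):
            levels[s] = tok
    return levels


def siglevel_decision(level: str, sig_present: bool, sig_valid: bool) -> str:
    """Model one check: Never -> no check; Optional -> a missing signature is
    accepted but a present one must verify; Required -> must be present and
    verify.  Returns 'accept' or 'reject'."""
    if level == "Never":
        return "accept"
    if level == "Optional":
        return "accept" if (not sig_present or sig_valid) else "reject"
    if level == "Required":
        return "accept" if (sig_present and sig_valid) else "reject"
    raise ValueError(f"unknown SigLevel {level!r}")


def demo() -> Dict[str, str]:
    """Replay the scenarios from the thread against the model."""
    desc = parse_desc(SAMPLE_DESC)
    sync_sig = embedded_signature(desc)
    local_default = parse_siglevel("Optional")["Package"]   # LocalFileSigLevel default
    local_strict = parse_siglevel("Required")["Package"]    # LocalFileSigLevel = Required
    return {
        "sync_db_entry_has_sig": str(sync_sig is not None),
        "pacman -U file, no .sig, default Optional": siglevel_decision(local_default, False, False),
        "pacman -U file, no .sig, Required": siglevel_decision(local_strict, False, False),
        "pacman -U file, bad .sig, Optional": siglevel_decision(local_default, True, False),
        "pacman -U url, good .sig, Required": siglevel_decision("Required", True, True),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The third scenario is the one Solomon hit: a locally downloaded package with no `.sig` beside it passes under the default LocalFileSigLevel (Optional), and only becomes a hard error once the local level is raised to Required; the fourth shows that "Optional" is not "ignore", since a signature that is present but fails to verify is still rejected.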
