[arch-general] Clarification on pacman signature verification
Eli Schwartz
eschwartz93 at gmail.com
Mon Jan 25 14:38:42 UTC 2016
On 01/25/2016 04:43 AM, Solomon Lam wrote:
> Hi, This is regarding package verification performed by pacman.
>
> Does pacman download the .sig file of a package while installing one? All I
> could find are the local cached copies of packages only but not their
> signatures. If thats the case, how does pacman verify the integrity of the
> downloaded package?
> It could be that .sig file could have been downloaded into /tmp during
> installation or to another location that I'm not aware yet. This brings me
> to my next point.
>
> I've manually downloaded just the package file (of some random package)
> from a mirror and disconnected from the Internet. I used both 'pacman -U
> <pkg-name>' and 'pacman -S <pkg-name>' to install the package and the
> installation went just fine. I was expecting Pacman to emit an error
> stating that signature was missing but nothing happened. Could someone care
> to explain this.
> BTW, I have SigLevel = Required DatabaseOptional in my pacman.conf.
>
> - Solomon
>
Packages from the Sync database have their signatures (if any) embedded
in the db itself.
If you really don't trust your own computer, set:
LocalFileSigLevel = Required
That will make installing AUR packages slightly awkward...
Local files default to Optional, Remote files to Required, so if you use
`pacman -U http://address.of/package.tar.xz` then it will download the
package *and* signature for you, once there is a *.sig pacman will
demand it be a valid one.
--
Eli Schwartz
More information about the arch-general
mailing list