[arch-general] Clarification on pacman signature verification

Solomon Lam phrackmod at gmail.com
Mon Jan 25 18:35:22 UTC 2016


Thanks for the reply. I think I got my answer.

I noticed that the 'desc' file of a package (inside the db) contains 'md5'
and 'sha256' checksums as well. So, does pacman perform pgp verification or
checksum verification during installation?

On Mon, Jan 25, 2016 at 8:08 PM, Eli Schwartz <eschwartz93 at gmail.com> wrote:

> On 01/25/2016 04:43 AM, Solomon Lam wrote:
> > Hi, This is regarding package verification performed by pacman.
> >
> > Does pacman download the .sig file of a package while installing one?
> > All I could find are the local cached copies of packages only but not
> > their signatures. If that's the case, how does pacman verify the
> > integrity of the downloaded package?
> > It could be that .sig file could have been downloaded into /tmp during
> > installation or to another location that I'm not aware yet. This brings
> > me to my next point.
> >
> > I've manually downloaded just the package file (of some random package)
> > from a mirror and disconnected from the Internet. I used both 'pacman -U
> > <pkg-name>' and 'pacman -S <pkg-name>' to install the package and the
> > installation went just fine. I was expecting Pacman to emit an error
> > stating that signature was missing but nothing happened. Could someone
> > care to explain this?
> > BTW, I have SigLevel = Required DatabaseOptional in my pacman.conf.
> >
> > - Solomon
> >
>
> Packages from the Sync database have their signatures (if any) embedded
> in the db itself.
>
> If you really don't trust your own computer, set:
> LocalFileSigLevel = Required
>
> That will make installing AUR packages slightly awkward...
>
>
> Local files default to Optional, Remote files to Required, so if you use
> `pacman -U http://address.of/package.tar.xz` then it will download the
> package *and* signature for you, once there is a *.sig pacman will
> demand it be a valid one.
>
> --
> Eli Schwartz
>
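
As an added illustration (not code from this thread and not pacman's own code), here is a small Python sketch of the 'desc' format Solomon mentions and the embedded signature Eli refers to. Sync database desc entries are %KEY% blocks, and alongside %MD5SUM% and %SHA256SUM% they carry a %PGPSIG% field with the base64-encoded detached signature. The script parses a constructed desc entry, checks the checksums against sample package bytes, and decodes the embedded signature to the raw bytes you would otherwise find in a separate .sig file. The package bytes, the desc contents and the signature value are all constructed placeholders; only the field names follow the real db format.

```python
import base64
import hashlib

# Constructed sample: the bytes of a (fake) package file.
PKG_BYTES = b"not a real package, just sample bytes\n"

# Constructed placeholder for the detached signature (not a real PGP signature).
FAKE_SIG = b"placeholder detached signature bytes"

# Constructed 'desc' entry in the sync-db layout: a %KEY% header line,
# one or more value lines, then a blank line. Checksums are computed over
# PKG_BYTES so the sample is self-consistent.
DESC_TEXT = (
    "%FILENAME%\nexample-1.0-1-any.pkg.tar.xz\n\n"
    "%NAME%\nexample\n\n"
    "%VERSION%\n1.0-1\n\n"
    f"%MD5SUM%\n{hashlib.md5(PKG_BYTES).hexdigest()}\n\n"
    f"%SHA256SUM%\n{hashlib.sha256(PKG_BYTES).hexdigest()}\n\n"
    f"%PGPSIG%\n{base64.b64encode(FAKE_SIG).decode()}\n\n"
)


def parse_desc(text):
    """Parse a desc file into {key: [values]}; keys are the %NAME% headers."""
    entries = {}
    key = None
    for line in text.splitlines():
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            key = line[1:-1]
            entries[key] = []
        elif line.strip() == "":
            key = None          # blank line ends the current block
        elif key is not None:
            entries[key].append(line)
    return entries


def verify_checksums(desc, pkg_bytes):
    """True only if every checksum field present in desc matches pkg_bytes.

    A desc with no checksum field at all returns False: nothing was checked,
    so it must not look like a pass.
    """
    algos = {"MD5SUM": hashlib.md5, "SHA256SUM": hashlib.sha256}
    checked = False
    for field, algo in algos.items():
        if field in desc:
            checked = True
            if desc[field][0] != algo(pkg_bytes).hexdigest():
                return False
    return checked


def extract_signature(desc):
    """Return the detached PGP signature bytes embedded in desc, or None."""
    if "PGPSIG" not in desc:
        return None
    return base64.b64decode("".join(desc["PGPSIG"]))


if __name__ == "__main__":
    d = parse_desc(DESC_TEXT)
    print("checksums match:", verify_checksums(d, PKG_BYTES))
    sig = extract_signature(d)
    # Writing sig next to the package as <pkgfile>.sig gives a detached
    # signature that can be checked against the pacman keyring with
    # gpg --verify; that step needs the real keyring and is not done here.
    print("embedded signature bytes:", 0 if sig is None else len(sig))
```

The checksum check is the cheap integrity test that desc alone supports; the %PGPSIG% bytes are what pacman actually verifies against its keyring when SigLevel requires it, which is why no separate .sig ends up in the package cache for sync installs.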

