[arch-general] Clarification on pacman signature verification
Eli Schwartz
eschwartz93 at gmail.com
Mon Jan 25 19:25:28 UTC 2016
On 01/25/2016 01:35 PM, Solomon Lam wrote:
> Thanks for the reply. I think I got my answer.
>
> I noticed that the 'desc' file of a package (inside the db) contains 'md5'
> and 'sha256' checksums as well. So, does pacman perform PGP verification or
> checksum verification during installation?
It just uses the best verification available.
Test it by running `pacman -Sw --debug somepackage`
Any package in the main repos will have a signature -- it will only
verify that.
A custom repo for AUR packages (I keep one) will likely not be signed,
and if not will be verified with sha256sum.
md5sum is only there for old times' sake I think. I guess if you have a
repo generated by really old versions of repo-add, it will only have an
md5sum and verify that.
--
Eli Schwartz
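
An added example, not part of the original message and not pacman's own code: a small audit that reads the 'desc' entries of a sync database and reports the strongest integrity field each package carries, using the preference order the reply describes. It assumes the `%PGPSIG%`, `%SHA256SUM%` and `%MD5SUM%` field names and runs on a constructed in-memory database with placeholder values; it only inspects the fields and does not verify anything.

```python
import io
import tarfile

# Strongest first, in the order the post describes: signature, sha256, md5.
PREFERENCE = [("PGPSIG", "pgp"), ("SHA256SUM", "sha256"), ("MD5SUM", "md5")]

def parse_desc(text):
    """Parse a 'desc' entry: a %FIELD% line, its value lines, then a blank line."""
    fields, key = {}, None
    for line in text.splitlines():
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            key = line[1:-1]
            fields[key] = []
        elif not line.strip():
            key = None
        elif key is not None:
            fields[key].append(line)
    return fields

def best_check(fields):
    return next((label for name, label in PREFERENCE if fields.get(name)), "none")

def audit_db(fileobj):
    """Map package name -> strongest integrity field, for every desc in the db."""
    report = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as db:
        for member in db:
            if member.isfile() and member.name.endswith("/desc"):
                fields = parse_desc(db.extractfile(member).read().decode("utf-8"))
                report[fields.get("NAME", [member.name])[0]] = best_check(fields)
    return report

def build_sample_db():
    """Constructed sample db; every checksum and signature is a placeholder."""
    sample = {"signedpkg": ["MD5SUM", "SHA256SUM", "PGPSIG"],
              "localpkg": ["MD5SUM", "SHA256SUM"], "oldpkg": ["MD5SUM"]}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, keys in sample.items():
            body = (f"%NAME%\n{name}\n\n" + "".join(f"%{k}%\nPLACEHOLDER\n\n" for k in keys)).encode()
            info = tarfile.TarInfo(f"{name}-1.0-1/desc")
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for pkg, check in sorted(audit_db(build_sample_db()).items()):
        print(f"{pkg}: {check}")
```

To audit a real repository, pass an open binary file handle for its database file to `audit_db` instead of the sample.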