[pacman-dev] Checking whether a package was signed

Dan McGee dpmcgee at gmail.com
Sat Jan 21 16:06:22 EST 2012


On Sat, Jan 21, 2012 at 2:48 PM, kachelaqa <kachelaqa at gmail.com> wrote:
> On 21/01/12 19:57, Dan McGee wrote:
>>
>> On Sat, Jan 21, 2012 at 12:45 PM, kachelaqa<kachelaqa at gmail.com>  wrote:
>>>
>>> I'm still trying to get to grips with package signing, so this question
>>> may not make complete sense, but:
>>>
>>> Is there a way to check whether the signature was verified when a package
>>> was installed?
>>
>> No. However, -Si shows the presence of a signature and the various
>> checksums (MD5, SHA256) in the database.
>
>
> Okay, thanks.
>
> Can I ask why this is? I would have expected there to be at least a log
> message somewhere.
It is a debug level message if one cares to look there. Obviously this
isn't all that helpful for the general end user though.

> ISTM that many users might want to know which installed packages on their
> systems have verified signatures, and which ones not. Would they be
> misguided in seeking that information?
Not misguided, but not something we currently track or anything. I
don't think we'd be against tracking this in some sort of
%VERIFICATION% field or something in the database; this could store
something like "md5", "sha256", "pgp", "none", etc. But it isn't
something we are likely to sit down and code; patches definitely
welcome.

-Dan
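
The reply above says the sync database records the presence of a signature and checksums. The following sketch reports which of those each entry carries; it is an added example, not part of the original message and not pacman code. It assumes the sync database `desc` layout of `%FIELD%` headers (`%PGPSIG%`, `%SHA256SUM%`, `%MD5SUM%`) followed by value lines; the function names and sample entries are constructed for illustration. It shows what data is available to check, not whether verification actually happened at install time.

```python
import re

# Strongest first; labels mirror the values suggested in the message above.
FIELDS = [("PGPSIG", "pgp"), ("SHA256SUM", "sha256"), ("MD5SUM", "md5")]

def parse_desc(text):
    """Parse one 'desc' entry: a %FIELD% header, its value lines, a blank line."""
    entry, field = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"%([A-Z0-9_]+)%", line)
        if header:
            field = header.group(1)
            entry[field] = []
        elif not line:
            field = None          # blank line ends the current field
        elif field:
            entry[field].append(line)
    return entry

def available_checks(entry):
    """Integrity data present in the entry, strongest first; ['none'] if empty."""
    found = [label for key, label in FIELDS if entry.get(key)]
    return found or ["none"]

def report(desc_texts):
    """Map package name -> available checks for several desc entries."""
    out = {}
    for text in desc_texts:
        entry = parse_desc(text)
        name = (entry.get("NAME") or ["<unnamed>"])[0]
        out[name] = available_checks(entry)
    return out

# Constructed sample entries (placeholder values, not real packages).
SIGNED = ("%NAME%\nsigned-pkg\n\n%MD5SUM%\n" + "0" * 32 +
          "\n\n%SHA256SUM%\n" + "0" * 64 + "\n\n%PGPSIG%\nQ09OU1RSVUNURUQ=\n")
MD5_ONLY = "%NAME%\nold-pkg\n\n%MD5SUM%\n" + "0" * 32 + "\n"
EMPTY_SIG = "%NAME%\nbad-pkg\n\n%PGPSIG%\n\n"   # header present, no value

if __name__ == "__main__":
    for name, checks in report([SIGNED, MD5_ONLY, EMPTY_SIG]).items():
        print(f"{name}: {','.join(checks)}")
```

An entry whose `%PGPSIG%` header is present but empty is reported as `none`, so a blank field is not mistaken for a signature.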
