[pacman-dev] %PGPSIG% vs .sig

Brandon Milton brandon.milton21 at gmail.com
Mon May 29 05:31:46 UTC 2017

Hello all,

This is my first post to the mailing list, so please feel free to correct
me if I'm in the wrong place.

While exploring the pacman mirror layout (i.e. what is hosted by mirrors), I
noticed that for each package, there are two copies of the same signature:
one in %PGPSIG% in the desc file of the database and one in the
{package}-{version}.pkg.tar.gz.sig file.

I understand that for the AUR, the .sig file is necessary given that there
is no official database. However, is there any reasoning behind having two
copies of the signature for official repositories? To me, this simply seems
like extra cruft that mirrors have to carry around.
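As an added illustration of the two copies the post describes (example code written here, not from the post or from pacman itself), the following script parses the `%KEY%` / value layout of a sync-database desc entry and checks that its `%PGPSIG%` field, which stores the detached signature base64-encoded, decodes to exactly the bytes of the companion `.sig` file. The desc text and the signature bytes are constructed stand-ins (the bytes are not a real OpenPGP packet); cryptographic verification of either copy still needs gpg or a PGP library.

```python
import base64
from typing import Dict, List

# Constructed stand-in for a detached signature (not a real OpenPGP packet).
SAMPLE_SIG = bytes([0x89, 0x01, 0x1C, 0x04, 0x00, 0x01]) + b"constructed-signature-body"

# Constructed desc entry in the pacman sync-db layout: a %KEY% line followed
# by its value lines, entries separated by blank lines. %PGPSIG% carries the
# same detached signature as the .sig file, base64-encoded.
SAMPLE_DESC = (
    "%FILENAME%\nfoo-1.0-1-x86_64.pkg.tar.zst\n\n"
    "%NAME%\nfoo\n\n"
    "%VERSION%\n1.0-1\n\n"
    "%PGPSIG%\n" + base64.b64encode(SAMPLE_SIG).decode() + "\n\n"
)


def parse_desc(text: str) -> Dict[str, List[str]]:
    """Parse a desc file into {KEY: [value lines]}."""
    fields: Dict[str, List[str]] = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            key = None  # blank line ends the current entry
            continue
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            key = line[1:-1]
            fields.setdefault(key, [])
        elif key is not None:
            fields[key].append(line)
    return fields


def pgpsig_matches_sig_file(desc_text: str, sig_bytes: bytes) -> bool:
    """True when the database's %PGPSIG% decodes to exactly the .sig bytes."""
    values = parse_desc(desc_text).get("PGPSIG", [])
    if len(values) != 1:
        return False  # missing or malformed field: treat as a mismatch
    try:
        decoded = base64.b64decode(values[0], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return decoded == sig_bytes


if __name__ == "__main__":
    print("db copy matches .sig:", pgpsig_matches_sig_file(SAMPLE_DESC, SAMPLE_SIG))
```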


