[pacman-dev] %PGPSIG% vs .sig

Allan McRae allan at archlinux.org
Mon May 29 06:00:24 UTC 2017

On 29/05/17 15:31, Brandon Milton wrote:
> Hello all,
> This is my first post to the mailing list, so please feel free to correct
> me if I'm in the wrong place.
> While exploring the pacman mirror layout (i.e. what is hosted by mirrors), I
> noticed that for each package, there are two copies of the same signature:
> one in %PGPSIG% in the desc file of the database and one in the
> {package}-{version}.pkg.tar.gz.sig file.
> I understand that for the AUR, the .sig file is necessary given that there
> is no official database. However, is there any reasoning behind having two
> copies of the signature for official repositories? To me, this simply seems
> like extra cruft that mirrors have to carry around.

pacman -U http://....

will download a signature file for the package if one is present.
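A consistency check between the two signature copies discussed in this thread, as an added example that is not part of the original messages and is not pacman's own code. It assumes the desc layout of `%FIELD%` header lines followed by value lines and a blank line, with `%PGPSIG%` holding the base64 of the detached signature; the function names and sample data are constructed for illustration.

```python
import base64

def parse_desc(text):
    """Parse a repo-database desc entry into {FIELD: [value lines]}."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None                      # blank line closes a field
        elif current is None and len(line) > 2 and line[0] == "%" == line[-1]:
            current = line[1:-1]
            fields.setdefault(current, [])
        elif current is not None:
            fields[current].append(line)
    return fields

def compare_signatures(desc_text, sig_bytes):
    """Compare the %PGPSIG% copy with the bytes of the detached .sig file.

    Returns "match", "mismatch", "missing" or "malformed". This only checks
    that a mirror serves two identical copies; it does not verify the
    signature against any key.
    """
    values = parse_desc(desc_text).get("PGPSIG")
    if not values:
        return "missing"
    try:
        embedded = base64.b64decode("".join(values), validate=True)
    except ValueError:                          # binascii.Error is a ValueError
        return "malformed"
    return "match" if embedded == sig_bytes else "mismatch"

# Constructed sample data: not a real OpenPGP signature or a real package.
SAMPLE_SIG = b"\x89\x02\x33\x04\x00" + b"constructed-placeholder-signature"
SAMPLE_DESC = (
    "%FILENAME%\nexample-1.0-1-x86_64.pkg.tar.gz\n\n"
    "%NAME%\nexample\n\n"
    "%PGPSIG%\n" + base64.b64encode(SAMPLE_SIG).decode("ascii") + "\n\n"
)

if __name__ == "__main__":
    print(compare_signatures(SAMPLE_DESC, SAMPLE_SIG))            # copies agree
    print(compare_signatures(SAMPLE_DESC, SAMPLE_SIG + b"\x00"))  # copies differ
```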
