[pacman-dev] %PGPSIG% vs .sig
Allan McRae
allan at archlinux.org
Mon May 29 06:00:24 UTC 2017
On 29/05/17 15:31, Brandon Milton wrote:
> Hello all,
>
> This is my first post to the mailing list, so please feel free to correct
> me if I'm in the wrong place.
>
> While exploring the pacman mirror layout (i.e. what is hosted by mirrors), I
> noticed that for each package, there are two copies of the same signature:
> one in %PGPSIG% in the desc file of the database and one in the
> {package}-{version}.pkg.tar.gz.sig file.
>
>
> I understand that for the AUR, the .sig file is necessary given that there
> is no official database. However, is there any reasoning behind having two
> copies of the signature for official repositories? To me, this simply seems
> like extra cruft that mirrors have to carry around.
>
pacman -U http://....
will download a signature file for the package if one is present.
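
An added example, not part of the original thread or of pacman's own code: a consistency check between the two signature copies discussed above. It assumes %PGPSIG% holds the base64 encoding of the detached .sig bytes; the function names, package name and signature bytes are constructed for illustration.

```python
import base64

def parse_desc(text):
    """Parse a sync-database desc entry into {FIELD: [value lines]}."""
    fields, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None                      # blank line ends a field
        elif current is None and len(line) > 2 and line[0] == line[-1] == "%":
            current = line[1:-1]                # header such as %PGPSIG%
            fields.setdefault(current, [])
        elif current is not None:
            fields[current].append(line)
    return fields

def compare_signatures(desc_text, sig_bytes):
    """Compare the database copy of a signature with the .sig file copy.

    This only checks that both copies are byte-identical; it does not
    verify the signature against the package or any keyring.
    """
    fields = parse_desc(desc_text)
    filename = (fields.get("FILENAME") or [None])[0]
    encoded = "".join(fields.get("PGPSIG", []))
    if not encoded:
        return {"filename": filename, "status": "no-pgpsig"}
    try:
        db_sig = base64.b64decode(encoded, validate=True)
    except ValueError:                          # binascii.Error is a ValueError
        return {"filename": filename, "status": "invalid-base64"}
    status = "match" if db_sig == sig_bytes else "mismatch"
    return {"filename": filename, "status": status}

# Constructed sample input: placeholder bytes, not a real OpenPGP signature.
SAMPLE_SIG = bytes(range(32))
SAMPLE_DESC = (
    "%FILENAME%\nexample-1.0-1-any.pkg.tar.gz\n\n"
    "%NAME%\nexample\n\n"
    "%PGPSIG%\n" + base64.b64encode(SAMPLE_SIG).decode() + "\n\n"
)

if __name__ == "__main__":
    print(compare_signatures(SAMPLE_DESC, SAMPLE_SIG))
    print(compare_signatures(SAMPLE_DESC, SAMPLE_SIG + b"\x00"))
```

A mismatch or a missing %PGPSIG% entry is a reason to inspect the mirror's copy of that package before trusting either signature.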