[pacman-dev] %PGPSIG% vs .sig

Brandon Milton brandon.milton21 at gmail.com
Mon May 29 21:33:29 UTC 2017


Thank you for the clarification. After reading Allan's blog post regarding
keychain separation [1], I understand where my confusion was.

To reiterate what I've learned:

The .sig file allows the user to download a built package and verify it
outside of a database setting using `pacman -U`.

The .sig files in the AUR are entirely different from those used by pacman,
as they verify the source files, not the generated .tar.xz files.
Furthermore, there should never be a .sig file for a .tar.xz resulting from
`makepkg` since the generated binaries are system-independent.

Thank you all for your help.

[1]
http://allanmcrae.com/2015/01/two-pgp-keyrings-for-package-management-in-arch-linux/

On Mon, May 29, 2017 at 2:23 PM, David Phillips <david at sighup.nz> wrote:

> On Tue, May 30, 2017 at 09:17:28AM +1200, David Phillips wrote:
> > On Mon, May 29, 2017 at 10:37:02PM +0200, Bruno Pagani wrote:
> > >
> > > Just one thing: AFAIK, there are no .sig files in the AUR.
> > >
> >
> > Of course not; the AUR does not host any built packages.
> > Only built packages have .sig files.
> >
> > On the other hand, you can configure makepkg to sign the packages it builds
> > and this will generate a .sig file when you build a package locally.
> >
>
> Pardon me, I got the wrong end of the stick and thought you were replying
> to Allan, the tone of my message isn't what it should be.
>
> Thanks
>



-- 
-Brandon Milton
brandon.milton21 at gmail.com
http://brandonio21.com
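The thread's subject contrasts the two places pacman looks for a package signature: the detached .sig file next to the package, which `pacman -U` checks, and the %PGPSIG% entry that repo-add writes into the repository database from that same .sig file, which pacman checks for packages downloaded from a repo. The following is an added example, not pacman or repo-add code; it reproduces that relationship with Python's standard library so the round trip can be seen end to end. The package filename, package name and the signature bytes are constructed placeholders (a real .sig is the binary output of `gpg --detach-sign`), and the desc file carries only the fields the example needs.

```python
"""Round-trip a package's detached signature between the two places pacman
looks for it: the .sig file beside the package (checked by `pacman -U`) and
the %PGPSIG% entry in the repository database (checked for repo downloads).

Added example; not pacman or repo-add code. The signature bytes below are a
constructed placeholder, not a real OpenPGP signature.
"""
import base64
import io
import tarfile

# Constructed stand-in for the binary output of `gpg --detach-sign pkg.tar.xz`.
# Any byte string round-trips the same way; pacman never inspects it here,
# it hands the bytes to gpgme for verification.
SAMPLE_SIG = bytes([0x89, 0x01, 0x33, 0x04, 0x00, 0x01]) + bytes(range(40))
PKGFILE = "example-1.0-1-x86_64.pkg.tar.xz"  # hypothetical package filename


def pgpsig_entry(sig: bytes) -> str:
    """Format the desc entry repo-add writes from <pkgfile>.sig:
    the raw detached signature, base64-encoded on a single line."""
    return "%PGPSIG%\n" + base64.b64encode(sig).decode("ascii") + "\n"


def build_desc(filename: str, name: str, version: str, sig: bytes) -> str:
    """Minimal desc file in the repo-add layout: a %KEY% header, value
    lines, and a blank line between entries. Only the fields needed here."""
    entries = [
        ("FILENAME", filename),
        ("NAME", name),
        ("VERSION", version),
    ]
    text = "".join(f"%{k}%\n{v}\n\n" for k, v in entries)
    return text + pgpsig_entry(sig)


def parse_desc(text: str) -> dict:
    """Parse a desc file into {KEY: [values]}; entries are blank-line separated."""
    result = {}
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if not lines or not (lines[0].startswith("%") and lines[0].endswith("%")):
            continue
        result[lines[0].strip("%")] = lines[1:]
    return result


def build_db(name: str, version: str, desc: str) -> bytes:
    """Pack the desc into an in-memory repo.db.tar.gz using the
    <name>-<version>/desc layout pacman expects."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = desc.encode()
        info = tarfile.TarInfo(f"{name}-{version}/desc")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sig_from_db(db: bytes, name: str, version: str) -> bytes:
    """Read the db as pacman does for a repo download: take %PGPSIG% from the
    package's desc and base64-decode it back to the signature bytes."""
    with tarfile.open(fileobj=io.BytesIO(db), mode="r:gz") as tar:
        desc = tar.extractfile(f"{name}-{version}/desc").read().decode()
    fields = parse_desc(desc)
    if "PGPSIG" not in fields:
        # Without %PGPSIG% pacman falls back to fetching <pkgfile>.sig from the mirror.
        raise KeyError("desc has no %PGPSIG% entry")
    return base64.b64decode("".join(fields["PGPSIG"]))


def roundtrip(sig: bytes = SAMPLE_SIG) -> bool:
    """True when the signature recovered from %PGPSIG% is byte-identical to
    what the .sig file beside the package would contain."""
    desc = build_desc(PKGFILE, "example", "1.0-1", sig)
    db = build_db("example", "1.0-1", desc)
    return sig_from_db(db, "example", "1.0-1") == sig


if __name__ == "__main__":
    print("%PGPSIG% matches .sig:", roundtrip())
```

The point the round trip makes is that the database does not hold a different signature, only a base64 copy of the same detached signature; what differs is which one pacman reads, the .sig file for `pacman -U <file>` and the %PGPSIG% entry for a repo download.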

