[pacman-dev] %PGPSIG% vs .sig

David Phillips david at sighup.nz
Mon May 29 21:42:53 UTC 2017

On Mon, May 29, 2017 at 02:33:29PM -0700, Brandon Milton wrote:
> Thank you for the clarification. After reading Allan's blog post regarding
> keychain separation [1], I understand where my confusion was.
> To reiterate what I've learned:
> The .sig file allows the user to download a built package and verify it
> outside of a database setting using `pacman -U`.

That is correct.

> The .sig files in the AUR are entirely different than those used by pacman,
> as they verify the source files, not the generated .tar.xz files.

Yes. They are the same type of file, and will be generated in much the same
way, but the domains in which they are used are separate, like you say.

> Furthermore, there should never be a .sig file for a .tar.xz resulting from
> `makepkg` since the generated binaries are system-independent.

I would not say that this is correct. makepkg can help you to generate
.sig files for the .pkg.tar.xz built packages that it outputs. However, this
is rarely done for AUR packages unless the builder is distributing the
package in binary form, for example, to put on an Unofficial User Repository
hosting package binaries.

> Thank you all for your help.
> [1]
> http://allanmcrae.com/2015/01/two-pgp-keyrings-for-package-management-in-arch-linux/
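To make the "%PGPSIG% vs .sig" distinction from the subject line concrete, here is an added example (not code from the thread, pacman or makepkg) that shows how the two relate: the detached .sig file next to a .pkg.tar.xz holds the raw OpenPGP signature, while repo-add copies those same bytes, base64-encoded, into the %PGPSIG% stanza of the package's desc entry in the sync database. The code builds such a stanza, parses a desc entry back, and checks that the database-embedded signature and the standalone .sig file agree. The signature bytes and the desc entry are constructed placeholders, not a real signature or a real repository record; the function names are assumptions of this example.

```python
"""Relate a package's detached .sig file to the %PGPSIG% field of a
pacman sync-db desc entry (added example, not pacman's own code)."""
from __future__ import annotations

import base64
from typing import Dict, List, Optional

# Constructed stand-in for the contents of foo.pkg.tar.xz.sig.
# Real files hold a binary OpenPGP detached signature; these bytes are not one.
SAMPLE_SIG = b"\x89\x01\x33\x04\x00\x01\x08\x00" + b"constructed-not-a-real-signature"

# Constructed desc entry in the layout repo-add writes: %KEY% headers, one or
# more value lines, stanzas separated by blank lines.
SAMPLE_DESC = (
    "%FILENAME%\n"
    "hello-1.0-1-x86_64.pkg.tar.xz\n"
    "\n"
    "%NAME%\n"
    "hello\n"
    "\n"
    "%VERSION%\n"
    "1.0-1\n"
    "\n"
    "%PGPSIG%\n"
    + base64.b64encode(SAMPLE_SIG).decode("ascii") + "\n"
)


def sig_to_pgpsig_stanza(sig_bytes: bytes) -> str:
    """Build the %PGPSIG% stanza for a desc entry from the raw .sig bytes."""
    return "%PGPSIG%\n" + base64.b64encode(sig_bytes).decode("ascii") + "\n"


def parse_desc(desc: str) -> Dict[str, List[str]]:
    """Parse a desc entry into {KEY: [value lines]}.

    A header is a line of the form %KEY%; values follow until a blank line.
    """
    fields: Dict[str, List[str]] = {}
    key: Optional[str] = None
    for line in desc.splitlines():
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            key = line[1:-1]
            fields[key] = []
        elif line.strip() == "":
            key = None
        elif key is not None:
            fields[key].append(line)
    return fields


def pgpsig_from_desc(desc: str) -> Optional[bytes]:
    """Return the raw signature embedded in %PGPSIG%, or None if absent."""
    values = parse_desc(desc).get("PGPSIG")
    if not values:
        return None
    # repo-add writes the base64 on one line; joining tolerates wrapped copies.
    return base64.b64decode("".join(values), validate=True)


def db_sig_matches_file(desc: str, sig_bytes: bytes) -> bool:
    """True when the database-embedded signature equals the .sig file's bytes.

    This only checks the two copies are identical; verifying the signature
    itself against a keyring is gpg's job (pacman does it via gpgme).
    """
    embedded = pgpsig_from_desc(desc)
    return embedded is not None and embedded == sig_bytes


if __name__ == "__main__":
    print(sig_to_pgpsig_stanza(SAMPLE_SIG), end="")
    print("db and .sig agree:", db_sig_matches_file(SAMPLE_DESC, SAMPLE_SIG))
```

The practical upshot: a package installed from a repository has its signature checked from the database's %PGPSIG% field, so no .sig file needs to travel with the package, whereas `pacman -U file.pkg.tar.xz` has no database to consult and therefore looks for `file.pkg.tar.xz.sig` beside the package.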
