Thank you for the clarification. After reading Allan's blog post regarding keychain separation [1], I understand where my confusion was.

To reiterate what I've learned: The .sig file allows the user to download a built package and verify it outside of a database setting using `pacman -U`. The .sig files in the AUR are entirely different than those used by pacman, as they verify the source files, not the generated .tar.xz files. Furthermore, there should never be a .sig file for a .tar.xz resulting from `makepkg` since the generated binaries are system-independent.

Thank you all for your help.

[1] http://allanmcrae.com/2015/01/two-pgp-keyrings-for-package-management-in-arch-linux/

On Mon, May 29, 2017 at 2:23 PM, David Phillips <[email protected]> wrote:

> On Tue, May 30, 2017 at 09:17:28AM +1200, David Phillips wrote:
> > On Mon, May 29, 2017 at 10:37:02PM +0200, Bruno Pagani wrote:
> > >
> > > Just one thing: AFAIK, there are no .sig files in the AUR.
> > >
> >
> > Of course not; the AUR does not host any built packages.
> > Only built packages have .sig files.
> >
> > On the other hand, you can configure makepkg to sign the packages it builds
> > and this will generate a .sig file when you build a package locally.
> >
>
> Pardon me, I got the wrong end of the stick and thought you were replying
> to Allan, the tone of my message isn't what it should be.
>
> Thanks
>

--
-Brandon Milton
[email protected]
http://brandonio21.com
