Hi,
Are packages/databases in the Archlinux ARM repositories usually signed? I'm running Archlinux ARM on a Raspberry Pi.
I believe that I have gone through the necessary steps to enable signature checking on packages (pacman-key --init, pacman-key --populate archlinux), and have set
    SigLevel = Required DatabaseOptional TrustedOnly
in pacman.conf (I have not set individual SigLevel for different repositories).
Whenever I try to update or install new packages with pacman with the above SigLevel, the databases are updated fine and packages download, but refuse to install due to missing signatures, giving errors like
    error: mpfr: missing required signature
    :: File /var/cache/pacman/pkg/mpfr-3.1.2-1-armv6h.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
    Do you want to delete it? [Y/n]
To enable me to update and install packages I have set the SigLevel back to
    SigLevel = Optional TrustedOnly
which no longer requires packages to be signed, only that packages that are signed are signed correctly.
It looks like the packages in the Archlinux ARM repositories are not signed, but it is also possible that there is something wrong with my signature checking setup. I'd appreciate it if someone could let me know if the packages/databases are signed.
Thanks.
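
Added example, not part of the original post: one way to tell a repository that ships no signatures apart from a broken local keyring is to look in the sync database itself, where each package's `desc` entry carries a `%PGPSIG%` field when a signature is published. The sample database below is constructed for illustration and is not taken from a real repository; `signature_report`, `parse_desc` and `build_sample_db` are names made up for this sketch.

```python
import io
import tarfile

def parse_desc(text):
    """Parse a pacman sync-db 'desc' entry into {FIELD: [values]}."""
    fields, current = {}, None
    for line in text.splitlines():
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            current = line.strip("%")
            fields[current] = []
        elif line and current is not None:
            fields[current].append(line)
    return fields

def signature_report(db_fileobj):
    """Return {"name-version": has_pgpsig} for every entry in a sync db."""
    report = {}
    with tarfile.open(fileobj=db_fileobj, mode="r:*") as tar:
        for member in tar:
            if not (member.isfile() and member.name.endswith("/desc")):
                continue
            raw = tar.extractfile(member).read()
            fields = parse_desc(raw.decode("utf-8", "replace"))
            name = fields.get("NAME", ["?"])[0]
            version = fields.get("VERSION", ["?"])[0]
            # An absent or empty %PGPSIG% means no signature is published.
            report[f"{name}-{version}"] = bool(fields.get("PGPSIG"))
    return report

def build_sample_db():
    """Constructed two-entry database: one without and one with %PGPSIG%."""
    entries = {
        "mpfr-3.1.2-1/desc":
            "%NAME%\nmpfr\n\n%VERSION%\n3.1.2-1\n",
        "example-signed-1.0-1/desc":
            "%NAME%\nexample-signed\n\n%VERSION%\n1.0-1\n\n"
            "%PGPSIG%\nQ09OU1RSVUNURUQ=\n",  # placeholder, not a real signature
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, body in entries.items():
            data = body.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for pkg, signed in sorted(signature_report(build_sample_db()).items()):
        print(f"{pkg}: {'signed' if signed else 'NO SIGNATURE'}")
```

To check a real system, open a database such as `/var/lib/pacman/sync/core.db` in binary mode and pass the file object to `signature_report`. If no entry has a `%PGPSIG%` field, `SigLevel = Required` will reject every package from that repository regardless of the keyring state.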