Description:

Stumbled upon this when trying to downgrade a package via ArchLinux Archive. When I called `pacman -U <url>` I got the error "package missing required signature". The package in question was already present in /var/cache/pacman/ (since it was installed previously) but signature wasn't. Apparently if pacman sees the package downloaded it proceeds to installation without checking if signature was downloaded as well.

Additional info:
* package version(s): Pacman v5.2.2 - libalpm v12.0.2

Steps to reproduce:

1. wget https://archive.archlinux.org/packages/p/python-openpyxl/python-openpyxl-3.0.5-3-any.pkg.tar.zst -O /var/cache/pacman/pkg/python-openpyxl-3.0.5-3-any.pkg.tar.zst # simulate a package being previously installed
2. rm -f /var/cache/pacman/pkg/python-openpyxl-3.0.5-3-any.pkg.tar.zst.sig # remove signature if it was present
3. pacman -U https://archive.archlinux.org/packages/p/python-openpyxl/python-openpyxl-3.0.5-3-any.pkg.tar.zst # try installing a package from url
4. Observe an error:
error: '/var/cache/pacman/pkg/python-openpyxl-3.0.5-3-any.pkg.tar.zst': package missing required signature