FS#69608 - pacman -U <url> fails if package is already in cache but signature isn't

Attached to Project: Pacman
Opened by Platon Pronko (Rogach) - Wednesday, 10 February 2021, 08:52 GMT
Last edited by Eli Schwartz (eschwartz) - Wednesday, 10 February 2021, 12:10 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

Stumbled upon this when trying to downgrade a package via the Arch Linux Archive. When I called `pacman -U <url>` I got the error "package missing required signature". The package in question was already present in /var/cache/pacman/ (since it was installed previously) but the signature wasn't. Apparently, if pacman sees the package downloaded, it proceeds to installation without checking whether the signature was downloaded as well.

Additional info:
* package version(s): Pacman v5.2.2 - libalpm v12.0.2

Steps to reproduce:

1. wget https://archive.archlinux.org/packages/p/python-openpyxl/python-openpyxl-3.0.5-3-any.pkg.tar.zst -O /var/cache/pacman/pkg/python-openpyxl-3.0.5-3-any.pkg.tar.zst # simulate a package being previously installed
2. rm -f /var/cache/pacman/pkg/python-openpyxl-3.0.5-3-any.pkg.tar.zst.sig # remove signature if it was present
3. pacman -U https://archive.archlinux.org/packages/p/python-openpyxl/python-openpyxl-3.0.5-3-any.pkg.tar.zst # try installing a package from url
4. Observe an error:
error: '/var/cache/pacman/pkg/python-openpyxl-3.0.5-3-any.pkg.tar.zst': package missing required signature

Closed by Eli Schwartz (eschwartz)
Wednesday, 10 February 2021, 12:10 GMT
Reason for closing: Duplicate
Additional comments about closing: FS#33992
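A check for the cache state described in this report, added here as an example and not taken from pacman or from the reporter: it classifies what the cache holds for a package URL and lists cached packages with no detached signature beside them. The function names are hypothetical, and it assumes the cached file name is the last path component of the URL, as in the reproduction steps.

```shell
#!/bin/sh
# Added example (not pacman code). Uses only filesystem tests; it does not
# verify signatures, it only reports whether a .sig file is present.
# Default cache path is the one shown in the report.
CACHE_DIR_DEFAULT=/var/cache/pacman/pkg

# cache_state URL [CACHEDIR]
# Prints one of: absent | complete | pkg-without-sig | sig-without-pkg
cache_state() {
    url=$1
    dir=${2:-$CACHE_DIR_DEFAULT}
    file=${url##*/}              # assumption: cache name = URL basename
    pkg=$dir/$file
    sig=$pkg.sig
    if [ -f "$pkg" ] && [ -s "$sig" ]; then
        echo complete
    elif [ -f "$pkg" ]; then
        # Package cached, signature missing or empty: the state that led to
        # "package missing required signature" in the report.
        echo pkg-without-sig
    elif [ -e "$sig" ]; then
        echo sig-without-pkg
    else
        echo absent
    fi
}

# list_unsigned [CACHEDIR]
# Prints the path of every cached package lacking a non-empty .sig file.
list_unsigned() {
    dir=${1:-$CACHE_DIR_DEFAULT}
    for pkg in "$dir"/*.pkg.tar.*; do
        [ -f "$pkg" ] || continue            # glob matched nothing
        case $pkg in *.sig) continue ;; esac # skip the signatures themselves
        [ -s "$pkg.sig" ] || printf '%s\n' "$pkg"
    done
}
```

Running `list_unsigned` before a `pacman -U <url>` downgrade shows which cached files would hit this error under the signature requirement the reporter had in effect.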
