It seems the Arch Linux repository isn't signed properly

[tengwar]

Some time ago you started signing your packages (kudos for that :) ), so the repo worked with SigLevel = Required TrustAll. It's not working anymore and I get the following error when trying to update from version 3.0.1-7 to 3.0.1-14:

:: Proceed with installation? [Y/n] (8/8) checking keys in keyring (8/8) checking package integrity error: megasync: missing required signature error: failed to commit transaction (invalid or corrupted package) Errors occurred, no packages were upgraded.

I really don't want to install unsigned packages, because that's a possible security hole. Can you please start signing the packages again?

[polmr]

Hi @tengwar, I'm afraid we have never signed the packages due to some technical reasons. Nothing has changed in that respect between 3.0.1-7 to 3.0.1-14. However we do sign the database of the repository. You can enforce checking that the repo db is signed with SigLevel = Optional DatabaseRequired TrustAll. Thus, you ensure the repo database is correctly signed, hence the database is trustworthy and in the end that the packages have not been tampered with.

[tengwar]

For some reason pacman has worked before with Required TrustAll. Weird.

So the database contains not only the package names and versions, but also their hashes? Then separate signing of packages really doesn't seem to be necessary if repo owner is the same entity that codes and builds the contents of the repo. Thanks for the explanation. :)