Pacman does not allow installing package without `.sig` but Pamac does

I can install packages with pamac that have no .sig file in the Manjaro repo, and with pacman I can’t do it. I detected this after this update; I don’t know if this is old or is because of some update in this release.

Which package?

Someone on Telegram commented that he can’t install a package with pacman, it gives an error about a missing .sig, but with pamac he was able to do it. Then I tested deleting a .sig from my local repo (calc-2.13.0.1-2-x86_64.pkg.tar.zst.sig), and with pacman I can’t install calc, but with pamac it was possible to install it. I tried to file a bug in the development forum but I can’t do it (disabled post button). I posted here because my system is on the testing branch and the last update I installed is this one.


(Thread renamed and moved to #site-feedback.)

All packages in the official repo are signed.

Local packages can be installed without signature - this is the pacman defaults.

When you install a local package you are usually using `-U`, and when remote, `-S`.

Yes, that part I know, but I am talking about installing it from a repo, not a local installation. I deleted the .sig in the repo I am using to update and install packages, and using pacman (as pacman.conf doesn’t allow it) I can’t install, but pamac will install that package from the repo.

It sounds like you are using your own online repo - or something similar.

You have most likely seen this example in pacman.conf

```
# An example of a custom package repository.  See the pacman manpage for
# tips on creating your own repositories.
#[custom]
#SigLevel = Optional TrustAll
#Server = file:///home/custompkgs
```

In that case you have added the repo to pacman.conf - something like

```
[repo-name]
Server = http://someserver.tld/repo
```

Changing the section to

```
[repo-name]
Server = http://someserver.tld/repo
SigLevel = Optional TrustAll
```

will make your system's pacman install without complaints about missing signatures.
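As an added example (not part of the original post, and not pacman's or pamac's own code), this Python script resolves the package `SigLevel` that each repository section of a `pacman.conf` ends up with, so a repo configured to accept a package with no `.sig` stands out. The sample config is constructed, the built-in default is taken from pacman.conf(5), files named by `Include` are not followed, and the function names are hypothetical.

```python
# Added example: effective package SigLevel per repo. SAMPLE_CONF is constructed.
SAMPLE_CONF = """\
[options]
SigLevel = Required DatabaseOptional

[core]
Include = /etc/pacman.d/mirrorlist

[repo-name]
Server = http://someserver.tld/repo
SigLevel = Optional TrustAll
"""

BUILTIN_PACKAGE_LEVEL = "Optional"  # pacman.conf(5) default: Optional TrustedOnly
LEVELS = ("Never", "Optional", "Required")


def apply_siglevel(current, value):
    """Apply one SigLevel value to the current package check level."""
    for token in value.split():
        if token in LEVELS:  # unprefixed: applies to packages and databases
            current = token
        elif token.startswith("Package") and token[7:] in LEVELS:
            current = token[7:]  # package-only override
        # Database* and Trust* tokens leave the package check level alone
    return current


def package_siglevels(conf_text):
    """Map each repo section to Never, Optional or Required."""
    sections, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # comments only at line start
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            sections.setdefault(section, [])
        elif section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "SigLevel":
                sections[section].append(value)
    default = BUILTIN_PACKAGE_LEVEL
    for value in sections.pop("options", []):  # [options] sets the repo default
        default = apply_siglevel(default, value)
    return {r: apply_siglevel(default, " ".join(v)) for r, v in sections.items()}


def repos_accepting_unsigned(conf_text):
    """Repos where a package with no .sig would not be rejected."""
    return sorted(r for r, lvl in package_siglevels(conf_text).items() if lvl != "Required")
```

The result describes what the configuration asks for; whether a given front end honours it is the question this thread raises.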

So you’re saying pamac is skipping the signature check (at least when there is no .sig) although it’s enabled in the pacman.conf? :scream:

You can file a bug report here:

I am using a full mirror from mirror.alpix.eu::manjaro/ to a local server, using that as my repo for Manjaro systems (modifying /etc/pacman.d/mirrorlist to point to that local repo), and in that repo I deleted a .sig file. Now pacman will not install the package (I know that you can change that behavior in pacman.conf), but pamac will do it, and my fear is that this is a bug that will allow anyone to modify a package for whatever reason and pamac will not complain about it.

Yes, will try to do that, thanks.

Thank you for clearing up the why and how :slight_smile:

I see - I think that specific behaviour is undesired - and the best you can do is to file a report at gitlab.

I filed the report at pamac allow installation of a package from a repo without a .sig file. (#9) · Issues · Applications / libpamac · GitLab, thanks.
