https://bbs.archlinux.org/profile.php?id=114221
2018-12-02T12:06:42Z
https://bbs.archlinux.org/viewtopic.php?pid=1819658#p1819658
Signatures can exist on disk, if you created them yourself and signed the package as well. Or if you use pacman -U http://example.com/foo-1-1-any.pkg.tar.xz then pacman will first download the package to the cache, then download the signature to the cache, then check both and maybe install the package.
It's purely in the case of pacman -S where pacman will extract the sigfile directly from the database.

https://bbs.archlinux.org/profile.php?id=84187
2018-11-25T02:15:15Z
https://bbs.archlinux.org/viewtopic.php?pid=1818527#p1818527
They are stored in the database itself.

https://bbs.archlinux.org/profile.php?id=63385
2018-11-22T14:44:51Z
https://bbs.archlinux.org/viewtopic.php?pid=1818091#p1818091
I don't think the sig files are stored locally. Looking at the code (note: I am not a C programmer, so my interpretation may not be correct), I think they are downloaded to memory during the transaction, then removed afterwards. I think this has always been the case, as my cache dir (which I have used since 2011, and never cleaned) only has four .sig files (out of 26212 files), and I'm pretty sure these were special cases (where I downloaded the sig files manually or something).

https://bbs.archlinux.org/profile.php?id=38091
2018-11-22T14:21:11Z
https://bbs.archlinux.org/viewtopic.php?pid=1818084#p1818084
My /var/cache/pacman/pkg used to contain .sig files I thought, but now it just has .pkg.tar.xz files. Where does pacman store the .sig files for each package it gets from the repo?

https://bbs.archlinux.org/profile.php?id=114221
2018-11-22T12:38:51Z
https://bbs.archlinux.org/viewtopic.php?pid=1818072#p1818072