This applies to almost all modern linux package managers.
PGP is typically used to sign a collection of hashes (and other metadata). PGP is generally only used at package install/build time, and the subsequently installed/generated manifest is used when you ask the package manager to verify the package.
PGP is typically used to sign a collection of hashes (and other metadata). PGP is generally only used at package install/build time, and the subsequently installed/generated manifest is used when you ask the package manager to verify the package.