dpkg-sig - Debian package archive (.deb) signature generation and verification
dpkg-sig [options] --sign role
dpkg-sig [options] --verify [archive]
dpkg-sig [options] --verify-role role
dpkg-sig [options] --verify-exact member
dpkg-sig [options] --list [archive]
dpkg-sig [options] --get-hashes role
dpkg-sig [options] --sign-hashes [hashes-archive]
dpkg-sig [options] --write-signature
creates and verifies signatures on Debian archives (.deb-files).
Use higher-level tools to install and remove packages from your system, and to
verify a signature as acceptable for your system.
A usage example can be found at the end of this man page.
- --sign, -s role
- Signs a standard-conforming Debian archive. role
gives the name of the signature (usually 'builder' for the builder of the
.deb). The signature is made using your default key, unless specified via
any explicit or implicit option (see below).
If one or more .changes-files are given, the md5sums inside the .changes
file(s) are also updated.
If a .changes file was gpg-signed, the signature is removed when updating
- --verify, -c; --verify-role;
- Verifies a signature on the given archive file.
--verify and -c just check all signatures;
--verify-role verifies all signatures with a given role, and
--verify-exact wants the exact name of the archive member (without
the leading _gpg). However, both commands also accept perl regular
expressions as the name.
All verify variants output (in turn for each signature) either a line
consisting of GOODSIG, role, gpg-fingerprint and signature time (in
seconds since 1970-1-1 0:00:00 UTC), or BADSIG.
Starting from version 0.12, dpkg-sig returns 2 if a bad signature was
found when trying to verify. If an unknown key was used to sign a .deb,
dpkg-sig returns 3.
- --list, -l, -t
- Lists all names inside the deb that look like a
- --get-hashes, --sign-hashes,
- --get-hashes creates an ar(1) archive
containing a control file part and files with the digests of all the .debs
specified on the command-line or named in the .changes file(s) specified
on the command-line.
After that, you can transfer this (small) file to another machine, for
example an offline system containing your gpg keys. (Yep, that's
--sign-hashes then signs this file containing the digests (in fact,
it replaces the digests parts with their signatures).
Now transfer the signed file back to the machine where you created the
hashes and use --write-signature to add the signatures from the
archive to the deb.
- -m maintainer
- Specify the maintainer name to be used for signing.
- -e maintainer
- Same as -m but takes precedence.
- -k keyid
- Specify the key ID to be used for signing; overrides any
-e or -m option.
- Get some more details.
- Gurantees that the non-verbose output will not change. Use
this if you want to parse the output.
- The signature format changed between version 0.10 and 0.11.
If you want to verify old signatures too, try this switch.
- The signature format changed between version 0.2 and 0.3.
If you want to verify old signatures too, try this switch.
- --cache-passphrase, -p
- Caches the gpg-passphrase inside dpkg-sig. This
needs the suggested package "libterm-readkey-perl".
Be warned: Doing this is insecure, dpkg-sig doesn't protect the
memory it uses to store the passphrase.
- --sign-changes, -a [ no | auto | yes | full |
- Tells whether also sign the .changes and .dsc-files. The
default is auto, which means that the .changes-file is re-signed if
it was signed before.
The other values are no (don't sign .changes, and remove an existing
signature), yes (always add a signature to .changes), full
(always add a signature to .changes, and also sign the .dsc-file if there
was no previous signature; otherwise ask) and force_full (always
add a signature to both the .changes and .dsc files).
- --remote-dpkg-sig, -r path
- Use this if you want to specify where dpkg-sig can
find the dpkg-sig executable on the remote machine.
This is useful if you're not able/allowed to install dpkg-sig as a
.deb. To do that, copy the script to something like ~/bin/dpkg-sig
on the remote system. After that, you can call your local dpkg-sig
with something like the following to use the remote signing/verifying
"dpkg-sig --sign builder -r ~/bin/dpkg-sig
- --remote-ssh-port, -o port
- Port of the sshd on the remote host. Default value
These options should normally not be used, but are here for completeness. Be
warned: Use them only if you really know what you are doing.
- --gpgoptions, -g gpg options
- Use this to pass arbitrary options to gpg(1)
whenever a file is signed. As this can lead to broken signatures, test
your changes carefully.
- --passphrase-file, -f passphrase
- Tells gpg to use the passphrase in file to sign.
Be warned: Doing this is insecure, DON'T use this feature. However, in some
cases (e.g. automatic signing on a buildd) this could be useful, and is
still better than using a gpg-key without passphrase. You can gain at
least some security by putting this file on a ramdisk, but it would be
better to use gpg-agent(1).
The two configuration files /etc/devscripts.conf
are sourced in that order to set configuration variables. Command line options
can be used to override configuration file settings. Environment variable
settings are ignored for this purpose. The currently recognised variables are:
- This is the -m option.
- DEBSIGN_KEYID, DPKGSIG_KEYID
- This is the -k option, and DPKGSIG_KEYID has
- This is the --sign-changes option. Valid values are
no, auto, yes, full and
- This is the --cache-passphrase option. Set this to a
true value to enable it.
The signatures created by dpkg-sig
are added in a strict
standard-conforming way to the .deb archive file. The signature itself is made
on a file formatted like a Debian control file. The fields of this file are:
Version, specifying a dpkg-sig
file version number; Signer, giving the
name of the signer; Date and Role, and finally Files, which gives the digests
of the prior contents of the .deb archive file. Note that this includes any
prior signatures made by dpkg-sig
. Thus it is possible to verify any
signature by hand with just ar
(1). Signing a list of digests has the advantage that it is
possible to perform remote signatures without transferring the whole archive
file. This does require one to trust the remote machine, though!
can sign remote files using ssh
(1) without transferring
the whole file to the local machine, or the key to the remote machine. Simply
specify the file with "ssh://[user@]machine:/path/to/file", and have
installed on the remote machine. (See also the
Remote signing supports the usual filename globbing.
Remote signing has been tested, but is at the moment considered a more
should be able to also verify signatures made by older code.
This may be added in a later version.
assumes that any given archive is strictly standard-compatible.
This is valid for archives created by dpkg-deb
- but if you're not sure
about a archive, verify this yourself, or live with the risk of a bad
More documentation about the signature format should be added.
Deal better with expired etc. keys and signatures.
Better inclusion into the other tools like dpkg-buildpackage
And of course: Still missing is testing, testing and testing dpkg-sig
A typical use is to sign packages before a (maintainer-)upload. This can be done
by running dpkg-buildpackage
and afterwards calling "dpkg-sig
--sign builder *.changes".
If you want to do all signing with dpkg-sig
you could run
"dpkg-buildpackage -uc -us" and afterwards call "dpkg-sig
--sign builder --sign-changes full *.changes". If you do this, there is
no need to call debsign
any more, as dpkg-sig
does all the
signing for you.
If you don't want to type in your passphrase multiple times, then you could add
the option --cache-passphrase
The options --sign-changes
replaced with setting the variables DPKGSIG_SIGN_CHANGES
(set the later one set to a true value) in
The key-id is automatically set from /etc/devscripts.conf
, but could be overridden via the -m
command line options (see above).
and this manpage were written by Andreas Barth and Marc
Brockschmidt. They are Copyright (C) 2003-2006 by them and released under the
GNU General Public Licence version 2 or later; there is NO WARRANTY. See
for details. Some parts of this manpage
are taken from debsign.