debsigs(1) process signatures in .deb packages


debsigs --list|-l [-v] file [file...]

debsigs --sign=type [--default-key=keyID] [-v] file [file...]

debsigs --verify|--check|-c file [file...]

debsigs --delete=type file [file...]


debsigs is used to manipulate the cryptographic signatures stored inside a .deb file. It is not used to verify those signatures; for that purpose, see debsig-verify(1).


--list or -l or -t
Lists the signatures found in the specified file.
Creates a new signature of the type specified in the given file. The signature will be created using the default key for your GPG keyring. See ``SIGNATURE TYPES'' below for possible values of the "type" field.
Uses a key other than the default for signing the package.
--secret-keyring=file or -K file
Uses a keyring other than the default for signing the package. This option is passed along to GPG verbatim; see the discussion in the gpg(1) manpage for information on how to specify the keyring file.
Displays verbose output.
--verify or --check or -c
Invokes debsig-verify to check the validity of the signature on this package.
Deletes the signature of the specified type from the package.


A Debian package may carry different types of signatures. The most commonly-used ones are:
  • "origin"

    The official signature of the organization which distributes the package, usually the Debian Project or a GNU/Linux distribution derived from it. This signature may be added automatically.

  • "maint"

    The signature of the maintainer of the Debian package. This signature should be added by the maintainer before uploading the package.

  • "archive"

    An automatically-added signature renewed periodically to ensure that a package downloaded from an online archive is indeed the latest version distributed by the organization.

See the /usr/share/doc/debsigs/signing-policy.txt file for more information and rationale for the different signature types.


It would be nice to have a command-line option to change the command used for signing, instead of hard-coding ``gpg''.


John Goerzen <[email protected]>