man dpkg-sig (Commandes) - Debian package archive (.deb) signature generation and verification tool


dpkg-sig - Debian package archive (.deb) signature generation and verification tool


dpkg-sig [options] --sign sign-as [archive|changes]+

dpkg-sig [options] --verify [archive]+

dpkg-sig [options] --verify-role sign-as [archive]+

dpkg-sig [options] --verify-exact sign-as [archive]+

dpkg-sig [options] --list [archive]+

dpkg-sig [options] --get-hashes sign-as [archive|changes]+

dpkg-sig [options] --sign-hashes [hashes-archive]+

dpkg-sig [options] --write-signature [hashes-archive]+


dpkg-sig creates and verifys signatures on Debian archives (.deb-files).

Use more up-level tools to install and remove packages from your system, and to verify a signature as acceptable for your system.

An usage-example is at the end of this man page.


--sign, -s
Signs a standard-conforming debian archive. sign-as gives the name of the signature (usually builder for builder of the deb, ...). The signature is done with your default key, unless specified via any explicit or implicit option (see below). If one or more changes-files are given, the md5sums inside the the changes file are also updated. If a changes file was gpg-signed, the signature is removed during updating the md5sums.
--verify, -c; --verify-name; --verify-exact
Verifys a signature on the given archive file. --verify and -c just checks all signatures, --verify-role verifies all signatures with a given role, and --verify-exact wants the exact name of the archive member (without the leading _gpg). However, both commands accept also perl regular expressions as name. All verify variants output (in turn for each signature) either a line consisting of GOODSIG, role, gpg-fingerprint and signature time (in seconds since 1970-1-1 0:00:00 UTC), or BADSIG. Starting from version 0.12, dpkg-sig returns 2 if a bad signature was found when trying to verify. If an unknown key was used to sign a .deb, dpkg-sig returns 3.
--list, -l, -t
Lists all names inside the deb that look like a signature.
--get-hashes, --sign-hashes, --write-signature
--get-hashes creates an ar archive containing a control file part and files with the md5sums of all debs named in the .changes file(s) specified on the command-line/of the deb(s) specified on the command-line. Afther that, you can transfer this (small) file to another machine, for example an offline system containing your gpg keys (Yep, that's paranoid!). --sign-hashes signs this file containing the md5sum (in fact, it replaces the md5sum parts with their signatures). Now transfer the signed file back to the machine where you created the hashes and use --write-signature to add the signatures from the archive to the deb.


-m maintainer
Specify the maintainer name to be used for signing.
-e maintainer
Same as -m but takes precedence.
-k keyid
Specify the key ID to be used for signing; overrides any -e or -m option.
Get some more details.
Gurantees that the non-verbose output will not change. Use this if you want to parse the output.
The signature format changed between version 0.10 and 0.11. If you want to verify old signatures too, try this switch.
The signature format changed between version 0.2 and 0.3. If you want to verify old signatures too, try this switch.
--cache-passphrase, -p
Caches the gpg-passphrase inside dpkg-sig. This needs the suggested package libterm-readkey-perl. Be warned: Doing this is insecure, dpkg-sig doesn't protect the memory it uses to story the passphrase in.
--sign-changes, -a [ no | auto | yes | full | force_full ]
Tells whether also sign the changes and dsc-files. The default is auto, which means that the changes-file is re-signed if it was signed before. Defaults to yes if used without a value. The other values are no (don't sign changes, and remove an exisiting signature), yes (always add a signature to changes), full (always add a signature to changes, and sign also to the dsc-file if there was no previous signature; otherwise ask) and force_full (always add a signature to both changes and dsc).
--remote-dpkg-sig, -r path
Use this if you want to specify where dpkg-sig can find the dpkg-sig executable on the remote machine. This is useful if you're not able/allowed to install dpkg-sig as a deb. To do that, copy the script to something like ~/bin/dpkg-sig on the remote system. After that, you can call your local dpkg-sig with something like the follo wing to use the remote signing/verifying features: CWdpkg-sig --sign builder -r ~/bin/dpkg-sig ssh://user@host:~/some-deb_version_arch.changes
--remote-ssh-port, -o port
Port of the sshd on the remote host. Default value is 22.


These options should normally not be used, but are here for completeness. Be warned: Use them only if you really know what you do.

For debugging purposes, logs the whole communication between the local dpkg-sig and the remote client on the remote machine in /tmp/dpkg-sig.log. Use with care.
--gpgoptions, -g gpg options
Use this to pass arbitrary options to gpg whenever a file is signed. As this can lead to broken signatures, test your changes carefully.
--passphrase-file, -f passphrase file
Tells gpg to use the passphrase in file to sign. Be warned: Doing this is insecure, DON'T use this feature. However, in some cases (e.g. automatic signing on a buildd) this could be useful, and is still better than using a gpg-key without passphrase. You can gain at least some security by putting this file on a ramdisk, but it would be better to use a gpg-agent.


The two configuration files /etc/devscripts.conf and ~/.devscripts are sourced in that order to set configuration variables. Command line options can be used to override configuration file settings. Environment variable settings are ignored for this purpose. The currently recognised variables are:

This is the -m option.
This is the -k option, and DPKGSIG_KEYID has most precedence.
This is the --sign-changes option. Valid values are no, auto, yes, full and force_full.
This is the --cache-passphrase option. Set this to a true value to enable it.


The signatures created by dpkg-sig are added in a strict standard-conforming way to the archive file. The signature itself is done on a file consisting of the name of the signature in the first line, and the md5sums of the prior contents of the archive file, that means: Including any prior signatures. With this, it is possible to verify any signature by hand with just ar, md5sum and gpg. Doing the signing on the md5sum has the advantage that it is possible to do remote signatures without transfering the whole archive file.

Please see details at <> for the moment.


dpkg-sig can sign remote files without transfering the whole file to the local machine, or the key to the remote machine. Please specify the file with CWssh://[user@]machine:/path/to/file, and have also ssh and dpkg-sig installed on the remote machine.

Remote signing supports the usual filename globbing.

Remote signing was tested, but is at the moment considered a more experimental feature.


dpkg-sig should be able to also verify signatures done by older code. This will be added in a later version.

dpkg-sig assumes that any given archive is strictly standard-compatible. This is valid for archives created by dpkg-deb - but if you're not sure about a archive, verify this yourself, or live with the risk of a bad signature.

More documentation about the signature format should be added.

Deal better with expired etc. keys and signatures.

Better inclusion into the other tools like dpkg-buildpackage.

And of course: Still missing is testing, testing and testing dpkg-sig.


A typical usage is to sign packages before a (maintainer-)upload. This can be done with running dpkg-buildpackage and afterwards calling CWdpkg-sig --sign CIbuilderCW *.changes.

If you want to do all signing with dpkg-sig you could run CWdpkg-buildpackage -uc -us and afterwards call CWdpkg-sig --sign CIbuilderCW --sign-changes CIfullCW *.changes. If you do this, there is no need to call debsign any more, as dpkg-sig does all the signing for you.

If you don't want to type in your passphrase multiple times, then you could add the option --cache-passphrase.

The options --sign-changes and --cache-passphrase could be replaced with setting the variables DPKGSIG_SIGN_CHANGES respectivly DPKGSIG_CACHE_PASS (set the later one set to a true value) in ~/.devscripts.

The key-id is automatically set from /etc/devscripts.conf and ~/.devscripts, but could be overriden via command line, or a special variable there (see above).


deb(5), debsign(1), dpkg-deb(8), /usr/share/doc/dpkg-sig/


dpkg-sig and this manpage were written by Andreas Barth und Marc Brockschmidt. They are Copyright (C) 2003, 2004 by them and released under the GNU General Public Licence version 2 or later; there is NO WARRANTY. See /usr/share/doc/dpkg-sig/copyright and /usr/share/common-licenses/GPL for details. Some parts of this manpage are taken from debsign.