6

In rpm-based systems, we can easily see if there is a signature associated with an rpm file:

rpm -qpi <rpm-file.rpm> | grep -i signature

For .deb files, we can see the package information, but it doesn't include any information about whether a signature is associated or not:

dpkg-deb -I uma-18feb-latest.deb

Is there a way in Ubuntu to see the signature without using the following command which actually verifies the signature?

dpkg-sig --verify <deb-file.deb>
terdon
  • 242,166

2 Answers

7
dpkg-sig --list <deb-file.deb>

will list any items in the file which look like a signature, without verifying the file. This will list the role of any signature in the file; e.g.

$ dpkg-sig -l vuescan_9.7.50-1_amd64.deb
Processing vuescan_9.7.50-1_amd64.deb...
builder
$ dpkg-sig -l zstd_1.4.8+dfsg-2.1_i386.deb
Processing zstd_1.4.8+dfsg-2.1_i386.deb...
$

The first file has a signature with the “builder” role; the second file isn’t signed.

Note that it’s unusual for individual .deb files to be signed (unlike RPMs). Debian packages’ authenticity relies on the repository’s authenticity; see How is the authenticity of Debian packages guaranteed?

Stephen Kitt
  • 434,908
  • This helped me to check if there is a signature associated with the .deb file. To verify "$?" equals 0 when there is no signature. – Sourav Bhattacharjee Mar 09 '21 at 06:26
  • Is there a way to verify if the package contains a signature in vanilla Ubuntu without installing anything like dpkg-sig ? Basically where the user does not have sudo permission and can't install anything. – Sourav Bhattacharjee Mar 20 '21 at 17:44
  • Yes, ar -x package.deb will list the files in raw archive, and signed packages will have files starting with _gpg. – Stephen Kitt Apr 01 '21 at 15:21
  • 1
    I'd recommend against dpkg-sig, which is not part of the dpkg tool suite, nor supported by it. The ones supported by dpkg are debsigs and debsig-verify. But those still need to get modified to use a different signature layout so that such signed packages could get accepted in the Debian archive (where they are currently being rejected). See https://wiki.debian.org/Teams/Dpkg/Spec/DebSignatures for a draft. – Guillem Jover Aug 01 '21 at 22:59
0

While it is true that for .deb packages the entire repository should be signed, i.e. the Release.gpg file, individual packages can be signed too:

for i in *.deb; do
    # print the _gpgbuilder ar member (if the package has one) and show who signed it;
    # ar exits non-zero and prints nothing for unsigned packages, so stderr is discarded
    ar -p "$i" _gpgbuilder 2>/dev/null | grep "^Signer"
done
shiftF5
  • 21
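Added example (not code from the question, either answer or the comments): both `dpkg-sig --list` in the first answer and the `ar -p ... _gpgbuilder` loop in the second rely on the fact that a .deb is an ordinary `ar` archive and that dpkg-sig stores each signature as an extra member named `_gpg<role>`. The script below parses that container directly with the Python standard library, so it answers the follow-up question in the comments (no dpkg-sig, no binutils, no root) and shows what is actually being listed. It reports the roles present and the `Signer:`/`Date:`/`Role:` headers of each signature member, and verifies nothing. The sample archives, the placeholder control/data members and the PGP block are all constructed inline; the block is not a real signature, and the exact header set dpkg-sig writes is an assumption taken from the `grep "^Signer"` in the answer above.

```python
"""Added example: list dpkg-sig signature members in a .deb without verifying.

A .deb is a plain `ar` archive; dpkg-sig appends one member per signature,
named `_gpg<role>`, holding a clearsigned text block.  Only the stdlib is used.
"""
import re
import sys

AR_MAGIC = b"!<arch>\n"
HEADER_LEN = 60          # fixed-size ar member header
SIG_PREFIX = "_gpg"      # dpkg-sig member naming convention: _gpg<role>


def ar_members(data: bytes):
    """Yield (name, payload) for every member of an ar archive, in order."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive (bad magic)")
    pos = len(AR_MAGIC)
    while pos + HEADER_LEN <= len(data):
        hdr = data[pos:pos + HEADER_LEN]
        if hdr[58:60] != b"`\n":
            raise ValueError(f"corrupt member header at offset {pos}")
        name = hdr[0:16].decode("ascii").rstrip()
        if name.endswith("/"):           # GNU ar writes "name/", dpkg-deb writes "name"
            name = name[:-1]
        size = int(hdr[48:58].decode("ascii").strip())
        start = pos + HEADER_LEN
        payload = data[start:start + size]
        if len(payload) != size:
            raise ValueError(f"member {name!r} is truncated")
        yield name, payload
        pos = start + size + (size & 1)  # payloads are padded to an even offset


def find_signatures(deb: bytes) -> dict:
    """Return {role: headers} for each _gpg<role> member.  Nothing is verified:
    a Signer: line is plain text that anyone can write into the archive."""
    sigs = {}
    for name, payload in ar_members(deb):
        if not name.startswith(SIG_PREFIX):
            continue
        text = payload.decode("utf-8", errors="replace")
        headers = {}
        for key in ("Signer", "Date", "Role"):   # assumed dpkg-sig header names
            m = re.search(rf"^{key}: (.*)$", text, re.MULTILINE)
            if m:
                headers[key] = m.group(1).strip()
        headers["clearsigned"] = ("-----BEGIN PGP SIGNED MESSAGE-----" in text
                                  and "-----END PGP SIGNATURE-----" in text)
        sigs[name[len(SIG_PREFIX):]] = headers
    return sigs


def list_signature_roles(deb: bytes) -> list:
    """Equivalent of `dpkg-sig --list`: roles present, or [] when unsigned."""
    return sorted(find_signatures(deb))


# --- constructed sample input; the PGP block is a placeholder, not a signature ---
def ar_member(name: str, payload: bytes) -> bytes:
    """Build one ar member: 60-byte header, payload, newline pad if odd length."""
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(payload):<10}`\n".encode("ascii")
    return hdr + payload + (b"\n" if len(payload) % 2 else b"")


FAKE_SIGNATURE = b"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Version: 4
Signer: Example Builder <builder@example.invalid>
Date: Tue Mar  9 06:26:00 2021
Role: builder
Files: 
\t00000000000000000000000000000000 0000000000000000000000000000000000000000 4 debian-binary
-----BEGIN PGP SIGNATURE-----

placeholder-base64-this-is-not-a-real-signature==
-----END PGP SIGNATURE-----
"""


def build_sample_deb(signed: bool) -> bytes:
    """A minimal .deb-shaped archive; control/data members are placeholder bytes."""
    members = [ar_member("debian-binary", b"2.0\n"),
               ar_member("control.tar.gz", b"\x1f\x8b" + b"\x00" * 14),
               ar_member("data.tar.xz", b"\xfd7zXZ\x00" + b"\x00" * 10)]
    if signed:
        members.append(ar_member("_gpgbuilder", FAKE_SIGNATURE))
    return AR_MAGIC + b"".join(members)


def main(argv):
    # With paths given, inspect real .deb files; otherwise use the constructed samples.
    targets = {p: open(p, "rb").read() for p in argv[1:]} or {
        "signed.deb (constructed)": build_sample_deb(True),
        "unsigned.deb (constructed)": build_sample_deb(False)}
    for label, deb in targets.items():
        roles = list_signature_roles(deb)
        print(f"{label}: {'role(s) ' + ', '.join(roles) if roles else 'no signature members'}")
        for role, h in find_signatures(deb).items():
            print(f"  {role}: Signer={h.get('Signer', '?')} Date={h.get('Date', '?')}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 listsig.py package.deb` (any file name works; the script only reads the archive). Where binutils is installed, `ar t package.deb` lists the members, `ar p package.deb _gpgbuilder` prints one, and `ar x` extracts them into the current directory. In all cases a `_gpg*` member only proves that someone appended a signature block, not that it was made by the key you expect; that still needs `dpkg-sig --verify` or, per Guillem Jover's comment above, the dpkg-supported debsig-verify tooling.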