In rpm-based systems, we can easily see if there is a signature associated with an rpm file:
rpm -qpi <rpm-file.rpm> | grep -i signature
For .deb files, we can see the package information but it doesn't include the information of whether a signature is associated or not:
dpkg-deb -I uma-18feb-latest.deb
Is there a way in Ubuntu to see the signature without using the following command which actually verifies the signature?
dpkg-sig --verify <deb-file.deb>
Best Answer
will list any items in the file which look like a signature, without verifying the file. This will list the role of any signature in the file; e.g.
The first file has a signature with the “builder” role; the second file isn’t signed.
Note that it’s unusual for individual .deb files to be signed (unlike RPMs). Debian packages’ authenticity relies on the repository’s authenticity; see How is the authenticity of Debian packages guaranteed?
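An added example, not part of the original answer: a .deb is an ar archive, so signature members can be listed by reading the member headers alone, with no verification step. The code assumes signatures are stored as ar members named `_gpg<role>` (such as `_gpgbuilder`); the helper names and both sample archives are constructed for illustration.

```python
import io

AR_MAGIC = b"!<arch>\n"
HEADER_LEN = 60  # name 16, mtime 12, uid 6, gid 6, mode 8, size 10, magic 2


def ar_members(data):
    """Yield (name, size) for each member of an ar archive held in bytes."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive (a .deb starts with '!<arch>')")
    pos = len(AR_MAGIC)
    while pos < len(data):
        header = data[pos:pos + HEADER_LEN]
        if len(header) < HEADER_LEN or header[58:60] != b"`\n":
            raise ValueError("truncated or corrupt ar header at offset %d" % pos)
        name = header[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        yield name, size
        pos += HEADER_LEN + size + (size % 2)  # member data is padded to an even length


def signature_roles(data):
    """Return the role of every signature-like member; nothing is verified."""
    return [n[len("_gpg"):] for n, _ in ar_members(data) if n.startswith("_gpg")]


def build_ar(members):
    """Build a constructed sample archive from (name, payload) pairs."""
    out = io.BytesIO()
    out.write(AR_MAGIC)
    for name, payload in members:
        out.write(b"%-16s%-12d%-6d%-6d%-8s%-10d`\n"
                  % (name.encode("ascii"), 0, 0, 0, b"100644", len(payload)))
        out.write(payload)
        if len(payload) % 2:
            out.write(b"\n")
    return out.getvalue()


# Constructed samples: payloads are placeholders, not real package data.
BASE = [("debian-binary", b"2.0\n"), ("control.tar.gz", b"ctl"), ("data.tar.gz", b"data")]
UNSIGNED = build_ar(BASE)
SIGNED = build_ar(BASE + [("_gpgbuilder", b"placeholder, not a real signature\n")])

if __name__ == "__main__":
    for label, blob in (("signed sample", SIGNED), ("unsigned sample", UNSIGNED)):
        print(label, "->", signature_roles(blob) or "no signature members")
```

For a file on disk, pass its bytes to `signature_roles()`. A listed role only means a signature member is present; it says nothing about whether the signature is valid or who made it.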