Security – Check for Signature in a deb Package


In rpm-based systems, we can easily see if there is a signature associated with an rpm file:

rpm -qpi <rpm-file.rpm> | grep -i signature

For .deb files, we can see the package information, but it doesn't include information about whether a signature is associated or not:

dpkg-deb -I uma-18feb-latest.deb

Is there a way in Ubuntu to see the signature without using the following command which actually verifies the signature?

dpkg-sig --verify <deb-file.deb>

Best Answer

dpkg-sig --list <deb-file.deb>

will list any items in the file which look like a signature, without verifying the file. This will list the role of any signature in the file; e.g.

$ dpkg-sig -l vuescan_9.7.50-1_amd64.deb
Processing vuescan_9.7.50-1_amd64.deb...
builder
$ dpkg-sig -l zstd_1.4.8+dfsg-2.1_i386.deb
Processing zstd_1.4.8+dfsg-2.1_i386.deb...
$

The first file has a signature with the “builder” role; the second file isn’t signed.

Note that it’s unusual for individual .deb files to be signed (unlike RPMs). Debian packages’ authenticity relies on the repository’s authenticity; see How is the authenticity of Debian packages guaranteed?
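The same listing done by hand, as an added example that is not part of the original answer: a .deb is an ar archive, and dpkg-sig is assumed here to store each signature as a member named `_gpg` followed by the role (so `_gpgbuilder` for the "builder" role), which means walking the ar member headers is enough to report which roles are present without verifying anything. The two archives below are constructed inline (the tarballs are placeholder bytes, not real packages), and `ar_members`, `signature_roles` and `build_deb` are names chosen for this example.

```python
AR_MAGIC = b"!<arch>\n"  # global ar header; every .deb starts with it


def ar_members(data: bytes):
    """Yield (name, payload) for each member of an ar archive such as a .deb."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive (missing !<arch> magic)")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]            # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError(f"bad member header at offset {pos}")
        # name is 16 bytes, space padded; GNU ar may append a trailing '/'
        name = hdr[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        payload = data[pos + 60:pos + 60 + size]
        if len(payload) != size:
            raise ValueError(f"truncated member {name!r}")
        yield name, payload
        pos += 60 + size + (size % 2)       # members are padded to an even offset


def signature_roles(data: bytes):
    """Roles of dpkg-sig signatures present (assumed layout: members named _gpg<role>).
    This only reports presence, exactly like `dpkg-sig --list`; nothing is verified."""
    return [name[len("_gpg"):] for name, _ in ar_members(data) if name.startswith("_gpg")]


def make_member(name: str, payload: bytes) -> bytes:
    """Encode one ar member: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)."""
    hdr = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
           + "100644".ljust(8) + str(len(payload)).ljust(10)).encode("ascii") + b"`\n"
    return hdr + payload + (b"\n" if len(payload) % 2 else b"")


def build_deb(signed: bool) -> bytes:
    """Constructed sample archive with the usual .deb members, optionally signed."""
    members = [make_member("debian-binary", b"2.0\n"),
               make_member("control.tar.xz", b"\xfd7zXZ\x00 constructed control"),
               make_member("data.tar.xz", b"\xfd7zXZ\x00 constructed data")]
    if signed:  # what dpkg-sig --sign builder is assumed to append
        members.append(make_member("_gpgbuilder", b"-----BEGIN PGP SIGNED MESSAGE-----\n..."))
    return AR_MAGIC + b"".join(members)


if __name__ == "__main__":
    for label, pkg in (("signed", build_deb(True)), ("unsigned", build_deb(False))):
        print(label, [n for n, _ in ar_members(pkg)], "roles:", signature_roles(pkg))
```

Run against a real package by replacing `build_deb(...)` with the bytes read from the .deb file; a role being listed still says nothing about who signed or whether the signature is valid.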
