N unencrypted but signed filesystems

encryption, luks, signature

I'm curious if there is a filesystem that's unencrypted, making it readable by anyone, but employs a digital signature scheme so as to require that writes be digitally signed.

I suspect the answer is "No because it'd be complicated and probably slower than simply encrypting the drive" but seemed interesting.

Best Answer

The two obvious candidates would be ZFS and Btrfs, but as far as I know, they don't do this. Btrfs currently has no crypto at all (for encryption, you're supposed to use LUKS, which provides encryption and optionally block-level integrity but not global integrity). ZFS has an integrity mode where it uses a tree of cryptographic hashes to ensure that the filesystem remains consistent. If the root hash was signed, that would guarantee the authenticity of the filesystem: an adversary could not inject fake content. That would almost guarantee the integrity of the filesystem: all the adversary could do without the key would be to roll back the filesystem to an earlier version. An alternate way to ensure the integrity of the filesystem would be to store an offline copy of the root hash; I can't find a reference of existing tools to do this.

Verifyfs is a FUSE filesystem which verifies the signature of files individually. As far as I can tell from a quick perusal (I hadn't heard of it before today), it does not sign directories, attempt to prevent rollbacks or verify the consistency of the filesystem, so an adversary can downgrade individual files to earlier versions and can erase files.

Why is encryption so common and integrity verification so uncommon? I think there are several reasons: threats to integrity are somewhat less common than threats to confidentiality, they're harder to combat, and integrity verification has a higher performance cost.

  • Encryption protects against a disk getting stolen. It's a threat pretty much everywhere, and once the disk is stolen, there is no other remedy. Integrity verification protects against an adversary who has access to the system while the storage is unmounted (if it's mounted, the integrity verification key is in memory) — an evil maid attack. This is rarely a threat against servers, for which tampering is often detectable, but it is a threat against laptops.

  • Even if you do manage to protect your disk against an evil maid attack by cryptographic means, your computer is still vulnerable to attacks that target firmware. PCs usually have several flash memories which can be rewritten with no cryptographic protection (including the firmware of the disk itself).

  • Integrity protection is costly because it's a global property. Encryption can be performed sector by sector, so the cost is small unless your CPU is very slow and your disk is very fast. If you authenticate sector by sector, an adversary can still partially compromise the system by reverting some sectors to an earlier value, although this is a more sophisticated attack as it may require access to the system at different times. So complete authenticity verification requires comparing a sector's authentication value with a reference value, whose authenticity and freshness itself needs checking, etc.
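The difference between per-sector authentication, an authenticated root hash, and an offline copy of the root hash, as an added example that is not part of the answer above and is not code from ZFS, Btrfs, LUKS or Verifyfs. Assumptions: HMAC-SHA256 stands in for a digital signature so the block needs only the standard library, and the key, the function names and the four-sector images are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stands in for the signing key


def merkle_root(sectors):
    """Root of a binary hash tree over the sectors (leaves and nodes domain-separated)."""
    level = [hashlib.sha256(b"\x00" + s).digest() for s in sectors]
    while len(level) > 1:
        pairs = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
                 for i in range(0, len(level) - 1, 2)]
        level = pairs + level[len(level) & ~1:]  # an odd node is carried up unchanged
    return level[0]


def seal(sectors):
    """Return (root, tag); the tag authenticates the root hash only."""
    root = merkle_root(sectors)
    return root, hmac.new(KEY, root, hashlib.sha256).digest()


def verify(sectors, tag, trusted_root=None):
    """Check the tree against the tag and, if given, against an offline root copy."""
    root = merkle_root(sectors)
    if not hmac.compare_digest(hmac.new(KEY, root, hashlib.sha256).digest(), tag):
        return "tampered"
    if trusted_root is not None and not hmac.compare_digest(root, trusted_root):
        return "stale"  # authentic, but not the version we last recorded
    return "ok"


def sector_tags(sectors):
    """Per-sector authentication: each tag binds one sector index and its content."""
    return [hmac.new(KEY, i.to_bytes(8, "big") + s, hashlib.sha256).digest()
            for i, s in enumerate(sectors)]


def verify_sectors(sectors, tags):
    """True when every sector matches its own tag; says nothing about freshness."""
    return all(hmac.compare_digest(t, x) for t, x in zip(tags, sector_tags(sectors)))


# Constructed sample data: two successive versions of a four-sector image.
V1 = [b"boot", b"config: debug=on", b"data-a", b"data-b"]
V2 = [b"boot", b"config: debug=off", b"data-a", b"data-b2"]
```

An image that mixes V2 sectors with the old V1 sector 1 (and its old tag) passes `verify_sectors` but fails `verify`; a complete V1 image with its V1 tag passes `verify` unless `trusted_root` holds the V2 root.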
