debsign
Sign Debian packages and changes
SYNOPSIS
debsign [option...] [changesfile|buildinfofile|debfile ...]
PARAMETERS
-h, --help
Display help and exit
-V, --version
Output version information and exit
-kkeyid, --keyid=keyid
Sign using specified GPG keyid
-r, --re-sign
Overwrite existing signatures
-n, --no-re-sign
Fail if files already signed
--no-conf, --noconf
Ignore configuration files
--rootcmd=command
Prepend command to dpkg-source/dpkg-gencontrol as root
DESCRIPTION
debsign is a utility from the devscripts package used by Debian maintainers to digitally sign binary .deb packages, .changes files, and .buildinfo files with GPG keys.
It verifies package integrity and authenticity before upload to repositories like Debian or Ubuntu. debsign reads the maintainer field from the package to select the default signing key or uses a specified keyid.
Typically invoked after dpkg-buildpackage, it processes files listed in a .changes file or accepts direct paths to .deb, .changes, or .buildinfo files. Signed packages include GPG signatures in their control files, enabling verification by tools like dpkg-sig.
Essential for secure Debian packaging workflows, it prevents tampering and confirms origin. Requires a configured GPG setup with secret keys.
CAVEATS
Requires GPG agent and secret key access; fails without matching maintainer key. Does not sign source packages directly (.dsc requires manual gpg --clearsign).
CONFIGURATION
Reads ~/.devscripts for DEBSIGN_KEYID default; honors gpg.conf.
TYPICAL USAGE
After building with dpkg-buildpackage -b -uc -us, run debsign *.changes.
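Added example, not part of the original page or of devscripts: a shell check to run after the signing step above and before upload. It lists which of the .changes file and the .dsc/.buildinfo files named in its Checksums-Sha256 field still lack an OpenPGP clearsign envelope. The function names and the hello_1.0-1 sample files are constructed for illustration; the check is structural only and does not validate signatures.

```shell
#!/bin/sh
# Added example (not part of devscripts). Structural pre-upload check only:
# it looks for the OpenPGP clearsign envelope and does not validate the
# signature itself; gpg --verify against a trusted keyring does that.

# True when FILE opens with the clearsign header and has a signature block.
is_clearsigned() {
    [ "$(head -n 1 "$1" 2>/dev/null)" = "-----BEGIN PGP SIGNED MESSAGE-----" ] &&
        grep -q '^-----BEGIN PGP SIGNATURE-----$' "$1"
}

# Print the .dsc/.buildinfo names in the Checksums-Sha256 field of a .changes
# file. Entry lines are indented and read "<sha256> <size> <filename>".
listed_control_files() {
    awk '/^Checksums-Sha256:/ { in_field = 1; next }
         in_field && /^ /     { print $3; next }
                              { in_field = 0 }' "$1" |
        grep -E '\.(dsc|buildinfo)$'
}

# Print every artifact (the .changes itself, then each listed control file in
# the same directory) that is missing or not clearsigned.
unsigned_artifacts() {
    dir=$(dirname "$1")
    is_clearsigned "$1" || echo "$1"
    listed_control_files "$1" | while read -r name; do
        is_clearsigned "$dir/$name" || echo "$dir/$name"
    done
}

# Constructed sample: a signed-looking .changes whose .buildinfo is unsigned.
make_sample() {
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA512' '' \
        'Format: 1.8' 'Source: hello' 'Checksums-Sha256:' \
        ' 0000 10 hello_1.0-1_amd64.buildinfo' ' 1111 20 hello_1.0-1_amd64.deb' \
        'Files:' ' 2222 10 devel optional hello_1.0-1_amd64.buildinfo' \
        '-----BEGIN PGP SIGNATURE-----' '' 'CONSTRUCTED' \
        '-----END PGP SIGNATURE-----' > "$1/hello_1.0-1_amd64.changes"
    printf '%s\n' 'Format: 1.0' 'Source: hello' > "$1/hello_1.0-1_amd64.buildinfo"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
unsigned_artifacts "$demo_dir/hello_1.0-1_amd64.changes"   # lists the .buildinfo
rm -rf "$demo_dir"
```

A non-empty result means signing is incomplete; after a clean result, run gpg --verify on each file to check the signatures against your keyring.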
HISTORY
Introduced in devscripts package around 2001; evolved with Debian Policy for mandatory binary package signing since 2012 (version 3.9.4). Enhanced for .buildinfo support in later versions.


