debsign
Sign Debian packages and changes
SYNOPSIS
debsign [options] package.deb | package.changes
PARAMETERS
-k <keyid>
Specifies the GPG key ID to use for signing. Overrides the DEBSIGN_KEYID environment variable.
-r
Also signs the .changes file generated by dpkg-buildpackage in addition to the .deb file.
-e
Signs only the .changes file, without signing the .deb file itself.
-p <prog>
Specifies the GPG signing program to use (e.g., gpg2). Defaults to gpg.
-m <maintainer>
Overrides the maintainer name in the .changes file for the signature.
-a <architecture>
Overrides the architecture name in the .changes file.
-S
Signs only the source package, specifically the .dsc and associated files via the .changes file.
-sa
Signs the source package and prepares it for upload. Often implies a full source package build context.
-v
Enables verbose output, showing more details about the signing process.
--no-conf
Prevents debsign from reading configuration files like devscripts.conf or ~/.devscripts.
DESCRIPTION
debsign is a utility from the devscripts package used to digitally sign Debian binary (.deb) and source (.changes) packages using GnuPG (GPG). It ensures the authenticity and integrity of packages by embedding a cryptographic signature within the package's control information or associated .changes file. This signature can later be verified by tools like dpkg --verify or by inspecting the .changes file, providing a layer of trust for package users and maintainers.
The command automates the often complex process of extracting relevant control files, signing them with the specified GPG key, and then re-inserting them into the .deb archive, or directly signing the .changes file. It is a crucial step for Debian developers and maintainers before uploading packages to official repositories, ensuring that distributed packages are untampered and originate from a trusted source.
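A signature on a .changes file covers only the text of that file, so after checking the signature (for example with gpg --verify) a verifier still has to re-hash the files it lists. The following is an added example of that second step, not code from debsign or devscripts; it assumes the standard Checksums-Sha256 field layout of .changes files, and the function names and the hello_1.0_all sample files are constructed for illustration.

```shell
#!/bin/sh
# check_changes_sha256 FILE.changes
# Re-hash every file listed under Checksums-Sha256 and compare hash and size.
# Returns 0 only if all listed files are present and match.
check_changes_sha256() {
    changes=$1
    dir=$(dirname -- "$changes")
    # Entries are the space-indented lines that follow the field header.
    entries=$(awk '
        /^Checksums-Sha256:/ { in_field = 1; next }
        in_field && /^ /     { print $1, $2, $3; next }
                             { in_field = 0 }
    ' "$changes")
    [ -n "$entries" ] || { echo "no Checksums-Sha256 entries" >&2; return 1; }
    status=0
    while read -r want_sum want_size name; do
        # Listed names are plain file names; refuse anything with a path.
        case $name in
            ''|*/*) echo "BADNAME  $name"; status=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; status=1; continue
        fi
        got_sum=$(sha256sum < "$dir/$name" | cut -d' ' -f1)
        got_size=$(wc -c < "$dir/$name" | tr -d ' ')
        if [ "$got_sum" = "$want_sum" ] && [ "$got_size" = "$want_size" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; status=1
        fi
    done <<EOF
$entries
EOF
    return "$status"
}

# make_sample DIR: constructed sample data (a dummy .deb and an unsigned
# .changes stub carrying only the fields this check reads).
make_sample() {
    printf 'constructed package payload\n' > "$1/hello_1.0_all.deb"
    sum=$(sha256sum < "$1/hello_1.0_all.deb" | cut -d' ' -f1)
    size=$(wc -c < "$1/hello_1.0_all.deb" | tr -d ' ')
    printf 'Source: hello\nVersion: 1.0\nChanges:\n hello (1.0) unstable\nChecksums-Sha256:\n %s %s hello_1.0_all.deb\n' \
        "$sum" "$size" > "$1/hello_1.0_all.changes"
}

tmp=$(mktemp -d)
make_sample "$tmp"
check_changes_sha256 "$tmp/hello_1.0_all.changes"
rm -rf "$tmp"
```

A nonzero return means at least one listed file is missing or differs from what the signed .changes file recorded, so the package set should not be trusted even if the signature itself verifies.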
CAVEATS
debsign requires gpg (or gpg2) to be installed and configured with the signing key. When signing a .deb, it modifies the package's internal control structure by inserting a _gpgorigin pseudo-control file containing the signature; this file is checked by dpkg --verify. For proper package integrity, debsign should ideally be used on packages just before distribution, or as part of an automated build system that ensures the package hasn't been tampered with prior to signing.
CONFIGURATION FILES
debsign respects several configuration files from the devscripts package, including ~/.devscripts and /etc/devscripts.conf. These files can be used to set default options, such as the GPG key ID (DEBSIGN_KEYID), allowing for consistent signing practices without repeatedly specifying options on the command line.
ENVIRONMENT VARIABLES
The DEBSIGN_KEYID environment variable can be used to specify the GPG key ID for signing. This variable takes precedence over values found in configuration files but can be overridden by the -k command-line option.
HISTORY
debsign is a long-standing component of the devscripts package, a collection of utilities essential for Debian package creation and maintenance. It has been a standard tool for signing packages within the Debian ecosystem, evolving alongside dpkg and gpg to ensure secure and verifiable package distribution. Its primary role is to simplify the often complex process of applying GPG signatures to .deb files and their corresponding .changes files, a crucial step for official Debian package uploads and maintaining trust in the distribution chain.


