how do you create a "signed" deb package

I want to create a number of deb packages, but I don't know how "signing" packages works. So I was wondering how to create a signed deb package.


Package signing on Ubuntu/Debian systems is rather messy. In theory, signing a deb package makes it possible for the person receiving your package to verify that the package was not modified after you signed it. In reality, signature verification is terribly difficult to set up and is disabled by default. Unless the user does a bunch of setup locally, they won't be verifying the signature when the package is installed.

In order to sign a package, you can use either: debsigs or dpkg-sig. The signatures are not compatible with one another, so you'll need to make sure the user is using the proper tool on the receiving side for verifying signatures.

dpkg-sig is easier to use for both you and the user, but debsigs is the tool with built-in support (which is disabled by default) on Ubuntu and Debian.

I wrote a blog post containing all the technical details of signing and verifying source packages (.dsc files), binary packages (.deb), and APT package repositories themselves here: http://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/


Package signing on Debian/Ubuntu is commonly done via .changes files. When building a package you tend to end up with a .changes file listing the results of the build (source and/or binary packages) and their checksums. When you sign packages, this is normally the file you sign (thus allowing verification of the package integrity by way of its checksum).

The simplest way to sign a .changes file is to use debsign:

debsign hello_1.0_amd64.changes

This occurs automatically if you have a primary key in your gnupg keychain, and you run dpkg-buildpackage or debuild without the -us and -uc switches.
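As an added example (not part of either answer above), here is the receiving side of what the second answer describes: after checking the signature on the .changes file, recompute the SHA-256 of every file listed in its Checksums-Sha256 stanza and compare. The file name hello_1.0_amd64.changes comes from the answer; the function names, the stanza parsing and the sample .deb contents are my own assumptions and constructed data.

```shell
#!/bin/sh
# Check the OpenPGP signature on a clearsigned .changes file (as produced by debsign).
# Assumes gpg is installed and the signer's public key has already been imported;
# otherwise gpg exits non-zero and the file must not be trusted.
verify_changes_signature() {
    gpg --verify "$1"
}

# Check the integrity of each file listed in the Checksums-Sha256 stanza of a .changes file.
# Stanza lines look like " <sha256> <size> <filename>" and the stanza ends at the next
# non-indented field (e.g. "Files:"). Files are resolved relative to the .changes file.
# Returns 0 only if every listed file exists and its SHA-256 matches; a tampered,
# truncated or missing file, or a .changes file with no checksum lines, returns 1.
verify_changes_checksums() {
    changes="$1"
    dir=$(dirname "$changes")
    sums="$dir/.changes-sha256.tmp"
    awk '/^Checksums-Sha256:/ { inside = 1; next }
         /^[^ ]/             { inside = 0 }
         inside && NF == 3    { print $1 "  " $3 }' "$changes" > "$sums"
    # --strict makes a malformed line fatal; sha256sum also fails when no lines were found.
    if (cd "$dir" && sha256sum -c --strict --quiet .changes-sha256.tmp); then
        status=0
    else
        status=1
    fi
    rm -f "$sums"
    return $status
}

# Usage, in a directory holding hello_1.0_amd64.changes and the .deb it lists:
#   verify_changes_signature hello_1.0_amd64.changes && verify_changes_checksums hello_1.0_amd64.changes
```

Both checks are needed: the signature proves who produced the .changes file, and the checksums tie that file to the actual .deb you are about to install.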