NAME


dpkg-sig - Debian package archive (.deb) signature generation and verification tool

SYNOPSIS


dpkg-sig [options] --sign role [archive|changes]+

dpkg-sig [options] --verify [archive]+

dpkg-sig [options] --verify-role role [archive]+

dpkg-sig [options] --verify-exact member [archive]+

dpkg-sig [options] --list [archive]+

dpkg-sig [options] --get-hashes role [archive|changes]+

dpkg-sig [options] --sign-hashes [hashes-archive]+

dpkg-sig [options] --write-signature [hashes-archive]+

DESCRIPTION


dpkg-sig creates and verifies signatures on Debian archives (.deb-files).

Use higher-level tools to install and remove packages from your system, and to verify a
signature as acceptable for your system.

A usage example can be found at the end of this man page.

ACTION OPTIONS


--sign, -s role
Signs a standard-conforming Debian archive. role gives the name of the signature
(usually 'builder' for the builder of the .deb). The signature is made using your
default key, unless specified via any explicit or implicit option (see below).

If one or more .changes-files are given, the md5sums inside the .changes file(s) are
also updated.

If a .changes file was gpg-signed, the signature is removed when updating the md5sums.

--verify, -c; --verify-role; --verify-exact
Verifies a signature on the given archive file. --verify and -c just check all
signatures; --verify-role verifies all signatures with a given role, and
--verify-exact wants the exact name of the archive member (without the leading _gpg).
However, both of these commands also accept Perl regular expressions as the name.

All verify variants output (in turn for each signature) either a line consisting of
GOODSIG, role, gpg-fingerprint and signature time (in seconds since 1970-1-1 0:00:00
UTC), or BADSIG.

Starting from version 0.12, dpkg-sig returns 2 if a bad signature was found when
trying to verify. If an unknown key was used to sign a .deb, dpkg-sig returns 3.

--list, -l, -t
Lists all names inside the deb that look like a signature.

--get-hashes, --sign-hashes, --write-signature
--get-hashes creates an ar(1) archive containing a control file part and files with
the digests of all the .debs specified on the command-line or named in the .changes
file(s) specified on the command-line.

After that, you can transfer this (small) file to another machine, for example an
offline system containing your gpg keys. (Yep, that's paranoid!)

--sign-hashes then signs this file containing the digests (in fact, it replaces the
digests parts with their signatures).

Now transfer the signed file back to the machine where you created the hashes and use
--write-signature to add the signatures from the archive to the deb.
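
A wrapper around the --verify output and exit codes described above, added here as an illustration and not part of dpkg-sig or its documentation. It assumes whitespace-separated result lines, a role field that may carry the _gpg member prefix, and exit status 0 on success; the function names and sample fingerprints are made up.

```shell
#!/bin/sh
# Added example: accept a .deb only if dpkg-sig reports a good signature for
# the expected role from a pinned key. Assumption: result lines look like
# "GOODSIG <role> <fingerprint> <epoch>" or "BADSIG ...", whitespace-separated.

# check_verify_output ROLE "FPR1 FPR2 ..."   (reads dpkg-sig output on stdin)
# Returns 0 only if no BADSIG is present and ROLE was signed by a pinned key.
check_verify_output() {
    awk -v role="$1" -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) pinned[a[i]] = 1 }
        $1 == "BADSIG" { bad = 1 }
        $1 == "GOODSIG" {
            r = $2; sub(/^_gpg/, "", r)      # tolerate the archive member prefix
            if (r == role && ($3 in pinned)) good = 1
        }
        END { if (bad || !good) exit 1 }
    '
}

# verify_deb DEB ROLE "FPR1 FPR2 ..."
# Exit codes 2 and 3 are the ones documented above; 0 on success is assumed.
verify_deb() {
    rc=0
    out=$(dpkg-sig --batch=1 --verify "$1") || rc=$?
    case $rc in
        0) printf '%s\n' "$out" | check_verify_output "$2" "$3" ;;
        2) echo "$1: bad signature" >&2; return 2 ;;
        3) echo "$1: signed with an unknown key" >&2; return 3 ;;
        *) echo "$1: dpkg-sig failed ($rc)" >&2; return "$rc" ;;
    esac
}

# Constructed sample output; both fingerprints are made-up placeholders.
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_output() {
    printf 'GOODSIG _gpgbuilder %s 1117022321\n' "$PINNED_FPR"
    printf 'GOODSIG _gpgorigin %s 1117022400\n' FEDCBA9876543210FEDCBA9876543210FEDCBA98
}

sample_output | check_verify_output builder "$PINNED_FPR" &&
    echo "builder signature accepted"
```

A GOODSIG line only says the signature checks out against some key in the keyring; pinning the role and fingerprint is what ties it to the signer you expect.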

OPTIONS


-m maintainer
Specify the maintainer name to be used for signing.

-e maintainer
Same as -m but takes precedence.

-k keyid
Specify the key ID to be used for signing; overrides any -e or -m option.

--verbose
Get some more details.

--batch=1
Guarantees that the non-verbose output will not change. Use this if you want to parse
the output.

--also-v3-sig
The signature format changed between version 0.10 and 0.11. If you want to verify old
signatures too, try this switch.

--also-v2-sig
The signature format changed between version 0.2 and 0.3. If you want to verify old
signatures too, try this switch.

--cache-passphrase, -p
Caches the gpg-passphrase inside dpkg-sig. This needs the suggested package
"libterm-readkey-perl".

Be warned: Doing this is insecure, dpkg-sig doesn't protect the memory it uses to
store the passphrase.

--sign-changes, -a [ no | auto | yes | full | force_full ]
Tells whether to also sign the .changes and .dsc files. The default is auto, which means
that the .changes file is re-signed if it was signed before.

The other values are no (don't sign .changes, and remove an existing signature), yes
(always add a signature to .changes), full (always add a signature to .changes, and
also sign the .dsc-file if there was no previous signature; otherwise ask) and
force_full (always add a signature to both the .changes and .dsc files).

--remote-dpkg-sig, -r path
Use this if you want to specify where dpkg-sig can find the dpkg-sig executable on the
remote machine.

This is useful if you're not able/allowed to install dpkg-sig as a .deb. To do that,
copy the script to something like ~/bin/dpkg-sig on the remote system. After that, you
can call your local dpkg-sig with something like the following to use the remote
signing/verifying features:

"dpkg-sig --sign builder -r ~/bin/dpkg-sig
ssh://user@host:~/some-deb_version_arch.changes"

--remote-ssh-port, -o port
Port of the sshd on the remote host. Default value is 22.

MORE OPTIONS


These options should normally not be used, but are here for completeness. Be warned: Use
them only if you really know what you are doing.

--gpgoptions, -g gpg options
Use this to pass arbitrary options to gpg(1) whenever a file is signed. As this can
lead to broken signatures, test your changes carefully.

--passphrase-file, -f passphrase file
Tells gpg to use the passphrase in file to sign.

Be warned: Doing this is insecure, DON'T use this feature. However, in some cases
(e.g. automatic signing on a buildd) this could be useful, and is still better than
using a gpg-key without passphrase. You can gain at least some security by putting
this file on a ramdisk, but it would be better to use gpg-agent(1).

CONFIGURATION VARIABLES


The two configuration files /etc/devscripts.conf and ~/.devscripts are sourced in that
order to set configuration variables. Command line options can be used to override
configuration file settings. Environment variable settings are ignored for this purpose.
The currently recognised variables are:

DEBSIGN_MAINT
This is the -m option.

DEBSIGN_KEYID, DPKGSIG_KEYID
This is the -k option; DPKGSIG_KEYID takes precedence.

DPKGSIG_SIGN_CHANGES
This is the --sign-changes option. Valid values are no, auto, yes, full and
force_full.

DPKGSIG_CACHE_PASS
This is the --cache-passphrase option. Set this to a true value to enable it.

SIGNATURE FORMAT


The signatures created by dpkg-sig are added in a strict standard-conforming way to the
.deb archive file. The signature itself is made on a file formatted like a Debian control
file. The fields of this file are: Version, specifying a dpkg-sig file version number;
Signer, giving the name of the signer; Date and Role, and finally Files, which gives the
digests of the prior contents of the .deb archive file. Note that this includes any prior
signatures made by dpkg-sig. Thus it is possible to verify any signature by hand with just
ar(1), md5sum(1), sha1sum(1) and gpg(1). Signing a list of digests has the advantage that
it is possible to perform remote signatures without transferring the whole archive file.
This does require one to trust the remote machine, though!
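
The digest half of the by-hand check described above, as an added example rather than dpkg-sig's own code: it recomputes size, MD5 and SHA-1 for every member named in the Files field. It assumes each Files entry is an indented "md5 sha1 size name" line, which this page does not spell out, and that gpg(1) has already accepted the signature over the control text; the function names and sample data are constructed.

```shell
#!/bin/sh
# Added example: recompute the digests listed in a dpkg-sig control text.
# Assumption: each Files entry is an indented "md5 sha1 size name" line.

digest() { "$1" < "$2" | cut -d' ' -f1; }   # usage: digest md5sum FILE

# check_files_field CONTROL DIR
#   CONTROL: signed text from the _gpg<role> member, after gpg(1) accepted it
#   DIR:     members extracted from the .deb with "ar x"
# Returns 0 only if every listed member exists and matches size, MD5 and SHA-1.
check_files_field() {
    awk '/^Files:/ { f = 1; next }
         f && /^[ \t]/ { print $1, $2, $3, $4; next }
         { f = 0 }' "$1" |
    {
        n=0; rc=0
        while read -r md5 sha1 size name; do
            n=$((n + 1)); file="$2/$name"
            case "$name" in
                ''|*/*) echo "unsafe member name: $name" >&2; rc=1; continue ;;
            esac
            [ -f "$file" ] || { echo "missing: $name" >&2; rc=1; continue; }
            [ "$(( $(wc -c < "$file") ))" = "$size" ] &&
            [ "$(digest md5sum "$file")" = "$md5" ] &&
            [ "$(digest sha1sum "$file")" = "$sha1" ] ||
                { echo "mismatch: $name" >&2; rc=1; }
        done
        [ "$n" -gt 0 ] && [ "$rc" -eq 0 ]
    }
}

# make_sample DIR: constructed members plus a matching, unsigned control text.
make_sample() {
    printf '2.0\n' > "$1/debian-binary"
    printf 'constructed payload\n' > "$1/data.tar.gz"
    {
        printf 'Version: 4\nSigner: Example Builder <builder@example.org>\n'
        printf 'Date: Thu Jan  1 00:00:00 1970\nRole: builder\nFiles: \n'
        for m in debian-binary data.tar.gz; do
            printf '\t%s %s %s %s\n' "$(digest md5sum "$1/$m")" \
                "$(digest sha1sum "$1/$m")" "$(( $(wc -c < "$1/$m") ))" "$m"
        done
    } > "$1/control.txt"
}

d=$(mktemp -d) && make_sample "$d" &&
    check_files_field "$d/control.txt" "$d" && echo "digests match"
rm -rf "$d"
```

An empty Files list is treated as a failure, so a control text that names no members cannot pass the check.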

REMOTE SIGNING


dpkg-sig can sign remote files using ssh(1) without transferring the whole file to the
local machine, or the key to the remote machine. Simply specify the file with
"ssh://[user@]machine:/path/to/file", and have dpkg-sig installed on the remote machine.
(See also the --remote-dpkg-sig option above.)

Remote signing supports the usual filename globbing.

Remote signing has been tested, but is at the moment considered a more experimental
feature.
