Signed packages?

Daniel Stone daniel.stone at
Mon Sep 20 06:25:28 UTC 2004

On Mon, Sep 20, 2004 at 01:12:46AM -0500, J.B. Nicholson-Owens wrote:
> First, Ubuntu looks like a fine system.  I'm also glad to read that the 
> focus will be on catering to making things usable by novices.  It's quite a 
> challenge, but it looks like Ubuntu is taking big steps in the right 
> direction.
> I was curious about signed packages.  Are cryptographically signed DEBs 
> possible?
> If so, does Ubuntu use signed packages?  If not, is this something that is 
> seen as a good idea for the future or unnecessary?
> Any rationale to help explain how they're unnecessary would be appreciated 
> if time allows.

Right now, the .debs themselves aren't cryptographically signed, but we
do have strong crypto involved.  Every upload to the archive is done as
source-only: for instance, when I upload xresprobe, I don't upload any
binaries, just the source (the autobuilders build everything).  When I
upload the source, there's a .changes file, containing md5sums of
everything I uploaded.  The .changes file has to be signed with my GnuPG

When autobuilder uploads are done, they also contain .changes files,
which are signed in a similar way.  So, while the .debs themselves
aren't signed (or the source files), we have a pretty damn good audit
trail. :)


Daniel Stone                                        <daniel.stone at>
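An added example (my own code, not Daniel's and not Debian or Ubuntu archive tooling) of the content-binding half of the audit trail described in the reply above: a `.changes` file lists an md5sum and size for every uploaded file, so a verifier that has the signed `.changes` can check that the files it received are the ones the signer vouched for. The upload (`xresprobe_0.4.dsc`, `xresprobe_0.4.tar.gz`) and the `.changes` layout are constructed and simplified; the GnuPG signature over the `.changes` file is verified separately with `gpg --verify` and is not reproduced here, and `signed_body` only extracts the clearsigned text, it does not check it.

```python
"""Check files named in a Debian .changes file against the md5sums it lists.

Constructed example: the .changes body is generated the way an uploader's tooling
would generate it, then the receiving side re-hashes what it actually got.
Signature verification of the .changes file itself (gpg --verify) is assumed
to have happened before verify_changes() is trusted.
"""
import hashlib
import re

# Constructed upload contents (not a real xresprobe release).
UPLOADED_FILES = {
    "xresprobe_0.4.dsc": b"Format: 1.0\nSource: xresprobe\nVersion: 0.4\n",
    "xresprobe_0.4.tar.gz": b"\x1f\x8b\x08\x00" + b"example tarball payload",
}

SIGNED_MESSAGE_START = "-----BEGIN PGP SIGNED MESSAGE-----"
SIGNATURE_START = "-----BEGIN PGP SIGNATURE-----"
# One entry of the Files: field: " md5sum size section priority filename"
FILES_LINE = re.compile(r"^ ([0-9a-f]{32}) (\d+) (\S+) (\S+) (\S+)$")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def make_changes(source: str, version: str, files: dict) -> str:
    """Uploader side: build a (simplified) .changes body listing every file."""
    lines = ["Format: 1.7", f"Source: {source}", f"Version: {version}", "Files:"]
    for name, data in files.items():
        lines.append(f" {md5_hex(data)} {len(data)} x11 optional {name}")
    return "\n".join(lines) + "\n"


def signed_body(text: str) -> str:
    """Return the message body of a clearsigned file, or the text unchanged if
    it is not clearsigned. This extracts only; it does NOT verify anything."""
    if not text.startswith(SIGNED_MESSAGE_START):
        return text
    _armor_headers, _, rest = text.partition("\n\n")  # headers end at blank line
    body = rest.split("\n" + SIGNATURE_START, 1)[0]
    # Clearsign dash-escapes lines beginning with '-' (and "From ") as "- ...".
    unescaped = [l[2:] if l.startswith("- ") else l for l in body.split("\n")]
    return "\n".join(unescaped) + "\n"


def parse_files(changes_body: str) -> dict:
    """Return {filename: (md5_hex, size)} from the Files: field."""
    entries, in_files = {}, False
    for line in changes_body.splitlines():
        if in_files:
            m = FILES_LINE.match(line)
            if not m:
                in_files = False  # a non-indented line ends the field
                continue
            md5, size, _section, _priority, name = m.groups()
            entries[name] = (md5, int(size))
        elif line == "Files:":
            in_files = True
    return entries


def verify_changes(changes_text: str, received: dict) -> tuple:
    """Receiving side: compare every listed file to what actually arrived.

    Returns (ok, problems). A file that arrives without a matching entry is
    reported too: nothing in the signed .changes vouches for it."""
    listed = parse_files(signed_body(changes_text))
    problems = []
    for name, (md5, size) in listed.items():
        if name not in received:
            problems.append(f"{name}: listed but not received")
            continue
        data = received[name]
        if len(data) != size:
            problems.append(f"{name}: size {len(data)} != {size}")
        elif md5_hex(data) != md5:
            problems.append(f"{name}: md5sum mismatch")
    for name in received:
        if name not in listed:
            problems.append(f"{name}: received but not covered by .changes")
    return (not problems, problems)


if __name__ == "__main__":
    changes = make_changes("xresprobe", "0.4", UPLOADED_FILES)
    print(changes)
    print("clean upload:", verify_changes(changes, UPLOADED_FILES))
    # Same-length modification of the tarball after the .changes was produced.
    tampered = dict(UPLOADED_FILES)
    tampered["xresprobe_0.4.tar.gz"] = tampered["xresprobe_0.4.tar.gz"][:-1] + b"X"
    print("tampered tarball:", verify_changes(changes, tampered))
```

The point the thread makes shows up in `verify_changes`: the check only works for a consumer who holds the signed `.changes` file. A `.deb` or source file fetched on its own carries no signature, so the archive's audit trail covers uploads, not a package someone downloads in isolation.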

More information about the ubuntu-users mailing list