Signed packages?

Matt Zimmerman mdz at canonical.com
Mon Sep 20 06:57:59 UTC 2004


On Mon, Sep 20, 2004 at 01:12:46AM -0500, J.B. Nicholson-Owens wrote:

> I was curious about signed packages.  Are cryptographically signed DEBs
> possible?
> 
> If so, does Ubuntu use signed packages?  If not, is this something that is
> seen as a good idea for the future or unnecessary?
> 
> Any rationale to help explain how they're unnecessary would be appreciated
> if time allows.

We do not sign individual packages; we sign the Release file.  This is an
index of the entire archive, including md5 checksums of all of the packages.
For the needs of Ubuntu as a distribution, this is more effective than
signing individual packages.

It is also possible to sign debs, but this is not as common.

Currently, this signature is not verified by Ubuntu systems, but the
software has already been written and will be incorporated into the next
release.

-- 
 - mdz
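
Added example, not part of the original message and not Ubuntu's or apt's code: a sketch of how a signed Release file covers individual packages through a checksum chain. In the Debian archive format the Release file lists checksums of the Packages indexes, and each index lists the checksum of every .deb. It assumes the Release signature has already been checked (for example with gpg); all file contents, paths and names below are constructed.

```python
import hashlib

def md5_hex(data: bytes) -> str:
    # MD5 because the message refers to md5 checksums; Release files also carry SHA256 fields.
    return hashlib.md5(data).hexdigest()

def parse_release_md5(release_text: str) -> dict:
    """Return {path: (md5, size)} from the MD5Sum section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif in_section:
            break  # the next top-level field ends the section
    return entries

def parse_packages(packages_text: str) -> dict:
    """Return {Filename: (MD5sum, Size)} for each stanza of a Packages index."""
    index = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        index[fields["Filename"]] = (fields["MD5sum"], int(fields["Size"]))
    return index

def verify_chain(release_text, index_path, index_bytes, deb_path, deb_bytes) -> bool:
    """Assumption: release_text comes from a Release file whose signature was verified."""
    listed = parse_release_md5(release_text)
    if listed.get(index_path) != (md5_hex(index_bytes), len(index_bytes)):
        return False  # Packages index does not match the signed Release
    pkgs = parse_packages(index_bytes.decode())
    return pkgs.get(deb_path) == (md5_hex(deb_bytes), len(deb_bytes))

# Constructed sample archive: one package, one index, one Release file.
DEB = b"constructed stand-in for a .deb file\n"
DEB_PATH = "pool/main/h/hello/hello_1.0_i386.deb"
INDEX_PATH = "main/binary-i386/Packages"
INDEX = (f"Package: hello\nVersion: 1.0\nFilename: {DEB_PATH}\n"
         f"Size: {len(DEB)}\nMD5sum: {md5_hex(DEB)}\n").encode()
RELEASE = (f"Origin: Example\nSuite: example\nMD5Sum:\n"
           f" {md5_hex(INDEX)} {len(INDEX)} {INDEX_PATH}\n")

if __name__ == "__main__":
    print(verify_chain(RELEASE, INDEX_PATH, INDEX, DEB_PATH, DEB))
    print(verify_chain(RELEASE, INDEX_PATH, INDEX, DEB_PATH, DEB + b"x"))
```

A change to either the .deb or the Packages index breaks the chain, so one signature over Release is enough to detect tampering anywhere below it.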



