end-to-end signed debs. debsign, debsig and dpkg-sig


I have been refreshing my knowledge on debsign, debsig and dpkg-sig.

debsig and dpkg-sig make the package non-deterministic since they embed the signatures into the package. (And most of package.debian.org packages don’t debsig or dpkg-sig either.) So not useful in context of Whonix.

debsign doesn’t bring more security in context of Whonix either. It’s useful to secure the communication between package maintainers and (Debian) build servers. Since Whonix uses no build servers, using debsign would only silence a dpkg-source warning.

Whonix already provides end-to-end package integrity by signing apt repository metadata.

Debian does not end-to-end verify packages from maintainer package signature to dpkg installation on user’s system yet. ( https://wiki.debian.org/UntrustedDebs#End-to-end_signatures_with_TOFU )
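To make concrete how signing apt repository metadata gives integrity for the .deb itself, here is an added example (not Whonix or Debian code) of the hash chain apt walks once the Release/InRelease signature has been checked with gpgv: the signed Release lists the SHA256 of the Packages index, and the Packages index lists the SHA256 of each .deb. All inputs are constructed sample data; signature verification itself is assumed to have already happened.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample data: a stand-in for a .deb, the Packages index that
# describes it, and the (already signature-checked) Release file listing Packages.
DEB_PATH = "pool/main/e/example/example_1.0_all.deb"
DEB_BYTES = b"!<arch>\nconstructed stand-in for a .deb archive\n"
PACKAGES = (
    "Package: example\nVersion: 1.0\nArchitecture: all\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_BYTES)}\nSHA256: {sha256_hex(DEB_BYTES)}\n\n"
).encode()
RELEASE = (
    "Origin: constructed\nSuite: stable\nSHA256:\n"
    f" {sha256_hex(PACKAGES)} {len(PACKAGES)} main/binary-all/Packages\n"
)

def release_sha256_entries(release_text: str) -> dict:
    """Parse the 'SHA256:' block of a Release file into {path: (hash, size)}."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif in_block:
            break  # the block ends at the next unindented field
    return entries

def packages_stanzas(packages_bytes: bytes) -> list:
    """Split a Packages index into a list of {field: value} dicts, one per package."""
    stanzas = []
    for block in packages_bytes.decode().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if fields:
            stanzas.append(fields)
    return stanzas

def verify_deb(release_text, packages_bytes, index_path, deb_path, deb_bytes) -> bool:
    """Walk the chain Release -> Packages -> .deb; any mismatch fails verification."""
    entry = release_sha256_entries(release_text).get(index_path)
    if entry != (sha256_hex(packages_bytes), len(packages_bytes)):
        return False  # index is not vouched for by the signed Release
    for st in packages_stanzas(packages_bytes):
        if st.get("Filename") == deb_path:
            return (st.get("SHA256") == sha256_hex(deb_bytes)
                    and st.get("Size") == str(len(deb_bytes)))
    return False  # package is not listed in the index at all
```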