I have been refreshing my knowledge on
dpkg-sig make the package non-deterministic since they embed the signatures into the package. (And most of package.debian.org packages don’t
dpkg-sig ieither.) So not useful in context of Whonix.
debsign doesn’t bring more security in context of Whonix either. It’s useful to secure the communication between package maintainers and (Debian) build servers. Since Whonix uses no build servers, using
debsign would only silence a
Whonix already provides end-to-end package integrity by signing apt repository metadata.
Debian does not end-to-end verify packages from maintainer package signature to dpkg installation on user’s systemd yet. ( https://wiki.debian.org/UntrustedDebs#End-to-end_signatures_with_TOFU )