Provided by: debsig-verify_0.8_amd64 bug


       debsig-verify - Verify signatures for a Debian format package


       debsig-verify [options] <deb>


       This program is part of a security model that verifies the source and validity of a Debian
       format package (commonly refered to as a deb).

       This  program  implements  the  verification  specs  defined  in  the  document,  "Package
       Verification  with  dpkg:  Implementation",  which  is  a  more complete reference for the
       verification procedure.

       The program generally takes one argument, the deb file to be verified. It will then  check
       the origin signature of the deb, find its Public Key ID (long format), and use that as the
       name for a policy subdirectory. If this subdirectory does not exist, then the verification
       fails immediately.

       In  this  subdirectory,  the  program  finds  one  or  more files named with the .pol file
       extension, which signifies an XML format policy definition. This file contains three  main

       Origin Information about the origin of this policy.

              Rules used to decide if this policy is pertinent to this deb's verification.

              Rules that are used to actually verify the deb.

       The  policy files will reference keyrings by a filename. These keyrings will be looked for
       in a subdirectory of the keyring directory. The subdirectory has  the  same  name  as  the
       policy subdirectory (previously determined by the Origin's Public Key ID).

       The  program  will,  after  first parsing the entire file, check the Origin ID against the
       Public Key ID of the origin signature in the deb.  If these match (which they should, else
       something is really wrong), then it will proceed to the Selection rules.

       The  Selection  rules  decide  whether  this policy is suitable for verifying this deb. If
       these rules fail, then the program will proceed to the next policy. If it passes, then the
       program  commits  to  using  this  policy  for verification, and no other policies will be

       The last verification step relies on the Verification rules. These are similar  in  format
       to the Selection rules, but are usually more constrained. If these rules fail, the program
       exits with a non-zero status. If they pass, then it exits with a zero status.


       -q     Causes the program to send no output, other than fatal errors. This is useful  when
              being called from another program, where you rely on the exit value only.

       -v     Causes  the  program to send more output on execution, so as to follow the steps it
              is taking while trying to verify the deb.

       -d     Outputs even more info than the -v option. This is mainly for debugging.

              Outputs the version information for the program. This includes  the  policy  format
              version. This option does not require any other arguments.

              Outputs  a list of the policies that passed the Selection phase of the verification
              process. In other words, those that could potentially verify the deb. The output is
              one  line showing the directory selected by the origin signature, and then a single
              line for any policy files in that directory that pass  the  Selection  rules.  This
              option will NOT verify the deb.

       --use-policy <pol>
              This  option  takes one argument, which is the name of the policy file (as shown by
              the --list-policies option). Note, this is just a file, and not a  full  path.  You
              cannot  specifiy arbitrary policies.  This option is useful if more than one policy
              applies to potentially verifying the deb. The program will then  use  this  policy,
              and only this policy, to try and verify the deb.


              Directory containing the policy (.pol) definitions.

              XML format policy files.

              Directory containing the keyrings that coincide with the policies.

              GPG format keyrings for use by the policies.




       Ben Collins <>