Provided by: debsig-verify_0.23_amd64 bug

NAME

       debsig-verify - Verify signatures for a Debian format package

SYNOPSIS

       debsig-verify [option...] deb

DESCRIPTION

       This program is part of a security model that verifies the source and validity of a Debian format package
       (commonly referred to as a deb).

       This program implements the verification specs defined in the document, "Package Verification with  dpkg:
       Implementation", which is a more complete reference for the verification procedure.

       The  program  generally  takes  one  argument, the deb file to be verified. It will then check the origin
       signature of the deb, find its Public Key ID (long format), and  use  that  as  the  name  for  a  policy
       subdirectory. If this subdirectory does not exist, then the verification fails immediately.

       In  this  subdirectory,  the  program  finds  one or more files named with the .pol file extension, which
       signifies an XML format policy definition. This file contains three main parts.

       Origin Information about the origin of this policy.

       Selection
              Rules used to decide if this policy is pertinent to this deb's verification.

       Verification
              Rules that are used to actually verify the deb.

       The policy files will reference keyrings  by  a  filename.  These  keyrings  will  be  looked  for  in  a
       subdirectory  of  the  keyring  directory.  The subdirectory has the same name as the policy subdirectory
       (previously determined by the Origin's Public Key ID).

       The program will, after first parsing the entire file, check the Origin ID against the Public Key  ID  of
       the  origin  signature  in  the deb.  If these match (which they should, else something is really wrong),
       then it will proceed to the Selection rules.

       The Selection rules decide whether this policy is suitable for verifying this deb. If these  rules  fail,
       then  the  program  will proceed to the next policy. If it passes, then the program commits to using this
       policy for verification, and no other policies will be referenced.

       The last verification step relies on the Verification rules. These are similar in format to the Selection
       rules,  but  are usually more constrained. If these rules fail, the program exits with a non-zero status.
       If they pass, then it exits with a zero status.

OPTIONS

       -q, --quiet
              Causes the program to send no output, other than fatal errors. This is useful  when  being  called
              from another program, where you rely on the exit value only.

       -v, --verbose
              Causes  the program to send more output on execution, so as to follow the steps it is taking while
              trying to verify the deb.

       -d, --debug
              Outputs even more info than the -v option. This is mainly for debugging.

       --help Outputs the usage information for the program.

       --version
              Outputs the version information for the program. This includes the  policy  format  version.  This
              option does not require any other arguments.

       --list-policies
              Outputs  a  list  of  the policies that passed the Selection phase of the verification process. In
              other words, those that could potentially verify the deb. The  output  is  one  line  showing  the
              directory  selected  by  the origin signature, and then a single line for any policy files in that
              directory that pass the Selection rules. This option will NOT verify the deb.

       --use-policy policy
              This option takes one  argument,  which  is  the  name  of  the  policy  file  (as  shown  by  the
              --list-policies  option).  Note,  this  is  just  a  file, and not a full path. You cannot specify
              arbitrary policies.  This option is  useful  if  more  than  one  policy  applies  to  potentially
              verifying  the deb. The program will then use this policy, and only this policy, to try and verify
              the deb.

       --policies-dir directory
              Use a different directory when looking up for policies.

       --keyrings-dir directory
              Use a different directory when looking up for keyrings.

       --root directory
              Use a different root directory when looking up for policies and keyrings.

EXIT STATUS

       0      The requested operation completed successfully.

       1      General non-success exit value. This occurs for non-verification operations.

       10     Either no signatures are contained in the deb or no origin signature was found.

       11     An origin signature was found, but it does not have a corresponding subdirectory in  the  policies
              directory.

       12     The  origin  was  found, and is present. However, no policies were found that passed the selection
              phase of the process. Thus, no verification was performed.

       13     The package failed the verification phase of the process. More than likely, this occurs due  to  a
              bad signature, or because not all criteria of the verification block of the policy were passed.

       14     An  internal error occurred. This is an unrecoverable error. Either the deb is corrupt, gpg failed
              abnormally, or some other uncontrollable failure.

ENVIRONMENT

       DEBSIG_GNUPG_PROGRAM
              The name (or pathname) of the GnuPG program to use.

FILES

       /etc/debsig/policies/
              Directory containing the policy (.pol) definitions.

       /etc/debsig/policies/*/*.pol
              XML format policy files.

       /usr/share/debsig/keyrings/
              Directory containing the keyrings that coincide with the policies.

       /usr/share/debsig/keyrings/*/*.gpg
              GnuPG format keyrings for use by the policies.

SEE ALSO

       debsigs(1), gpg(1), deb(5).