Hello, Prasad Ramamurthy Kadambi wrote:
Is it OK if I sign package.deb, leaving out the .dsc and .changes files?
There is a provision to do that, however that is optional and currently pretty much unsupported (in fact IIRC there is a hook that auto-rejects signed packages these days).
Take a small look at the .dsc and .changes files, then it should become clear to you why these (and only these) are signed.
The method I normally use is to build with dpkg-buildpackage -rfakeroot -us -uc and then, after all lintian/linda tests have run and I'm happy with the package (for example, one should check that the package is not empty; this happens even to the best of us, and lintian does not warn about it because there may be valid reasons for it), invoke debsign on the .changes file (if I want to upload the package) or on the .dsc (if I want to publish it but not upload to Debian). Note that signing the .changes file includes signing the .dsc, as it only makes sense to upload sources that are also signed.
Also, should I sign .orig.tar.gz?
That happens implicitly by signing the .changes which includes a checksum of the .orig.tar.gz.
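As an added example (not part of the message above, and not code from any Debian tool), the following shell script lays out the build-then-sign sequence described in the reply and adds the check a practitioner wants before running debsign: that the .changes file about to be signed really lists the .orig.tar.gz, and that the SHA-256 it records matches the tarball on disk, since that recorded hash is all the signature on the .changes covers. The package name "hello", its version "1.0-1" and the contents of the sample files are constructed for the demonstration; a real .changes also carries Checksums-Sha1 and Files (MD5) sections, omitted here.

```shell
#!/bin/sh
# Added example, not from the original post. The "hello_1.0-1" package,
# its files and their contents below are constructed for illustration.
set -u

# The sequence from the reply: build unsigned, run lintian, make sure no
# binary package is empty, then sign the .changes (for an upload) or the
# .dsc only. Not exercised below: it needs a source tree and the toolchain.
build_and_sign() {
    srcdir=$1       # unpacked source tree containing debian/
    changes=$2      # the .changes file produced next to it by the build
    ( cd "$srcdir" && dpkg-buildpackage -rfakeroot -us -uc ) || return 1
    lintian "$changes" || return 1
    # An empty .deb is the classic mistake lintian does not flag: count the
    # non-directory entries in each package and refuse to sign if there are none.
    for deb in "$(dirname "$changes")"/*.deb; do
        if [ "$(dpkg-deb -c "$deb" | grep -vc '/$')" -eq 0 ]; then
            echo "refusing to sign: $deb contains no files" >&2
            return 1
        fi
    done
    debsign "$changes"
}

# Print the SHA-256 a .changes file records for one named file (empty if the
# file is not listed). Works on an unsigned or an already clearsigned .changes,
# because the signature lines do not start with a space and end the section.
changes_sha256() {
    awk -v want="$2" '
        /^Checksums-Sha256:/ { insec = 1; next }
        /^[^ ]/              { insec = 0 }
        insec && $3 == want  { print $1 }
    ' "$1"
}

# Recompute every entry of Checksums-Sha256 against the files in directory $2.
# Returns 0 only if every listed file exists there and hashes as recorded.
verify_changes_checksums() {
    awk '
        /^Checksums-Sha256:/ { insec = 1; next }
        /^[^ ]/              { insec = 0 }
        insec && NF == 3     { print $1 "  " $3 }
    ' "$1" | ( cd "$2" && sha256sum -c --status )
}

# Constructed sample: a stand-in .dsc and orig tarball plus a .changes that
# records their real SHA-256 sums and sizes. Prints the temp directory.
make_sample_changes() {
    dir=$(mktemp -d)
    printf 'Format: 3.0 (quilt)\nSource: hello\n' > "$dir/hello_1.0-1.dsc"
    printf 'not a real tarball, constructed for the example\n' > "$dir/hello_1.0.orig.tar.gz"
    {
        printf 'Format: 1.8\nSource: hello\nVersion: 1.0-1\n'
        printf 'Checksums-Sha256:\n'
        for f in hello_1.0-1.dsc hello_1.0.orig.tar.gz; do
            set -- $(sha256sum "$dir/$f")          # $1 = hash, $2 = path
            printf ' %s %s %s\n' "$1" "$(wc -c < "$dir/$f" | tr -d ' ')" "$f"
        done
    } > "$dir/hello_1.0-1_source.changes"
    echo "$dir"
}

# Modify the orig tarball after the .changes was written: exactly the
# situation the recorded checksum exists to catch.
tamper_orig() {
    printf 'extra bytes\n' >> "$1/hello_1.0.orig.tar.gz"
}

# Stand-alone demo of the pre-signing check.
demo_dir=$(make_sample_changes)
demo_changes=$demo_dir/hello_1.0-1_source.changes
if verify_changes_checksums "$demo_changes" "$demo_dir"; then
    echo "checksums match; safe to run: debsign $demo_changes"
fi
tamper_orig "$demo_dir"
if ! verify_changes_checksums "$demo_changes" "$demo_dir"; then
    echo "orig tarball changed after the .changes was written; do not sign"
fi
rm -rf "$demo_dir"
```

Run verify_changes_checksums on the .changes immediately before debsign; if the tarball or .dsc was rebuilt after the .changes was generated, the signature would vouch for hashes that no longer describe the files you upload, and the archive will reject the upload.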