Re: Official Debian digital 'branding' of debs
> Dear Sirs,
> I have noticed that debian sources are PGP signed by their
> package maintainers but the debian binaries are not signed.
> Since I work in a very security aware environment I would
> like every debian binary to also be PGP signed.
You can check the md5sums against the ones from the Packages file. And
the Packages file should probably be signed somehow to ensure it's
correct. Or you can get the original Packages file via ssh if you are
Signing all packages automatically during upload is too risky in my
eyes, since then that main key would float around and be hacked too
easily. Signing all packages by the maintainers is not possible for
autobuild daemons and thus not worth demanding at all.
May the Source be with you.
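The md5sum check the reply describes, as an added example that is not part of the original message or of any Debian tool: it parses the stanza format of a Packages file, looks up the entry for a downloaded .deb by its Filename field, and compares size and MD5 digest. The Packages stanzas and the two byte strings standing in for .deb files are constructed for this example; their MD5sum values are the digests of those stand-in bytes, not of any real package.

```python
import hashlib
from typing import Dict, Iterator

# Constructed stand-ins for two downloaded .deb files (real .debs are ar
# archives; any bytes serve to demonstrate the check).
SAMPLE_FOO_DEB = b"The quick brown fox jumps over the lazy dog"
SAMPLE_BAR_DEB = b"abc"

# Constructed Packages excerpt. Size and MD5sum match the stand-in bytes
# above; the paths are hypothetical.
SAMPLE_PACKAGES = """\
Package: foo
Version: 1.0-1
Architecture: i386
Filename: dists/stable/main/binary-i386/misc/foo_1.0-1.deb
Size: 43
MD5sum: 9e107d9d372bb6826bd81d3542a419d6
Description: Constructed stand-in package
 used only to demonstrate the md5sum check.

Package: bar
Version: 2.3-4
Architecture: i386
Filename: dists/stable/main/binary-i386/misc/bar_2.3-4.deb
Size: 3
MD5sum: 900150983cd24fb0d6963f7d28e17f72
Description: Second constructed stand-in
"""


def parse_packages(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per stanza of a Debian Packages file.

    Stanzas are separated by blank lines. Each field is "Name: value";
    a line starting with whitespace continues the previous field (as in
    multi-line Description fields).
    """
    stanza: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            if stanza:
                yield stanza
            stanza, last_key = {}, None
            continue
        if line[0] in " \t" and last_key is not None:
            stanza[last_key] += "\n" + line.strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed Packages line: {line!r}")
        last_key = key.strip()
        stanza[last_key] = value.strip()
    if stanza:
        yield stanza


def index_by_filename(text: str) -> Dict[str, Dict[str, str]]:
    """Map each stanza's Filename field to the stanza, for fast lookup."""
    return {s["Filename"]: s for s in parse_packages(text)}


def verify_deb(index: Dict[str, Dict[str, str]], filename: str,
               deb_bytes: bytes) -> bool:
    """True only if the .deb's size and MD5 match its Packages entry.

    An unlisted filename is a failure: there is nothing to check against.
    """
    entry = index.get(filename)
    if entry is None:
        return False
    if int(entry["Size"]) != len(deb_bytes):
        return False
    digest = hashlib.md5(deb_bytes).hexdigest()
    return digest == entry["MD5sum"].lower()


INDEX = index_by_filename(SAMPLE_PACKAGES)

if __name__ == "__main__":
    ok = verify_deb(INDEX, "dists/stable/main/binary-i386/misc/foo_1.0-1.deb",
                    SAMPLE_FOO_DEB)
    tampered = verify_deb(INDEX, "dists/stable/main/binary-i386/misc/foo_1.0-1.deb",
                          SAMPLE_FOO_DEB + b"\x00")
    print("foo intact:", ok, "| foo tampered:", tampered)
```

This check only proves that the .deb matches what the Packages file says; it is exactly as trustworthy as the Packages file itself, which is why the reply adds that the Packages file should be signed or fetched over a trusted channel.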