There's a package in experimental/ called 'dpkgcert' that does most of what you're looking for. It'd need a bit of hacking (at the moment, it only reports incorrect ownerships, but doesn't fix them), and you'd have to re-build the certificate database (unless Jim Pick or someone else is still keeping it up-to-date), but it should be most of the way to what you're looking for.