Howdy --
I notice that the test/debs/ source tree in debsig-verify includes files made prior to the 0.5 release, at which time the "debian-binary" file was not expected to be concatenated into the other data to be signed.
Compare:
[chaduffy@shiny5l:~/VC/debsig-verify/test/debs]$ gpg --verify <(ar p sigtest2_2.0-1_all.deb _gpgorigin) <(ar p sigtest2_2.0-1_all.deb control.tar.gz data.tar.gz)
gpg: Signature made Mon 04 Dec 2000 04:13:50 PM CST
gpg: using DSA key 0x7CD73F641E04EC2D
gpg: Good signature from "Ben Collins <bcollins@linux.com>" [unknown]
gpg: aka "Ben Collins <bcollins@debian.org>" [unknown]
gpg: aka "Ben Collins <bcollins@openldap.org>" [unknown]
gpg: aka "Ben Collins <bmc@visi.net>" [unknown]
gpg: aka "Ben Collins <collinbm@djj.state.va.us>" [unknown]
gpg: aka "Ben Collins (Nada) <bcollins@debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: CA9C 9B60 D31F B7FE B093 CDA1 7CD7 3F64 1E04 EC2D
[chaduffy@shiny5l:~/VC/debsig-verify/test/debs]$ gpg --verify <(ar p sigtest2_2.0-1_all.deb _gpgorigin) <(ar p sigtest2_2.0-1_all.deb debian-binary control.tar.gz data.tar.gz)
gpg: Signature made Mon 04 Dec 2000 04:13:50 PM CST
gpg: using DSA key 0x7CD73F641E04EC2D
gpg: BAD signature from "Ben Collins <bcollins@linux.com>" [unknown]
It would be frankly less confusing to remove test data that's no longer relevant, though replacing it with a valid test would be better (or including sample data in both formats if there's backwards compatibility logic to be tested, though I see no such logic in the codebase).
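The two `gpg --verify` invocations above differ only in whether `debian-binary` is prepended to the signed stream. The following is an added example, not code from the mail above or from debsig-verify itself: a small parser for the ar(1) container that a .deb is, a function that rebuilds the signed byte stream in either the pre-0.5 layout (control + data) or the 0.5-and-later layout (debian-binary + control + data), and a helper that tries both against `_gpgorigin`. The sample archive is constructed inline with a placeholder in place of a real signature; the `gpg_verify_layouts` helper assumes `gpg` is on PATH and that the signer's key is already in the local keyring. Member-name handling for both dpkg-style space-padded names and GNU-style names with a trailing `/` is my assumption about what a practitioner will meet, not something the mail states.

```python
"""Rebuild the byte stream a debsig-verify _gpgorigin signature covers.

Added example (not part of the original mail or of debsig-verify): an ar(1)
parser plus the two member orderings the mail compares. The sample archive
at the bottom is constructed inline; the gpg call is optional and assumes
the signing key is already in the local keyring.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile

AR_MAGIC = b"!<arch>\n"
AR_HEADER_LEN = 60


def parse_ar(blob: bytes) -> dict:
    """Parse a common-format ar archive into an ordered {name: bytes} dict.

    Accepts dpkg-style names padded with spaces and GNU-style names ending
    in '/'. Member bodies are padded to even length with a newline.
    """
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members = {}
    pos = len(AR_MAGIC)
    while pos + AR_HEADER_LEN <= len(blob):
        hdr = blob[pos:pos + AR_HEADER_LEN]
        if hdr[58:60] != b"`\n":
            raise ValueError(f"bad member header at offset {pos}")
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        body_start = pos + AR_HEADER_LEN
        if body_start + size > len(blob):
            raise ValueError(f"member {name!r} runs past end of archive")
        members[name] = blob[body_start:body_start + size]
        pos = body_start + size + (size & 1)  # 2-byte alignment
    return members


def signed_data(members: dict, include_debian_binary: bool = True) -> bytes:
    """Concatenate members in the order _gpgorigin is expected to sign.

    debsig-verify 0.5 and later sign debian-binary + control.tar.* +
    data.tar.*; the older layout in the mail's test data omits debian-binary.
    """
    control = next(n for n in members if n.startswith("control.tar"))
    data = next(n for n in members if n.startswith("data.tar"))
    order = (["debian-binary"] if include_debian_binary else []) + [control, data]
    return b"".join(members[n] for n in order)


def candidate_digests(deb: bytes) -> dict:
    """SHA-256 of both candidate signed streams, for comparing two .debs."""
    members = parse_ar(deb)
    return {
        "0.5+": hashlib.sha256(signed_data(members, True)).hexdigest(),
        "pre-0.5": hashlib.sha256(signed_data(members, False)).hexdigest(),
    }


def gpg_verify_layouts(deb: bytes) -> dict:
    """Run `gpg --verify` against both layouts; needs gpg and the signer's key.

    Returns {layout: bool}; raises if gpg is not installed.
    """
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not found on PATH")
    members = parse_ar(deb)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        sig = os.path.join(tmp, "_gpgorigin")
        with open(sig, "wb") as f:
            f.write(members["_gpgorigin"])
        for label, with_db in (("0.5+", True), ("pre-0.5", False)):
            data = os.path.join(tmp, "signed")
            with open(data, "wb") as f:
                f.write(signed_data(members, with_db))
            rc = subprocess.run(["gpg", "--batch", "--verify", sig, data],
                                capture_output=True).returncode
            results[label] = rc == 0
    return results


def make_ar(members) -> bytes:
    """Build a common-format ar archive from [(name, bytes), ...]."""
    out = bytearray(AR_MAGIC)
    for name, body in members:
        # name(16) mtime(12) uid(6) gid(6) mode(8) size(10) fmag(2) = 60 bytes
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(body):<10}`\n".encode("ascii")
        out += body + (b"\n" if len(body) % 2 else b"")
    return bytes(out)


# Constructed sample: a .deb-shaped archive with odd-length members so the
# alignment padding is exercised. The _gpgorigin content is a placeholder,
# not a real signature.
SAMPLE_DEB = make_ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", b"ctrl-bytes!"),
    ("data.tar.gz", b"data-bytes!!"),
    ("_gpgorigin", b"<placeholder signature>"),
])

if __name__ == "__main__":
    for layout, digest in candidate_digests(SAMPLE_DEB).items():
        print(f"{layout:8s} {digest}")
```

On a real package, `gpg_verify_layouts(open("pkg.deb", "rb").read())` tells you which layout the embedded signature was made for; a .deb whose signature only passes under "pre-0.5" is exactly the stale test data the mail describes.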