On 2014-09-24 23:05, Hans-Christoph Steiner wrote: > * the signature files sign the package contents, not the hash of > whole .deb file (i.e. control.tar.gz and data.tar.gz). So preinst and friends would not be signed? Sounds dangerous to me.