9

What is the apt equivalent of rpm -K *.rpm, where -K is defined as verifying the signature of the repository in man rpm and in Maximum RPM?

Example of a situation:

sudo rpm --import https://mirrors.example.com/rpm/RPM-GPG-KEY-release &&
rpm -K example.rpm
Stephen Kitt
  • 411,918
  • 54
  • 1,065
  • 1,164
tsujp
  • 587
  • 1
  • 6
  • 13
  • 4
    `dpkg` is the equivalent to `rpm` not `apt`. Do have a `.deb` you wish to install but want to verify the integrity of or are you installing something from your repositories? – kemotep Mar 14 '19 at 11:05
  • I don't have a `.deb` only an `rpm`. I could use `alien` to convert it into a `.deb` though. Or rather, I have been but not properly as whenever I've tried to verify the signature (probably incorrectly) i get errors et al. – tsujp Mar 15 '19 at 02:54
  • Well that's part of the problem. You did not mention that you were using `alien`. I do not believe that it can verify signatures, or if it could it alters the contents of the package so the signature would not match between the `deb` and `rpm` anyway. As user Stephen Kitt points out, if the maintainers of the package did not use `debsig-verify` for the `deb` version of your software, the package won't be signed in the first place. Please edit your question to be more specific to the steps you are taking to reach your issues. Thank you. – kemotep Mar 15 '19 at 10:45

1 Answers1

8

The equivalent is debsig-verify, which verifies embedded signatures in .deb packages using locally-stored keys and policies.

Unfortunately this isn’t useful in general because Debian packages are usually not signed individually; in fact, as far as I’m aware, the Debian archives reject individually signed uploads. Debian signs repositories as a whole, rather than individual packages, which means that packages can be verified as they’re downloaded, but not necessarily afterwards. (See How is the authenticity of Debian packages guaranteed? for details of repository authentication.) apt will verify packages before installing them, using its locally-cached information and locally-stored keys, but I don’t think there’s a way to ask it to verify a package as a separate task.

Stephen Kitt
  • 411,918
  • 54
  • 1,065
  • 1,164