debsign - sign a Debian changes and dsc file pair using GPG/PGP
debsign [options] [changes-file|dsc-file|commands-file ...]
debsign mimics the signing aspects (and bugs) of dpkg-buildpackage(1).
It takes either an unsigned .dsc file or an unsigned .changes file
(along with the associated unsigned .dsc file found by replacing the
architecture name and .changes by .dsc if it appears in the .changes
file), and signs them using the GNU Privacy Guard or PGP. It is
careful to calculate the size and checksums of the newly signed .dsc
file and replace the original values in the .changes file.
If a .changes, .dsc or .commands file is specified, it is signed,
otherwise, debian/changelog is parsed to determine the name of the
.changes file to look for in the parent directory.
If a .commands file is specified it is first validated (see the details
at ftp://ftp.upload.debian.org/pub/UploadQueue/README), and the name
specified in the Uploader field is used for signing.
This utility is useful if a developer must build a package on one
machine where it is unsafe to sign it; they need then only transfer the
small .dsc and .changes files to a safe machine and then use the
debsign program to sign them before transferring them back. This
process can be automated in two ways. If the files to be signed live
on the remote machine, the -r option may be used to copy them to the
local machine and back again after signing. If the files live on the
local machine, then they may be transferred to the remote machine for
signing using debrsign(1).
This program can take default settings from the devscripts
configuration files, as described below.
The .changes and .dsc files live on the specified remote host.
In this case, a .changes file must be explicitly named, with an
absolute directory or one relative to the remote home directory.
scp will be used for the copying. The
[username@]remotehost:changes syntax is permitted as an
alternative. Wildcards (* etc.) are allowed.
progname is one of pgp or gpg, and specifies which signing
program is to be called. The default is gpg if
~/.gnupg/secring.gpg exists and pgp otherwise.
Specify the maintainer name to be used for signing. (See dpkg-
buildpackage(1) for more information about the differences
between -m, -e and -k when building packages; debsign makes no
use of these distinctions except with respect to the precedence
of the various options. These multiple options are provided so
that the program will behave as expected when called by
Same as -m but takes precedence over it.
Specify the key ID to be used for signing; overrides any -m and
Whether the signing program is to be called with command line
arguments like those of pgp or gpg.
-S Look for a source-only .changes file instead of a binary-build
See dpkg-architecture(1) for a description of these options.
They affect the search for the .changes file. They are provided
to mimic the behaviour of dpkg-buildpackage when determining the
name of the .changes file.
Multiarch changes mode: This signifies that debsign should use
the most recent file with the name pattern
package_version_*+*.changes as the changes file, allowing for
the changes files produced by dpkg-cross.
Recreate signature, respectively use the existing signature, if
the file has been signed already. If neither option is given
and an already signed file is found the user is asked if he or
she likes to use the current signature.
Look for the .changes and .dsc files in directory DIR instead of
the parent of the source directory. This should either be an
absolute path or relative to the top of the source directory.
Do not read any configuration files. This can only be used as
the first option given on the command-line.
Display a help message and exit successfully.
Display version and copyright information and exit successfully.
The two configuration files /etc/devscripts.conf and ~/.devscripts are
sourced in that order to set configuration variables. Command line
options can be used to override configuration file settings.
Environment variable settings are ignored for this purpose. The
currently recognised variables are:
Setting this is equivalent to giving a -p option.
This must be gpg or pgp and is equivalent to using either -sgpg
or -spgp respectively.
This is the -m option.
And this is the -k option.
Always re-sign files even if they are already signed, without
This specifies the directory in which to look for the .changes
and .dsc files, and is either an absolute path or relative to
the top of the source tree. This corresponds to the --debs-dir
command line option. This directive could be used, for example,
if you always use pbuilder or svn-buildpackage to build your
packages. Note that it also affects debrelease(1) in the same
way, hence the strange name of the option.
debrsign(1), dpkg-buildpackage(1), dpkg-architecture(1), debuild(1),
md5sum(1), sha1sum(1), sha256sum(1), gpg(1), pgp(1), scp(1) and
This program was written by Julian Gilbey <firstname.lastname@example.org> and is
copyright under the GPL, version 2 or later.