I asked some questions on the debian-security list, and Michael Stone's answers may be of interest to some. ("he" in my questions is easily recognizable ;-)
He said that after a signed Fedora package is installed (by default, only signed packages are installed), you can boot from some CD and then check the signatures of each file of each package. Thus, having only the fingerprint of Red Hat's key, you can check all your installed packages.
What I'm asking is whether this is possible with dpkg-sig. If not, I think it's a desirable feature.
No it's not. The redhat approach misses the boat on what is probably the
largest part of your installation -- your data & configuration files. Use
something like aide or tripwire to validate your installation.
Another thing he doesn't like is that the check is based on a signed MD5 hash of the content instead of on the signed content itself. Is it true that a signed MD5 is weaker than signed content?
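To make the first question concrete, here is an added example (not part of the list exchange above, and not code from dpkg, dpkg-sig or Red Hat) of the kind of offline check being discussed: boot from rescue media, mount the installed system, and compare every file a package shipped against a per-file hash manifest. The manifest format is the one dpkg keeps in /var/lib/dpkg/info/<pkg>.md5sums ("<md5hex>  <path relative to />"); the package name, paths and file contents are constructed for the demonstration. Note what the example does and does not do: it verifies hashes, but the manifest itself is just a file on the same disk and is not signed, so it does not give you the "only the vendor's key fingerprint is needed" property asked about above. That property needs a signature over the manifest (or over each file) checked against the vendor key, which this script does not do.

```sh
#!/bin/sh
# Added example: verify installed files against a dpkg-style .md5sums manifest
# from an offline (rescue-media) shell. Everything below is constructed input.

set -u

# Build a tiny fake installed root with a "binary" and a configuration file.
# In real use $root would be the mounted filesystem of the system being checked.
make_fake_root() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/etc"
    printf 'echo hello\n' > "$root/usr/bin/hello"
    printf 'option=1\n'   > "$root/etc/hello.conf"
    printf '%s\n' "$root"
}

# Write a manifest in the same shape as /var/lib/dpkg/info/<pkg>.md5sums:
# paths are relative to the root, so the check must run from that root.
# (Hypothetical package name "hello".)
make_manifest() {
    root=$1
    (cd "$root" && md5sum usr/bin/hello etc/hello.conf) > "$root/hello.md5sums"
    printf '%s\n' "$root/hello.md5sums"
}

# Check every file in the manifest. Returns 0 only if all files match;
# prints the FAILED lines (modified or missing files) otherwise.
verify_manifest() {
    root=$1
    manifest=$2
    out=$(cd "$root" && md5sum -c "$manifest" 2>&1)
    rc=$?
    printf '%s\n' "$out" | grep 'FAILED' || true
    return $rc
}

# Demonstration on the constructed root: clean first, then after tampering.
demo_root=$(make_fake_root)
demo_manifest=$(make_manifest "$demo_root")
verify_manifest "$demo_root" "$demo_manifest" && echo "clean: all files match"
printf 'echo tampered\n' > "$demo_root/usr/bin/hello"   # simulate a modified binary
verify_manifest "$demo_root" "$demo_manifest" || echo "tampered: manifest mismatch"
```

Two practical caveats that the exchange above already hints at. First, an attacker who modified /usr/bin/hello can just as easily rewrite hello.md5sums, which is why the manifest needs to be either signed by the vendor or kept off the checked disk. Second, etc/hello.conf will legitimately differ from the shipped version on any configured system, so a package-hash check alone says nothing useful about configuration and data files; that is the gap the answer points at with aide and tripwire, which baseline the system as it actually is rather than as it was shipped.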