The suggested command to verify the download from https://docs.checkmk.com/latest/en/install_packages_debian.html…
gpg --verify /tmp/check-mk-raw-2.4.0p26_0.jammy_amd64.deb
… does not verify the package’s contents that actually get installed.
Instead, it verifies only a very tiny text document attached to the .deb file…
tg@b1v2:~ $ gpg1 --output /tmp/o check-mk-raw-2.4.0p24_0.bookworm_amd64.deb
gpg: Signature made Mon Mar 16 10:56:07 2026 CET using RSA key ID C4503261
gpg: Good signature from "Check_MK Software Release Signing Key (2018) <feedback@check-mk.org>"
gpg: aka "Check_MK Software Daily Build Signing Key (2018) <feedback@check-mk.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B1E7 1065 75B7 23F0 0611 C612 434D AC48 C450 3261
tg@b1v2:~ $ cat /tmp/o
Version: 4
Signer: 434DAC48C4503261
Date: Mon Mar 16 09:56:07 2026
Role: builder
Files:
3cf918272ffa5de195752d73f3da3e5e 7959c969e092f2a5a8604e2287807ac5b1b384ad 4 debian-binary
741d28c00a848efd34516aa73013ca04 ec6b9b7a3fc773fd3274dfc019acde7991839e10 1153468 control.tar.xz
4f2ba093c3b0733875d975f2b94d695a 000528aca71f73a53c94d8eb2ec48d57a02a82f1 270192568 data.tar.xz
… which contains hashes for the other components in the .deb archive, which must then be verified separately.
There used to be dpkg-sig for the way you use to sign packages, but it’s been removed after bullseye.
It still works, if you install it:
tg@b1v2:~ $ dpkg-sig -c check-mk-raw-2.4.0p24_0.bookworm_amd64.deb
Processing check-mk-raw-2.4.0p24_0.bookworm_amd64.deb...
GOODSIG _gpgbuilder B1E7106575B723F00611C612434DAC48C4503261 1773654967
Judging from the tone of the documentation, your average target audience won’t be able to, however.
To fix this, you must change the way you sign packages: generate a separate .deb.sig file containing a detached GnuPG signature instead, and ask users to download that as well and use it to verify the entire .deb file (instead of just a few of its archive member files).
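The member-hash check the post says must be done separately, as an added example that is not code from the post or from Checkmk. It assumes GNU coreutils (md5sum, sha1sum, wc, realpath) and binutils ar; the member name _gpgbuilder is the one shown in the dpkg-sig output above, and the demo data is constructed.

```shell
# Added example, not from the post or from Checkmk. gpg only checks the small
# _gpgbuilder manifest that dpkg-sig appended; the members listed under "Files:"
# must still be hashed and compared. Assumes GNU coreutils and binutils ar.

# verify_members MANIFEST DIR: compare each "md5 sha1 size name" line under
# "Files:" with DIR/name. Succeeds only if at least one member is listed and
# every listed member matches (an empty manifest verifies nothing).
verify_members() {
    manifest=$1; dir=$2; status=0; seen=0; in_files=0
    while IFS= read -r line; do
        if [ "$line" = "Files:" ]; then in_files=1; continue; fi
        [ "$in_files" -eq 1 ] || continue
        set -- $line; [ $# -eq 4 ] || continue      # md5 sha1 size name
        f="$dir/$4"
        if [ ! -f "$f" ]; then echo "MISSING  $4"; status=1; continue; fi
        if [ "$(md5sum "$f" | cut -d' ' -f1)" = "$1" ] &&
           [ "$(sha1sum "$f" | cut -d' ' -f1)" = "$2" ] &&
           [ "$(wc -c < "$f" | tr -d ' ')" = "$3" ]; then
            echo "OK       $4"; seen=$((seen + 1))
        else
            echo "MISMATCH $4"; status=1
        fi
    done < "$manifest"
    [ "$seen" -gt 0 ] || status=1
    return "$status"
}

# verify_deb PKG: unpack, let gpg verify the clear-signed _gpgbuilder member and
# write its plaintext, then check the listed members. gpg's exit status covers
# the signature only; the key's fingerprint still has to match a known-good one.
verify_deb() {
    pkg=$(realpath "$1"); work=$(mktemp -d)
    (cd "$work" && ar x "$pkg") || return 1
    gpg --output "$work/manifest" "$work/_gpgbuilder" || return 1
    verify_members "$work/manifest" "$work"
}
# demo: constructed members and manifest in the post's format, no real package
# or key needed. Succeeds if the intact set verifies and an altered member fails.
demo() {
    d=$(mktemp -d); printf '2.0\n' > "$d/debian-binary"
    printf 'control' > "$d/control.tar.xz"; printf 'payload' > "$d/data.tar.xz"
    { printf 'Version: 4\nRole: builder\nFiles:\n'
      for n in debian-binary control.tar.xz data.tar.xz; do
          printf '%s %s %s %s\n' "$(md5sum "$d/$n" | cut -d' ' -f1)" \
              "$(sha1sum "$d/$n" | cut -d' ' -f1)" "$(wc -c < "$d/$n" | tr -d ' ')" "$n"
      done; } > "$d/manifest"
    verify_members "$d/manifest" "$d" || return 1
    printf 'x' >> "$d/data.tar.xz"              # tampered after signing
    if verify_members "$d/manifest" "$d"; then return 1; fi
}
if [ $# -eq 0 ]; then demo; else verify_deb "$1"; fi
```

With no argument the script runs the constructed demo; with a .deb path it runs the full gpg plus member-hash check.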