


4.3 Verifying Using Existing GNU Tools

Verifying manually is subject to the same constraints as verifying the unpacked archive, except that it does not depend on the checkdigest script or the file list catalog/dfiles/files being present. The steps below that check the payload message digests are the checks the checkdigest script would typically perform.

The first step is to unpack.

     rm -fr somepackage-1.0
     tar zxpf somepackage-1.0.tar.gz

The next step is to try to re-create the signed byte stream and verify it with gpg, like this:

     tar cf - --format=ustar -b1 --numeric --owner=root --group=root \
     --exclude=catalog/dfiles/signature \
     somepackage-1.0/catalog  |
     gpg --verify somepackage-1.0/catalog/dfiles/signature -

Experimenting with the --format, --numeric, --owner, and --group options may be required to get an authentic byte stream. These options depend on how the distribution was created, specifically on the swign --format option and the PSF file_permissions directive. This is why a consistent file permissions policy and tar archive format are important.

Next, try to re-create the payload byte streams like this:

     tar cf - --format=ustar -b1 --numeric --owner=root --group=root \
     --exclude=somepackage-1.0/catalog \
     --exclude=somepackage-1.0/catalog/\* somepackage-1.0 | md5sum

Then compare this md5 to the contents of somepackage-1.0/catalog/dfiles/md5sum. Do the same for the sha1 digest. If the package contains a symbolic link, you will not be able to re-create these digests, because the modification time cannot be preserved for that file type. This may be a good reason for source packages not to contain symbolic links.
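The whole procedure above, as an added shell script that is not part of the swbis manual or the swbis project's own code: it re-creates the catalog and payload byte streams with the tar options shown, compares the payload digests with catalog/dfiles/md5sum and catalog/dfiles/sha1sum, offers the gpg check of the catalog stream, and exercises the digest comparison on a small constructed package (intact, then with a modified payload file). It assumes GNU tar and coreutils md5sum/sha1sum, spells the --numeric abbreviation out as --numeric-owner, and assumes the digest files carry the hex digest as their first whitespace-separated field; the function names, the sample package and its files are this example's own, not the manual's.

```shell
#!/bin/sh
# Added example, not from the swbis manual. Assumes GNU tar, coreutils
# md5sum/sha1sum and, for verify_signature only, gpg with the signer's key.
# Assumption: catalog/dfiles/md5sum and sha1sum hold the hex digest as their
# first field, so only that field is compared.

# The tar options from the manual; adjust --format/--owner/--group to match
# how the package was created (swign --format, PSF file_permissions).
TAROPTS="--format=ustar -b1 --numeric-owner --owner=root --group=root"

# Byte stream that swign signed: catalog/ minus the signature file itself.
catalog_stream() {
    ( cd "$(dirname "$1")" && \
      tar cf - $TAROPTS --exclude="$(basename "$1")/catalog/dfiles/signature" \
          "$(basename "$1")/catalog" )
}

# Payload byte stream: the package tree with catalog/ excluded.
payload_stream() {
    ( cd "$(dirname "$1")" && \
      tar cf - $TAROPTS --exclude="$(basename "$1")/catalog" \
          --exclude="$(basename "$1")/catalog/*" "$(basename "$1")" )
}

# First whitespace-separated field of stdin (digest file or md5sum output).
first_field() { awk '{print $1; exit}'; }

# Re-create the payload digests and compare them with the catalog's copies.
# Returns 0 when both md5 and sha1 match, 1 otherwise.
verify_digests() {
    vd_pkg=$1
    want_md5=$(first_field < "$vd_pkg/catalog/dfiles/md5sum")
    want_sha1=$(first_field < "$vd_pkg/catalog/dfiles/sha1sum")
    got_md5=$(payload_stream "$vd_pkg" | md5sum | first_field)
    got_sha1=$(payload_stream "$vd_pkg" | sha1sum | first_field)
    [ "$want_md5" = "$got_md5" ] && [ "$want_sha1" = "$got_sha1" ]
}

# Check the detached catalog signature against the re-created catalog stream.
verify_signature() {
    catalog_stream "$1" | gpg --verify "$1/catalog/dfiles/signature" -
}

# Constructed sample package (no signature) whose digest files are written
# from the same stream; in a real distribution swign writes them.
make_sample_package() {
    dir=$1/somepackage-1.0
    mkdir -p "$dir/src" "$dir/catalog/dfiles"
    printf 'int main(void){return 0;}\n' > "$dir/src/main.c"
    printf 'sample\n' > "$dir/README"
    payload_stream "$dir" | md5sum  | first_field > "$dir/catalog/dfiles/md5sum"
    payload_stream "$dir" | sha1sum | first_field > "$dir/catalog/dfiles/sha1sum"
    echo "$dir"
}

# Demonstration: the intact package verifies, a modified payload does not.
demo_tmp=$(mktemp -d)
demo_pkg=$(make_sample_package "$demo_tmp")
if verify_digests "$demo_pkg"; then echo "intact: payload digests match"; fi
printf 'tampered\n' >> "$demo_pkg/README"
if ! verify_digests "$demo_pkg"; then echo "modified: payload digests differ"; fi
rm -rf "$demo_tmp"
```

To check a real distribution, run verify_digests and verify_signature on the unpacked directory (for example somepackage-1.0) after importing the packager's public key; if the digests do not match, vary the --format, --numeric-owner, --owner and --group settings in TAROPTS first, as the manual advises, before concluding that the payload was altered.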