Reply To: Need ways to verify trezor-bridge packages for Linux (.deb, .rpm)


#755387
brianddk
Guest

Sig checks are part of the DPKG spec. It’s rather convoluted, but if you can find / install the proper dpkg utils you can check them. If you open the DEB in an ANSI ASCII text editor you will see the metadata.

The first 60 bytes of the file are ASCII, and the last 1300 bytes are ASCII-encoded signature data. This is all in the DPKG spec. The archive format is `AR` (see `binutils`) and you can use `ar` to [extract the deb directly](https://www.cyberciti.biz/faq/how-to-extract-a-deb-file-without-opening-it-on-debian-or-ubuntu-linux/).

The `ar` util will extract a file called `data.tar.gz`. The metadata mentioned in the first paragraph has the MD5 and SHA1 hash of the file. The metadata with the hashes is a GPG-signed message with key `86E6792FC27BFD478860C11091F3B339B9A02A3D`.

So the full process, assuming you want to use none of the DPKG utils, would be:

1. Import and consider trusting key `91F3B339B9A02A3D`
2. Download DEB file
3. Verify DEB (`gpg --verify trezor-bridge_2.0.27_amd64.deb`)
4. View the hashes (`tail -n 29 trezor-bridge_2.0.27_amd64.deb`)
5. Extract the files (`ar x trezor-bridge_2.0.27_amd64.deb`)
6. Hash the files (`shasum data.tar.gz`)

Convoluted, but that is the DPKG spec.
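
Steps 4 to 6 of the post above can be done in one pass without `ar` or `shasum`. This is an added example, not part of the original post and not Trezor's code. It assumes the signed metadata sits in an archive member named `_gpgbuilder` with hash lines laid out as `<md5> <sha1> <size> <name>`, and a hash match only counts once `gpg` has verified the signature over that metadata (step 3).

```python
import hashlib
import re

AR_MAGIC = b"!<arch>\n"

def ar_members(blob):
    """Yield (name, data) for each member of an ar archive (the .deb container)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]          # 60-byte ASCII member header
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = header[:16].decode("ascii").rstrip(" /")
        size = int(header[48:58].decode("ascii"))
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member " + name)
        yield name, data
        pos += 60 + size + (size & 1)        # member data is padded to an even offset

# Assumed layout of one hash line in the signed metadata: "<md5> <sha1> <size> <name>"
HASH_LINE = re.compile(r"^\s*([0-9a-f]{32})\s+([0-9a-f]{40})\s+(\d+)\s+(\S+)\s*$", re.M)

def check_deb(blob, sig_member="_gpgbuilder"):
    """Return {member: True/False} comparing listed MD5/SHA1 with recomputed ones."""
    members = dict(ar_members(blob))
    listed = HASH_LINE.findall(members[sig_member].decode("ascii", "replace"))
    result = {}
    for md5, sha1, size, name in listed:
        data = members.get(name)
        result[name] = (data is not None and len(data) == int(size)
                        and hashlib.md5(data).hexdigest() == md5
                        and hashlib.sha1(data).hexdigest() == sha1)
    return result

def _member(name, data):  # builds one ar member; used for constructed test data only
    head = "%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", len(data))
    return head.encode("ascii") + data + (b"\n" if len(data) & 1 else b"")

def sample_deb(payload=b"constructed payload"):
    """Constructed stand-in for a signed .deb; the signature block is a placeholder."""
    files = [("debian-binary", b"2.0\n"), ("data.tar.gz", payload)]
    lines = "".join("\t%s %s %d %s\n" % (hashlib.md5(d).hexdigest(),
                    hashlib.sha1(d).hexdigest(), len(d), n) for n, d in files)
    meta = ("-----BEGIN PGP SIGNED MESSAGE-----\n\nFiles:\n" + lines +
            "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n")
    return AR_MAGIC + b"".join(_member(n, d) for n, d in files) + _member("_gpgbuilder", meta.encode())
```

For a real download, pass the file's bytes to `check_deb` and treat any `False` entry, or a member missing from the result, as a failed verification.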