Howdy -- I notice that the test/debs/ source tree in debsig-verify includes files made prior to the 0.5 release, at which time the "debian-binary" file was not expected to be concatenated into the other data to be signed.
Compare:

    [chaduffy@shiny5l:~/VC/debsig-verify/test/debs]$ gpg --verify <(ar p sigtest2_2.0-1_all.deb _gpgorigin) <(ar p sigtest2_2.0-1_all.deb control.tar.gz data.tar.gz)
    gpg: Signature made Mon 04 Dec 2000 04:13:50 PM CST
    gpg:                using DSA key 0x7CD73F641E04EC2D
    gpg: Good signature from "Ben Collins <bcoll...@linux.com>" [unknown]
    gpg:                 aka "Ben Collins <bcoll...@debian.org>" [unknown]
    gpg:                 aka "Ben Collins <bcoll...@openldap.org>" [unknown]
    gpg:                 aka "Ben Collins <b...@visi.net>" [unknown]
    gpg:                 aka "Ben Collins <colli...@djj.state.va.us>" [unknown]
    gpg:                 aka "Ben Collins (Nada) <bcoll...@debian.org>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: CA9C 9B60 D31F B7FE B093 CDA1 7CD7 3F64 1E04 EC2D

    [chaduffy@shiny5l:~/VC/debsig-verify/test/debs]$ gpg --verify <(ar p sigtest2_2.0-1_all.deb _gpgorigin) <(ar p sigtest2_2.0-1_all.deb debian-binary control.tar.gz data.tar.gz)
    gpg: Signature made Mon 04 Dec 2000 04:13:50 PM CST
    gpg:                using DSA key 0x7CD73F641E04EC2D
    gpg: BAD signature from "Ben Collins <bcoll...@linux.com>" [unknown]

...whereas with a modern .deb file recently signed by the debsigs tool, the debian-binary file _must_ be concatenated into the other data (reference its source at https://gitlab.com/debsigs/debsigs/-/blob/52cb60820a1d65b87d3818d3e12945f27e88c57d/debsigs#L94 ). It would be frankly less confusing to remove test data that's no longer relevant, though replacing it with a valid test would be better (or including sample data in both formats if there's backwards compatibility logic to be tested, though I see no such logic in the codebase).
This came up in the context of having borrowed the test data from debsig-verify to use in a Go reimplementation at https://github.com/paultag/go-debian/blob/master/deb/sigcheck.go to ensure compatibility; it turns out that using this test data ensured that the result would _not_ be compatible with the modern format!
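To make the difference between the two signed byte streams concrete, here is an added example (not code from debsig-verify, debsigs or go-debian) that does in Python what the `ar p ...` process substitutions above do: parse the ar container of a .deb, then build the pre-0.5 payload (control + data) and the modern payload (debian-binary + control + data) that `_gpgorigin` would have to verify against. The archive it parses is a constructed miniature, not a real package, so the member contents are placeholders.

```python
AR_MAGIC = b"!<arch>\n"
HDR_LEN = 60  # fixed-size ar member header


def parse_ar(blob):
    """Return {member name: bytes} for a common-format ar archive (as used by .deb)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, off = {}, len(AR_MAGIC)
    while off + HDR_LEN <= len(blob):
        hdr = blob[off:off + HDR_LEN]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % off)
        # name field is 16 bytes, space padded; GNU ar appends a '/' terminator
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58])  # decimal size field
        data = blob[off + HDR_LEN:off + HDR_LEN + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        members[name] = data
        off += HDR_LEN + size + (size & 1)  # odd-sized members are padded to even
    return members


def signed_payload(members, include_debian_binary):
    """Bytes the _gpgorigin signature covers: modern debsigs includes debian-binary,
    the pre-0.5 test data in debsig-verify does not."""
    names = ["control.tar.gz", "data.tar.gz"]
    if include_debian_binary:
        names.insert(0, "debian-binary")
    return b"".join(members[n] for n in names)


def build_ar(entries):
    """Constructed helper to assemble a minimal ar archive for testing only."""
    out = bytearray(AR_MAGIC)
    for name, data in entries:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name.encode(), 0, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)


# Constructed sample package: placeholder member contents, signature member last as debsigs writes it.
SAMPLE_DEB = build_ar([("debian-binary", b"2.0\n"), ("control.tar.gz", b"CTRL"),
                       ("data.tar.gz", b"DATA!"), ("_gpgorigin", b"SIG")])
```

Feeding either payload to `gpg --verify` together with the `_gpgorigin` member reproduces the good/bad outcome shown in the session above, depending on which convention the package was signed under.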