If I understand right, Ben wants something unique that can be signed for some secret package signing scheme. Assuming the sig goes in a component after control.tar.gz and data.tar.gz, why can't it just sign a concatenation of their md5sums?
I don't understand how signing a uuid that is just listed in the control file and could be modified by anyone is cryptographically secure. Must be missing something. -- see shy jo
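What the comment proposes, as an added example (not code from the wiki thread or from dpkg): build a minimal .deb in memory (an ar archive with debian-binary, control.tar.gz and data.tar.gz), sign the concatenated md5sums of the two tarballs, and append the result as a trailing member so it is not itself covered by the digest. HMAC-SHA256 with a constructed key stands in for a real public-key signature, the member name `_sig` is assumed, the sample package contents are constructed, and md5 is used only because that is what the comment suggests (a scheme written today would use SHA-256). The point it demonstrates: once the signature binds the contents, editing a uuid in the control file or swapping the payload breaks verification, so a separately signed uuid adds nothing.

```python
"""Sign a .deb over md5(control.tar.gz) || md5(data.tar.gz); added example."""
import hashlib
import hmac
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
SIG_MEMBER = "_sig"  # assumed name for the trailing signature member


def ar_member(name: str, data: bytes) -> bytes:
    """Encode one ar(1) member: 60-byte header, data, pad to an even length."""
    hdr = (name.encode().ljust(16) + b"0".ljust(12) + b"0".ljust(6)
           + b"0".ljust(6) + b"100644".ljust(8)
           + str(len(data)).encode().ljust(10) + b"`\n")
    return hdr + data + (b"\n" if len(data) % 2 else b"")


def parse_ar(blob: bytes) -> list:
    """Return [(name, data), ...] for every member, in archive order."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = hdr[:16].decode().rstrip(" /")  # also strips GNU-style '/'
        size = int(hdr[48:58])
        members.append((name, blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size % 2)
    return members


def make_targz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_deb(control: bytes, data_files: dict) -> bytes:
    """Constructed minimal .deb: debian-binary, control.tar.gz, data.tar.gz."""
    return (AR_MAGIC
            + ar_member("debian-binary", b"2.0\n")
            + ar_member("control.tar.gz", make_targz({"./control": control}))
            + ar_member("data.tar.gz", make_targz(data_files)))


def signable_digest(deb: bytes) -> str:
    """md5(control.tar.gz) || md5(data.tar.gz), as the comment proposes.
    A trailing signature member is not covered, so it can be appended later."""
    members = dict(parse_ar(deb))
    return (hashlib.md5(members["control.tar.gz"]).hexdigest()
            + hashlib.md5(members["data.tar.gz"]).hexdigest())


def sign_deb(deb: bytes, key: bytes) -> bytes:
    # HMAC-SHA256 is a stand-in for a public-key signature (assumption);
    # what matters here is the input that gets signed, not the primitive.
    tag = hmac.new(key, signable_digest(deb).encode(), "sha256").hexdigest()
    return deb + ar_member(SIG_MEMBER, tag.encode() + b"\n")


def verify_deb(deb: bytes, key: bytes) -> bool:
    members = dict(parse_ar(deb))
    if SIG_MEMBER not in members:
        return False
    expected = hmac.new(key, signable_digest(deb).encode(), "sha256").hexdigest()
    return hmac.compare_digest(members[SIG_MEMBER].strip().decode(), expected)


def replace_member(deb: bytes, name: str, data: bytes) -> bytes:
    """Rebuild the archive with one member swapped (what a tamperer would do)."""
    return AR_MAGIC + b"".join(ar_member(n, data if n == name else d)
                               for n, d in parse_ar(deb))


KEY = b"constructed-demo-key"  # constructed; a real scheme uses a private key
CONTROL = b"Package: demo\nVersion: 1.0\nUuid: 1234-abcd\n"  # constructed


def demo() -> dict:
    deb = build_deb(CONTROL, {"./usr/bin/demo": b"#!/bin/sh\necho hi\n"})
    signed = sign_deb(deb, KEY)
    # Only the Uuid field is edited: control.tar.gz changes, so the sig breaks.
    uuid_edit = replace_member(signed, "control.tar.gz", make_targz(
        {"./control": CONTROL.replace(b"1234-abcd", b"ffff-ffff")}))
    # The payload is swapped: data.tar.gz changes, so the sig breaks.
    payload_swap = replace_member(signed, "data.tar.gz", make_targz(
        {"./usr/bin/demo": b"#!/bin/sh\necho pwned\n"}))
    return {
        "unsigned_verifies": verify_deb(deb, KEY),
        "signed_verifies": verify_deb(signed, KEY),
        "digest_unchanged_by_sig": signable_digest(deb) == signable_digest(signed),
        "uuid_edit_verifies": verify_deb(uuid_edit, KEY),
        "payload_swap_verifies": verify_deb(payload_swap, KEY),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the digest deliberately leaves out debian-binary and any member after data.tar.gz; a production scheme would want to cover the format version too, and a verifier must refuse archives where a covered member appears more than once, since `dict(parse_ar(...))` keeps only the last one.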