Vyacheslav, as long as your APT is properly configured, sources
downloaded with apt-get source are trusted via the same mechanism used
for binary packages.

If you attempt to download modified contents you'll get error messages
like this:

$ apt-get source dash
Reading package lists... Done
NOTICE: 'dash' packaging is maintained in the 'Git' version control system at:
http://smarden.org/git/dash.git/
Please use:
git clone http://smarden.org/git/dash.git/
to retrieve the latest (possibly unreleased) updates to the package.
Need to get 299 kB of source archives.
Get:1 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (dsc) [1,882 B]
Get:2 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (tar) [223 kB]
Get:3 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (diff) [73.8 kB]
Err:3 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (diff)
  Hash Sum mismatch
Fetched 299 kB in 0s (10.4 MB/s)
E: Failed to fetch http://mirrors.kernel.org/ubuntu/pool/main/d/dash/dash_0.5.8-2.3ubuntu1.diff.gz  Hash Sum mismatch

E: Failed to fetch some archives.


If you want to additionally verify the signature in the .dsc file for whichever 
developer uploaded the package to the build servers, you can do so:

sarnold@hunt:/tmp$ gpg --verify dash_0.5.8-2.3ubuntu1.dsc 
gpg: Signature made Thu 28 Jul 2016 05:24:26 AM PDT
gpg:                using RSA key BD7EAA60778FA6F5
gpg: Can't check signature: public key not found
sarnold@hunt:/tmp$ gpg --recv-key BD7EAA60778FA6F5
gpg: requesting key BD7EAA60778FA6F5 from hkp server keys.gnupg.net
gpg: key BD7EAA60778FA6F5: public key "Matthias Klose <d...@debian.org>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:  24  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:  24  signed:  19  trust: 20-, 0q, 0n, 4m, 0f, 0u
gpg: next trustdb check due at 2016-12-31
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
sarnold@hunt:/tmp$ gpg --verify dash_0.5.8-2.3ubuntu1.dsc 
gpg: Signature made Thu 28 Jul 2016 05:24:26 AM PDT
gpg:                using RSA key BD7EAA60778FA6F5
gpg: Good signature from "Matthias Klose <d...@debian.org>"
gpg:                 aka "Matthias Klose <d...@ubuntu.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D565 71B8 8A8B BAF1 40BF  63D6 BD7E AA60 778F A6F5
sarnold@hunt:/tmp$ 

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1649097

Title:
  any source package signature is not valid

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1649097/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

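As an added example, not part of this bug report and not code from APT or devscripts: a POSIX shell script that performs the checksum half of the verification sarnold describes above. It reads the Checksums-Sha256 block of a .dsc and compares each listed file by SHA-256 and size, which is the .dsc-level counterpart of the "Hash Sum mismatch" apt raises against the signed Sources index. The package name "demo", the file names and their contents are constructed for the demo; the .dsc follows the real clearsigned layout but its signature block is a placeholder, so the gpg --verify step shown in the message is not repeated here.

```shell
#!/bin/sh
# Added example (not from the bug report): check the files named in a Debian
# .dsc against its Checksums-Sha256 block. Needs sha256sum from coreutils.
# All package/file names and contents below are constructed.

# verify_dsc_checksums FILE.dsc
# Prints OK / MISMATCH / MISSING per listed file; returns 1 if anything fails.
verify_dsc_checksums() {
    dsc="$1"
    dir=$(dirname "$dsc")
    list=$(mktemp)
    # Collect "hash size name" triples from the Checksums-Sha256 block. The
    # block ends at the first line that does not start with a space, which
    # also covers the PGP signature block of a clearsigned .dsc.
    awk '/^Checksums-Sha256:/ { inblk = 1; next }
         /^[^ ]/             { inblk = 0 }
         inblk && NF == 3    { print $1, $2, $3 }' "$dsc" > "$list"
    rc=0
    # A .dsc without a SHA-256 block gives us nothing to check: treat as failure.
    [ -s "$list" ] || { echo "no Checksums-Sha256 block in $dsc"; rc=1; }
    while read -r want_hash want_size name; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        got_hash=$(sha256sum "$f" | cut -d' ' -f1)
        got_size=$(wc -c < "$f" | tr -d ' ')
        if [ "$got_hash" = "$want_hash" ] && [ "$got_size" = "$want_size" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $want_hash/$want_size, got $got_hash/$got_size)"
            rc=1
        fi
    done < "$list"
    rm -f "$list"
    return $rc
}

# make_fixture DIR: write a constructed source upload (orig tarball stand-in,
# diff stand-in) plus a .dsc whose Checksums-Sha256 block matches both files.
make_fixture() {
    fdir="$1"
    printf 'pretend upstream tarball\n' > "$fdir/demo_1.0.orig.tar.gz"
    printf 'pretend packaging diff\n'   > "$fdir/demo_1.0-1.diff.gz"
    {
        echo '-----BEGIN PGP SIGNED MESSAGE-----'
        echo 'Hash: SHA256'
        echo
        echo 'Format: 1.0'
        echo 'Source: demo'
        echo 'Version: 1.0-1'
        echo 'Checksums-Sha256:'
        for name in demo_1.0.orig.tar.gz demo_1.0-1.diff.gz; do
            printf ' %s %s %s\n' "$(sha256sum "$fdir/$name" | cut -d' ' -f1)" \
                                 "$(wc -c < "$fdir/$name" | tr -d ' ')" "$name"
        done
        echo '-----BEGIN PGP SIGNATURE-----'
        echo '(constructed placeholder, not a real signature)'
        echo '-----END PGP SIGNATURE-----'
    } > "$fdir/demo_1.0-1.dsc"
}

# demo: verify an untouched fixture, then alter the diff and verify again.
# Last line printed is "clean:0 tampered:1" when detection works as expected.
demo() {
    work=$(mktemp -d)
    make_fixture "$work"
    if verify_dsc_checksums "$work/demo_1.0-1.dsc"; then clean=0; else clean=1; fi
    # Simulate a diff that was modified on the way from the mirror: one extra byte.
    printf 'x' >> "$work/demo_1.0-1.diff.gz"
    if verify_dsc_checksums "$work/demo_1.0-1.dsc"; then tampered=0; else tampered=1; fi
    rm -rf "$work"
    echo "clean:$clean tampered:$tampered"
}

demo
```

Run stand-alone it prints OK for both files, then a MISMATCH line for the altered diff and a non-zero return from the second check. Size is compared alongside the hash because the .dsc carries both and a truncated download is the more common cause of a mismatch than deliberate modification. In day-to-day use, dscverify from the devscripts package does the signature check and this checksum check in one step; the script above only shows what the checksum step involves.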