FWIW I asked Maple about this and here's what it said:
*****
Yes, on all major Linux distributions, package installation is cryptographically signed and verified by default—but the implementation varies by distribution and package format.
## How Major Distros Handle Signing
**Debian/Ubuntu (APT)**
- **Repository metadata** is signed with GPG keys. APT verifies the `Release` file signature before trusting any package lists.
- **Individual packages** are typically signed by the maintainer's key, though APT primarily trusts the repository metadata rather than verifying every package signature independently by default.
- Keys are stored in `/etc/apt/trusted.gpg.d/` or managed via `signed-by` in sources lists.
**RHEL/CentOS/Fedora (RPM/DNF/YUM)**
- **Packages** are GPG-signed by the packager (the `.rpm` file contains the signature).
- **Repository metadata** is also signed.
- DNF/YUM verify package signatures before installation using keys in `/etc/pki/rpm-gpg/`.
- You can check a package's signature with: `rpm -K package.rpm`
**Arch Linux (Pacman)**
- **Packages** are signed by Arch Linux developer or Trusted User keys.
- Pacman has a web of trust model; the `archlinux-keyring` package distributes trusted keys.
- Signatures are stored as separate `.sig` files.
**Alpine Linux (APK)**
- Uses **RSA signatures** (not GPG). Each package has a corresponding `.rsa.sig` file.
- Public keys are stored in `/etc/apk/keys/`.
**openSUSE (ZYpp/RPM)**
- Similar to Fedora: RPM packages are GPG-signed, and repository metadata is signed.
## Universal Package Formats
- **Flatpak**: OSTree commits are signed with GPG; apps are verified against remotes.
- **Snap**: Packages are signed; the snapd daemon verifies signatures from the Snap Store.
- **AppImage**: Generally **not signed** by default (though some projects embed signatures separately).
## Important Caveats
1. **Manual downloads**: If you manually download a `.deb` or `.rpm` from a website and install it with `dpkg -i` or `rpm -i`, signature verification may be skipped or require manual key import. Using the distro's package manager (APT/DNF) enforces verification.
2. **Disabled verification**: You can disable signature checking (e.g., `apt-get --allow-unauthenticated` or `rpm --nosignature`), but this defeats the security model.
3. **Third-party repositories**: When adding a new repo, you must manually import the GPG key. The security depends on whether you verify the key fingerprint through a trusted channel.
4. **Build-from-source**: Compiling from source code (e.g., `make install`) bypasses the package signing system entirely.
## Verification Commands
```bash
# Debian/Ubuntu: Check repository key
apt-key list
# Fedora/RHEL: Verify a package signature
rpm -qi package_name | grep Signature
# Arch: Verify package databases
pacman-key --list-sigs
# Alpine: Check keys
ls /etc/apk/keys/
```
**Bottom line:** Modern Linux distributions treat cryptographic signing as mandatory for their official repositories, protecting against man-in-the-middle attacks and package tampering. However, the security is only as strong as your key management practices and whether you verify keys when adding third-party repositories.
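To make the "APT trusts the repository metadata" point above concrete, here is a small added example of my own (not from Maple's answer and not APT's code): it walks the hash chain that sits beneath the signed `Release` file. APT checks the GPG signature on `Release`/`InRelease` with `gpgv`; that signature step is not re-implemented here, and the example assumes it has already passed. Below that root everything is SHA256: `Release` lists the hash and size of each `Packages` index, and each `Packages` stanza lists the hash and size of the `.deb` it describes. The repository data, file path and package name are constructed for the example, and the function names are mine.

```python
"""Hash chain beneath APT's signed Release file (added illustration).

Assumes gpgv has already verified the signature on Release; this code only
walks the SHA256 chain Release -> Packages -> .deb over constructed data.
"""
import hashlib
import hmac

# --- constructed sample repository (not a real Debian archive) -------------

DEB_BYTES = b"constructed .deb contents for example-tool"  # stands in for a .deb

PACKAGES_INDEX = (
    "Package: example-tool\n"
    "Version: 1.0-1\n"
    "Architecture: amd64\n"
    "Filename: pool/main/e/example-tool/example-tool_1.0-1_amd64.deb\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
    "\n"
).encode()

INDEX_PATH = "main/binary-amd64/Packages"

# Release as it looks once its GPG signature has been checked (assumed here).
RELEASE_TEXT = (
    "Origin: Example\n"
    "Suite: stable\n"
    "Codename: example\n"
    "Architectures: amd64\n"
    "Components: main\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_INDEX).hexdigest()} {len(PACKAGES_INDEX)} {INDEX_PATH}\n"
)


def parse_release_hashes(release_text: str, algo: str = "SHA256") -> dict:
    """Return {path: (hexdigest, size)} from the named hash section of Release."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new top-level field
            in_section = line.rstrip() == f"{algo}:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def verify_index(release_text: str, path: str, index_bytes: bytes) -> None:
    """Check a downloaded index against its signed Release entry, or raise."""
    entries = parse_release_hashes(release_text)
    if path not in entries:
        raise ValueError(f"{path} is not listed in Release; refusing to trust it")
    digest, size = entries[path]
    if len(index_bytes) != size:
        raise ValueError(f"{path}: size mismatch")
    actual = hashlib.sha256(index_bytes).hexdigest()
    if not hmac.compare_digest(actual, digest):
        raise ValueError(f"{path}: SHA256 mismatch")


def parse_packages(index_bytes: bytes) -> dict:
    """Parse RFC822-style stanzas into {package_name: {field: value}}."""
    stanzas = {}
    for block in index_bytes.decode().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if line.startswith(" "):          # continuation line (e.g. Description)
                continue
            key, _, value = line.partition(":")
            if key and value:
                fields[key.strip()] = value.strip()
        if "Package" in fields:
            stanzas[fields["Package"]] = fields
    return stanzas


def verify_deb(stanza: dict, deb_bytes: bytes) -> None:
    """Check a downloaded .deb against the size and SHA256 in its stanza."""
    if len(deb_bytes) != int(stanza["Size"]):
        raise ValueError(f"{stanza['Filename']}: size mismatch")
    actual = hashlib.sha256(deb_bytes).hexdigest()
    if not hmac.compare_digest(actual, stanza["SHA256"]):
        raise ValueError(f"{stanza['Filename']}: SHA256 mismatch")


def check_chain(release_text: str, index_path: str, index_bytes: bytes,
                package: str, deb_bytes: bytes) -> str:
    """Walk Release -> Packages -> .deb; return 'ok' or the reason for refusal."""
    try:
        verify_index(release_text, index_path, index_bytes)
        stanza = parse_packages(index_bytes)[package]
        verify_deb(stanza, deb_bytes)
    except (ValueError, KeyError) as exc:
        return f"refused: {exc}"
    return "ok"


if __name__ == "__main__":
    print(check_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_INDEX, "example-tool", DEB_BYTES))
    # A modified index no longer matches the signed Release entry.
    print(check_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_INDEX + b"X", "example-tool", DEB_BYTES))
    # A modified .deb no longer matches the stanza in the verified index.
    print(check_chain(RELEASE_TEXT, INDEX_PATH, PACKAGES_INDEX, "example-tool", DEB_BYTES + b"X"))
```

The point this makes about caveat 1 above: a `.deb` fetched through APT is protected because its hash is pinned by an index whose hash is pinned by a signed `Release`; the same `.deb` downloaded from a website and fed to `dpkg -i` has no link back to that root, so nothing in the chain is checked.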