Vyacheslav, as long as your APT is properly configured, sources
downloaded with apt-get source are trusted via the same mechanism used
for binary packages.

If you attempt to download modified contents you'll get error messages
like this:

$ apt-get source dash
Reading package lists... Done
NOTICE: 'dash' packaging is maintained in the 'Git' version control system at:
http://smarden.org/git/dash.git/
Please use:
git clone http://smarden.org/git/dash.git/
to retrieve the latest (possibly unreleased) updates to the package.
Need to get 299 kB of source archives.
Get:1 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (dsc) [1,882 B]
Get:2 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (tar) [223 kB]
Get:3 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (diff) [73.8 kB]
Err:3 http://mirrors.kernel.org/ubuntu yakkety/main dash 0.5.8-2.3ubuntu1 (diff)
  Hash Sum mismatch
Fetched 299 kB in 0s (10.4 MB/s)
E: Failed to fetch http://mirrors.kernel.org/ubuntu/pool/main/d/dash/dash_0.5.8-2.3ubuntu1.diff.gz  Hash Sum mismatch

E: Failed to fetch some archives.


If you want to additionally verify the signature in the .dsc file for whichever 
developer uploaded the package to the build servers, you can do so:

sarnold@hunt:/tmp$ gpg --verify dash_0.5.8-2.3ubuntu1.dsc 
gpg: Signature made Thu 28 Jul 2016 05:24:26 AM PDT
gpg:                using RSA key BD7EAA60778FA6F5
gpg: Can't check signature: public key not found
sarnold@hunt:/tmp$ gpg --recv-key BD7EAA60778FA6F5
gpg: requesting key BD7EAA60778FA6F5 from hkp server keys.gnupg.net
gpg: key BD7EAA60778FA6F5: public key "Matthias Klose <d...@debian.org>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:  24  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:  24  signed:  19  trust: 20-, 0q, 0n, 4m, 0f, 0u
gpg: next trustdb check due at 2016-12-31
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
sarnold@hunt:/tmp$ gpg --verify dash_0.5.8-2.3ubuntu1.dsc 
gpg: Signature made Thu 28 Jul 2016 05:24:26 AM PDT
gpg:                using RSA key BD7EAA60778FA6F5
gpg: Good signature from "Matthias Klose <d...@debian.org>"
gpg:                 aka "Matthias Klose <d...@ubuntu.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D565 71B8 8A8B BAF1 40BF  63D6 BD7E AA60 778F A6F5
sarnold@hunt:/tmp$ 

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1649097

Title:
  any source package signature is not valid

Status in apt package in Ubuntu:
  New

Bug description:
  In short:

  The GPG key 105BE7F7, with which the 'linux' source package is signed,
  was revoked on 08/16/16 (4 months ago!)


  How to reproduce:

  $ apt-get source linux-image-$(uname -r)
  ...
  Picking 'linux' as source package instead of 'linux-image-4.4.0-53-generic'
  ...
  Get:2 http://ru.archive.ubuntu.com/ubuntu xenial-updates/main linux 4.4.0-53.74 (tar) [133 MB]
  ...
  gpgv: Signature made Пт 02 дек 2016 18:32:18 MSK using RSA key ID 105BE7F7
  gpgv: Can't check signature: public key not found
  dpkg-source: warning: failed to verify signature on ./linux_4.4.0-53.74.dsc
  ...

  ### if you add this key:

  $ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 105BE7F7
  $ apt-key list
  ...
  pub   4096R/105BE7F7 2011-09-06
  uid                  Brad Figg <brad.f...@canonical.com>
  sub   4096R/F336E4D5 2011-09-06

  pub   4096R/105BE7F7 2014-06-16 [revoked: 2016-08-16]
  uid                  Brad Figg <brad.f...@canonical.com>

  ### THE KEY WAS REVOKED 4 MONTHS AGO!

  ### Additional info:
  $ lsb_release -rd
  Description:  Ubuntu 16.04.1 LTS
  Release:      16.04

  ### My unmodified /etc/apt/sources.list is in the attachment.
  ### Note, /etc/apt/sources.list.d/ directory is empty.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1649097/+subscriptions
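
Added example, not part of the original message and not apt's or dpkg's own code: apt checks downloads against the hashes in the archive's signed index, while this sketch checks the source files against the Checksums-Sha256 list inside the .dsc, which is the part the uploader's signature covers. The package name, file names and contents in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_checksums(dsc_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field."""
    entries, in_field = {}, False
    for line in dsc_text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break  # end of the signed text
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith(" ") and len(line.split()) == 3:
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_field = False  # any other line ends the field
    return entries

def verify_sources(dsc_path):
    """Check each listed file next to the .dsc; return {filename: status}."""
    dsc_path = Path(dsc_path)
    results = {}
    for name, (digest, size) in parse_checksums(dsc_path.read_text("utf-8")).items():
        path = dsc_path.parent / name
        if Path(name).name != name or not path.is_file():
            results[name] = "missing"  # also refuses names that contain a path
        elif path.stat().st_size != size:
            results[name] = "size mismatch"
        elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            results[name] = "hash mismatch"
        else:
            results[name] = "ok"
    return results

def demo():
    """Constructed sample: made-up .dsc and two files, the diff altered on disk."""
    files = {"pkg_1.0.orig.tar.gz": (b"upstream", b"upstream"),  # (listed, on disk)
             "pkg_1.0-1.diff.gz": (b"packaging", b"PACKAGING")}
    with tempfile.TemporaryDirectory() as d:
        dsc = ["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA256", "", "Checksums-Sha256:"]
        for name, (listed, on_disk) in files.items():
            dsc.append(f" {hashlib.sha256(listed).hexdigest()} {len(listed)} {name}")
            Path(d, name).write_bytes(on_disk)
        dsc += ["Files:", " 0 0 not-a-sha256-entry", "-----BEGIN PGP SIGNATURE-----"]
        Path(d, "pkg_1.0-1.dsc").write_text("\n".join(dsc) + "\n", "utf-8")
        return verify_sources(Path(d, "pkg_1.0-1.dsc"))

if __name__ == "__main__":
    print(demo())
```

The result only means something once `gpg --verify` on the same .dsc has reported a good signature from a key you trust; the script does not check the signature itself.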
