So, one of the things I want to do for the new dpkg-source is to actually verify signatures on source packages. I noticed debsigs and debsig-verify, but they appear to only operate on .deb packages.
What I think would be nice is to make debsig-verify a bit more generic, so dpkg-source could use it to verify the signatures on .dsc files too. Also, I do think that we could create a good default policy which would provide a reasonable amount of additional security, and not be too intrusive. Basically, the policy should default to verifying against the Debian keyring, or /etc/dpkg/local-keys.gpg or something. That way someone applying to NM could just drop their key in that file, and tell their sponsor to do the same. So Ben, what do you think about this? Of course, we really need to make apt verify the Release signature too...
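The default policy sketched above, as an added shell example (not code from this mail, dpkg or debsig-verify): a function that verifies a clearsigned .dsc with gpgv against a list of keyrings, the Debian keyring first and the local keyring second, and succeeds on the first keyring that validates the signature. The keyring paths are assumptions: /usr/share/keyrings/debian-keyring.gpg is where the debian-keyring package installs its keyring, and /etc/dpkg/local-keys.gpg is the local file proposed here.

```shell
#!/bin/sh
# Added example, not the author's code. Candidate keyrings in policy order;
# both paths are assumptions (see the lead-in) and can be overridden.
DSC_KEYRINGS="${DSC_KEYRINGS:-/usr/share/keyrings/debian-keyring.gpg /etc/dpkg/local-keys.gpg}"

# verify_dsc FILE.dsc
# Prints the keyring that verified the signature and returns 0,
# or returns 1 when no configured keyring accepts it.
verify_dsc() {
    dsc="$1"
    if [ ! -r "$dsc" ]; then
        echo "verify_dsc: cannot read $dsc" >&2
        return 1
    fi
    # An unsigned .dsc can never pass the policy, whatever the keyring holds.
    if ! grep -q '^-----BEGIN PGP SIGNED MESSAGE-----' "$dsc"; then
        echo "verify_dsc: $dsc is not clearsigned" >&2
        return 1
    fi
    if ! command -v gpgv >/dev/null 2>&1; then
        echo "verify_dsc: gpgv is not installed, refusing to trust $dsc" >&2
        return 1
    fi
    for keyring in $DSC_KEYRINGS; do
        # Skip keyrings that are not present (e.g. no local-keys.gpg yet).
        [ -r "$keyring" ] || continue
        # gpgv trusts exactly the keys in the given keyring and nothing else,
        # so a good signature here means "signed by a key in this keyring".
        if gpgv --quiet --keyring "$keyring" "$dsc" 2>/dev/null; then
            echo "$keyring"
            return 0
        fi
    done
    echo "verify_dsc: no configured keyring verifies $dsc" >&2
    return 1
}
```

A caller such as a source-unpacking tool would treat any non-zero return as "do not unpack"; a missing gpgv is deliberately a failure rather than a silent pass.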