There appear to be two ways to sign a package:
- debsigs
- dpkg-sig
Sign and verify with dpkg-sig appears to work.
The two approaches are not compatible, i.e. a package signed with one cannot be verified with the other.
Generate GPG Keys
Generate a PGP key to use:
gpg --gen-key
Export public key:
gpg --export my_email@someaddress.com >mykey.asc
Get the fingerprint (this lists all keys):
gpg --fingerprint
pub rsa3072 2020-02-26 [SC] [expires: 2022-02-25]
1876 089E B713 1C18 EB28 6BB9 4A4A E957 573F A98C
uid [ultimate] my name <my_email@someaddress.com>
sub rsa3072 2020-02-26 [E] [expires: 2022-02-25]
dpkg-sig
Sign my package (I only have one key):
dpkg-sig --sign origin MY_PACKAGE-0.1.0-Linux.deb
Verify the signing:
dpkg-sig --verify MY_PACKAGE-0.1.0-Linux.deb
Processing MY_PACKAGE-0.1.0-Linux.deb...
GOODSIG _gpgorigin 1876089EB7131C18EB286BB94A4AE957573FA98C 1582793634
This does not establish that the signer is trusted; it only verifies that the package carries a signature and has not been modified since it was signed. You still need to check that the public key is one you trust, by comparing the fingerprint in the GOODSIG line with the fingerprint above.
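The fingerprint comparison just described, as an added example that is not part of the original notes: a POSIX shell function parses the report printed by `dpkg-sig --verify` and accepts the package only when the origin signature is GOODSIG and was made by a pinned fingerprint. The sample reports are constructed; the status words other than GOODSIG and the all-zero fingerprint are illustrative, and `verify_deb` assumes dpkg-sig is installed.

```shell
#!/bin/sh
# Added example, not from the original notes: turn "check the fingerprint"
# into a script. A GOODSIG line alone only proves the package is unmodified
# since signing; the signer must also be a key we chose to trust.

# Fingerprint from `gpg --fingerprint` in the notes above, spaces removed.
TRUSTED_FPR="1876089EB7131C18EB286BB94A4AE957573FA98C"

# check_sig_report REPORT
# REPORT is the text printed by `dpkg-sig --verify pkg.deb`; signature lines
# look like:  GOODSIG _gpgorigin <fingerprint> <unix-timestamp>
# Returns 0 only if every signature line is GOODSIG from TRUSTED_FPR and one
# of them is the origin signature; anything else (bad signature, unknown
# signer, no signature at all) returns 1.
check_sig_report() {
    printf '%s\n' "$1" | awk -v trusted="$TRUSTED_FPR" '
        /^Processing /  { next }               # file header, not a signature
        NF == 0         { next }
        $1 != "GOODSIG" || $3 != trusted { bad = 1; next }
        $2 == "_gpgorigin" { origin = 1 }
        END { if (origin && !bad) exit 0; exit 1 }
    '
}

# verify_deb PATH: run dpkg-sig and apply the policy above.
verify_deb() {
    check_sig_report "$(dpkg-sig --verify "$1")"
}

# Constructed sample reports, modelled on the GOODSIG line in the notes.
GOOD_REPORT='Processing MY_PACKAGE-0.1.0-Linux.deb...
GOODSIG _gpgorigin 1876089EB7131C18EB286BB94A4AE957573FA98C 1582793634'
# Valid signature, but from a key that was never pinned (constructed).
UNKNOWN_SIGNER='Processing MY_PACKAGE-0.1.0-Linux.deb...
GOODSIG _gpgorigin 0000000000000000000000000000000000000000 1582793634'
# Package changed after signing (constructed status line).
TAMPERED='Processing MY_PACKAGE-0.1.0-Linux.deb...
BADSIG _gpgorigin 1876089EB7131C18EB286BB94A4AE957573FA98C 1582793634'

if [ $# -gt 0 ]; then
    verify_deb "$1" && echo "trusted origin signature: $1" \
        || { echo "REJECT: $1" >&2; exit 1; }
fi
```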
debsigs
These are ongoing notes, i.e. it is not working yet. I believe that this is broken, see:
https://superuser.com/questions/1504081/no-valid-openpgp-data-found-when-trying-to-verify-signature-of-deb-package-with
Sign the package:
debsigs --sign=origin MY_PACKAGE-0.1.0-Linux.deb
Verify the package (the result depends on the installed policies):
debsig-verify --list-policies MY_PACKAGE-0.1.0-Linux.deb
debsig-verify MY_PACKAGE-0.1.0-Linux.deb
Copy the public key to the Debian signature verification location. Note the key ID used in the paths below: 4A4AE957573FA98C, the last 16 hex digits of the fingerprint above. The keyring file name must be the one named by the File attribute of the policy (debsig.gpg), otherwise debsig-verify will not find the key.
mkdir /usr/share/debsig/keyrings/4A4AE957573FA98C
gpg --no-default-keyring --keyring \
/usr/share/debsig/keyrings/4A4AE957573FA98C/debsig.gpg \
--import mykey.asc
Create a Debian policy file for the key (the id attributes below carry the same key ID):
mkdir /etc/debsig/policies/4A4AE957573FA98C
cd !$
vi test.pol
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="https://www.debian.org/debsig/1.0/">
<Origin Name="test" id="4A4AE957573FA98C" Description="Test package"/>
<Selection>
<Required Type="origin" File="debsig.gpg" id="4A4AE957573FA98C"/>
</Selection>
<Verification MinOptional="0">
<Required Type="origin" File="debsig.gpg" id="4A4AE957573FA98C"/>
</Verification>
</Policy>