
Requirements of the tool (dpkg) support for signed packages

Which are the requirements for package signing?

 I have some ideas, I hope you find them useful, at least for starting a
discussion...:

  * Generic semantics for package signing with as little hardcoded Debian
    policy as possible.

    Rationale: dpkg is not only used by Debian anymore. dpkg should be a
    generic packaging tool. Besides, this would give us greater flexibility.
    On top of this raw functionality, there would be something that will
    define what a trusted package means. Whether this would be part of dpkg
    or part of apt can be discussed. But it would be nice to have these two
    "levels": as I said, dpkg should be as generic a packaging tool as
    possible.


  * Multiple signatures. Each step in the chain should be able to add a
    signature for the package.

    Rationale: Packages should be signed by the maintainer (or the
    auto-builder) and dinstall. Even more: a big site could add one more
    signature in order to "bless" packages (this could be used to implement
    some computer-lab management system, dunno).  The security policy which
    defines what "trusted" means would be implemented at the client (by
    a tool or by the user), so the package should provide as much signature
    info as it can.


  * The signature must be included *inside* the deb.

    Rationale: To make security transparent to the newbie. To prevent
    the distribution of a .deb without the sig.


  * Not only do the package files need to be signed, but also the control
    files.

    Rationale: It's trivial to invent something to sign the data.tar.gz, but
    that would be clearly wrong. The maintainer address, the dependencies
    and the maintainer scripts must be signed too. I would even say that the
    sign tool should sign every component of the ar file, allowing for
    future expansion. If we add more components to the ar they should be
    signed too.  Signature components would have to be exempted from being
    signed.


  * Backward compatibility would be important. Packages in woody should be
    able to be unpacked with a potato dpkg.

    Rationale: People will need to upgrade to woody someday. =)
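To make the "multiple signatures", "signature inside the deb" and "sign every ar component except the signature components" points concrete, here is an added, stand-alone sketch (not dpkg code, and not from this post): it parses the .deb ar container, digests every non-signature member into a manifest, and appends one signature member per signer. The `_sig_` member name and the HMAC stand-in for an OpenPGP signature are assumptions made for the example; the sample members are constructed.

```python
import hashlib
import hmac

AR_MAGIC = b"!<arch>\n"
SIG_PREFIX = "_sig_"  # assumed naming for signature members (not dpkg's)

def ar_members(blob):
    """Parse an ar archive (the .deb container) into [(name, data), ...]."""
    assert blob.startswith(AR_MAGIC), "not an ar archive"
    pos, members = len(AR_MAGIC), []
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[:16].decode().rstrip().rstrip("/")
        size = int(hdr[48:58])
        members.append((name, blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size % 2)  # members are padded to even offsets
    return members

def ar_build(members):
    """Serialise [(name, data), ...] back into an ar archive."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (
            name.encode(), 0, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)

def manifest(deb):
    """Digests of every member except signature members, so a signature covers
    debian-binary, control.tar.gz, data.tar.gz and any future component."""
    lines = [b"%s %s" % (n.encode(), hashlib.sha256(d).hexdigest().encode())
             for n, d in ar_members(deb) if not n.startswith(SIG_PREFIX)]
    return b"\n".join(lines) + b"\n"

def add_signature(deb, signer, key):
    """Append one signature member; earlier signature members stay valid."""
    sig = hmac.new(key, manifest(deb), "sha256").digest()  # stand-in for OpenPGP
    return ar_build(ar_members(deb) + [(SIG_PREFIX + signer, sig)])

def verify(deb, keys):
    """Return {signer: bool} for every signature member found in the .deb."""
    m, result = manifest(deb), {}
    for name, sig in ar_members(deb):
        if name.startswith(SIG_PREFIX):
            signer = name[len(SIG_PREFIX):]
            expected = hmac.new(keys[signer], m, "sha256").digest() if signer in keys else b""
            result[signer] = hmac.compare_digest(sig, expected)  # unknown signer -> False
    return result

# Constructed sample .deb; a real one carries the tarballs dpkg-deb writes.
SAMPLE_DEB = ar_build([("debian-binary", b"2.0\n"),
                       ("control.tar.gz", b"<control tarball>"),
                       ("data.tar.gz", b"<data tarball>")])
```

Because the manifest skips `_sig_*` members, dinstall can add its signature after the maintainer without invalidating the maintainer's, and the client decides which combination of signers counts as "trusted".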

