RFC: Signed packages and translations
after a long night, I have a first draft of my proposal that defines
signed packages and translations added to existing binary packages.
<getting asbestos suit>
GPG public key available from http://phobos.fs.tum.de/pgp/Simon.Richter.asc
Fingerprint: DC26 EB8D 1F35 4F44 2934 7583 DBB6 F98D 9198 3292
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
Signed .deb archives and translations
Step 1: Signed archives
The basic idea is to accompany each member in a .deb file with another file
that contains an OpenPGP signature for this file. This signature file need
not be ascii armored since this would only introduce transmission overhead
and gain nothing. The file name for this file is constructed from the
original filename as follows:
If the original filename is no more than sizeof(ar_name)-2 bytes long, ".s"
is appended to it. If it is longer, the part of the file name before the
first dot or dash is truncated so that the ".s" suffix will fit. If the
first component would disappear, the component after the first dot will be
used and so on.
During the transition period (two releases), dpkg-deb should generate file
names by prepending "_s" rather than appending ".s" when building packages
and accept both names when extracting or verifying. This allows signed
packages to be processed with older versions of dpkg which would exit with
an error if they encountered an unknown archive member (files whose names
start with an underscore are silently ignored).
Name Transition name Final name
control.tar.gz _scontrol.tar.gz control.tar.gz.s
contro-de.tar.gz _scont-de.tar.gz cont-de.tar.gz.s
con-de_AT.tar.gz _sc-de_AT.tar.gz c-de_AT-tar.gz.s
- An end user can verify who built the .deb file.
- Since individual members of the archive are signed, it is possible to
add or remove parts of Debian archives later without invalidating the
entire file. This makes sense when it comes to translated
Debian-specific information, like the package "Description" or debconf
- Once you have a larger number of members in an archive, verifying the
signatures on each of them can be very time-consuming. Thus it is
recommended to have a "trusted" path from which packages can be
installed without checking (see "Transition" below).
- Modify dpkg-deb to verify the signatures of archive members on extract,
unless told otherwise. dpkg-deb should not fail if the signature members
are missing since the packages currently on the Debian FTP servers would
no longer install.
- Add commands to dpkg-deb to verify package members' signatures, remove
all unsigned members from an archive (this is helpful in conjunction
with the "trusted" path) and sign members.
- Default behaviour for dpkg-deb's build command should be not to sign
all package members in order to not break existing package build scripts
- Modify the autobuilders and existing developer scripts ("debsign") so
that they call dpkg-deb to sign the packages additionally to signing the
- (optional) Modify apt to download packages to an "untrusted" directory,
check a package's signatures and then move the package to the regular
apt cache directory. Signature verification can take place while other
packages are still being downloaded in order to minimize the performance
hit introduced by signed packages.
- (after two releases) Modify dpkg-deb so that it creates the names for
signature files by appending ".s" rather than prepending "_s" -- All
older dpkg versions which throw an error should have been phased out by
- (after four releases, optional) Drop support for the transitional member
names in dpkg-deb.
Step 2: Allow addition/removal of members in .deb archives
In order for automatic insertion of translated texts into ready .deb
archives to work, dpkg-deb needs to support adding and removing of members,
together with their signatures.
- Add commands to dpkg-deb to add, remove and extract individual member
files. It may be a good idea to have dpkg-deb arrange the signatures
behind the files they were created for in order to speed up processing.
Step 3: Translations
Translations are added inside special member archives which have their name
derived from control.tar.gz by a) prepending "_t" during the transitional
period and b) appending their locale name to the first component
("control"), separated by a dash. If the resulting name exceeds
sizeof(ar_name) bytes, the first component is shortened accordingly (but
never the locale name):
Locale Transition name Final name
de _tcont-de.tar.gz contro-de.tar.gz
de_AT _tc-de_AT.tar.gz con-de_AT.tar.gz
Note: Since the member names start to get rather meaningless that way, it
might be a good idea to replace the .tar.gz by .tgz (See the transition
The translation archive can contain a "control" and a "templates" file.
These files have much the same format as the corresponding files from the
control.tar.gz file but with the exception that they contain only the
identifiers ("Package: xyz" for "control" and "Template: foo/bar" for
"templates") and the translated "Description-ll_CC:" field. These files are
merged by dpkg-deb when extracting the package.
- You can specify translations for the package description and templates
inside a .deb archive.
- It is possible to add, modify and remove these translations without
- Due to the small size of these files, they will compress badly.
- Modify dpkg-deb to extract the additional files to temporary locations
and merge them into the main "control" and "templates" files afterwards.
- Modify dpkg-deb to split the "control" and "templates" files when
building packages. This allows a maintainer to provide translations in
the package for him/herself.
- Add the necessary hooks into katie so that .deb files can be processed
before copying them into the FTP tree and can be reprocessed later (if
the translation database changes).
- Write a script that generates the localized control archives and adds
them into the .deb file (not replacing existing control archives, so a
maintainer can override translations from the database).
- (after two releases) Make the "final" file names the default in
- (after four releases, optional) Drop support for the transitional file