Re: Revival of the signed debs discussion
John Goerzen <firstname.lastname@example.org> writes:
> On Mon, Dec 01, 2003 at 03:30:58PM +0100, Thomas Viehmann wrote:
> > However: As "md5sum my.deb ; ar q my.deb _deb_signature ; ar d my.deb
> > _deb_signature ; md5sum my.deb" gives two different lines, I'd think
> > signing the individual members of the deb, not the deb in itself is
> Please check out the debsigs package. I wrote it when I worked at
> Progeny back in 2001, and Branden Robinson maintains it these days. It
> does exactly that.
I was looking for this but looked for the wrong name. Someone
mentioned it on IRC but couldn't give details.

debsigs seems to create a 72-byte signature + 60-byte overhead for the
ar header (132 bytes total). With that little size increase I would
even suggest having 3 signatures: 1. buildd, 2. uploader, 3. dinstall.

Too bad that way we don't include some info about the build
environment. Maybe a _buildinfo file could be added to the ar for
that. But that's another discussion.

PS: Does debsigs just sign the control and data file or all files in
the ar? What if we add some more files at some point (like a