
Re: dpkg-sig: sign binary debian archive files

* Ben Collins (bcollins@debian.org) [031227 17:10]:
> On Sat, Dec 27, 2003 at 09:49:33AM +0100, Andreas Barth wrote:
> > we discussed here and elsewhere signatures on binary debian archive
> > files. dpkg-sig is capable of creating and verifying these signatures.
> > It has been uploaded to the archive, but due to the current
> > non-processing of NEW it'll take some time till it is available.
> > 
> > The latest development version is always available at
> > deb http://dpkg-sig.turmzimmer.net/dpkg-sig/ ./
> > deb-src http://dpkg-sig.turmzimmer.net/dpkg-sig/ ./

> What's the difference between this and the tools that already existed?

This tool signs binary debian archive files (i.e. *.deb), and not
.changes and .dsc-files. So, there's only one existing tool at the
moment, debsigs.

Changes to debsigs:
- binary deb archive files are still binary deb archive files after
  signing (and that means e.g. that the apt-utils won't fail; the
  archive site above was created with only tools in woody, except
- "remote signatures" are possible without transferring the whole deb
  (but with transferring all important data to the local side where
  also the key resides) (from the protocol point of view; not
  implemented at the moment)
- Each signature signs everything in the deb, including optional parts
  (that might be important in a later deb version).

Looking at the implementation differences, there are more:
- Same parameters for keys as debsign (the tool for signatures on
  changes and dsc-files), so maintainers need not learn new syntax.
- Could also verify signatures
- Written in a less complex way than debsigs.

Before the final decision for a new package, I IRCed with Overfiend
(maintainer of debsigs), and there is of course also an ITP.

   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C
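The two properties the message above claims for dpkg-sig (a signed .deb is still a valid ar archive, and each signature covers every member of the deb) can be checked with a few lines of Python. The example below is an added illustration and is not dpkg-sig's own code: it builds a constructed, minimal .deb in memory, appends a signature member, and verifies both that the result still parses as a deb and that the signature covers all non-signature members. The member name `_gpgbuilder` and the use of a bare SHA-256 digest in place of an OpenPGP signature are assumptions made for the illustration.

```python
import hashlib
import io
import struct
import tarfile

AR_MAGIC = b"!<arch>\n"
AR_HEADER_LEN = 60


def ar_member(name: bytes, data: bytes, mtime: int = 0) -> bytes:
    """Encode one ar member: a 60-byte text header, the data, then padding to an even length."""
    if len(name) > 16:
        raise ValueError("ar member names are limited to 16 bytes")
    header = (
        name.ljust(16)
        + str(mtime).encode().ljust(12)
        + b"0".ljust(6)                     # uid
        + b"0".ljust(6)                     # gid
        + b"100644".ljust(8)                # mode
        + str(len(data)).encode().ljust(10)
        + b"`\n"                            # header terminator
    )
    padding = b"\n" if len(data) % 2 else b""
    return header + data + padding


def ar_members(blob: bytes):
    """Parse an ar archive into (name, data) pairs; raise on anything malformed."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    members = []
    while pos < len(blob):
        header = blob[pos:pos + AR_HEADER_LEN]
        if len(header) < AR_HEADER_LEN or header[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = header[0:16].rstrip(b" /")   # strip padding and a GNU-style trailing slash
        size = int(header[48:58].strip())
        data = blob[pos + AR_HEADER_LEN:pos + AR_HEADER_LEN + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        members.append((name, data))
        pos += AR_HEADER_LEN + size + (size % 2)
    return members


def make_tar(files: dict) -> bytes:
    """Build a small gzip-compressed tar from a {path: bytes} mapping (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def make_deb() -> bytes:
    """Constructed minimal .deb: debian-binary, control.tar.gz, data.tar.gz."""
    control = make_tar({"./control": b"Package: demo\nVersion: 1.0\nArchitecture: all\n"})
    data = make_tar({"./usr/share/doc/demo/README": b"constructed sample payload\n"})
    return (AR_MAGIC
            + ar_member(b"debian-binary", b"2.0\n")
            + ar_member(b"control.tar.gz", control)
            + ar_member(b"data.tar.gz", data))


def member_digest(members) -> str:
    """Hash every non-signature member (name and bytes), so optional members are covered too."""
    h = hashlib.sha256()
    for name, data in members:
        if name.startswith(b"_gpg"):
            continue                        # signature members do not sign themselves
        h.update(struct.pack(">I", len(name)) + name)
        h.update(struct.pack(">Q", len(data)) + data)
    return h.hexdigest()


def add_signature(deb: bytes, role: bytes = b"builder") -> bytes:
    """Append a signature member; the digest line stands in for a real OpenPGP signature (assumption)."""
    digest = member_digest(ar_members(deb))
    sig_body = b"Digest: SHA256 " + digest.encode() + b"\n"
    return deb + ar_member(b"_gpg" + role, sig_body)


def verify(deb: bytes) -> bool:
    """True only if the blob is still a structurally valid deb and every signature matches all members."""
    members = ar_members(deb)
    names = [n for n, _ in members]
    if not names or names[0] != b"debian-binary" or members[0][1] != b"2.0\n":
        return False
    if not any(n.startswith(b"control.tar") for n in names):
        return False
    if not any(n.startswith(b"data.tar") for n in names):
        return False
    sigs = [d for n, d in members if n.startswith(b"_gpg")]
    if not sigs:
        return False
    expected = b"Digest: SHA256 " + member_digest(members).encode() + b"\n"
    return all(s == expected for s in sigs)


if __name__ == "__main__":
    signed = add_signature(make_deb())
    print([n for n, _ in ar_members(signed)])
    print("verified:", verify(signed))
```

Because the signature is appended as one more ar member rather than wrapping the archive, tools that only read `debian-binary`, `control.tar.*` and `data.tar.*` keep working on the signed file, while any change to an existing member (or a member added later) breaks the digest and fails verification.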
