Re: dpkg-sig: sign binary debian archive files
* Ben Collins (firstname.lastname@example.org) [031227 17:10]:
> On Sat, Dec 27, 2003 at 09:49:33AM +0100, Andreas Barth wrote:
> > we discussed here and elsewhere signatures on binary debian archive
> > files. dpkg-sig is capable of creating and verifying these signatures.
> > It has been uploaded to the archive, but due to the current
> > non-processing of NEW it'll take some time till it is available.
> > The latest development version is always available at
> > deb http://dpkg-sig.turmzimmer.net/dpkg-sig/ ./
> > deb-src http://dpkg-sig.turmzimmer.net/dpkg-sig/ ./
> What's the difference between this and the tools that already existed?
This tool signs binary debian archive files (i.e. *.deb), and not
.changes and .dsc-files. So, there's only one existing tool at the
Changes to debsigs:
- binary deb archive files are still binary deb archive files after
signing (and that means e.g. that the apt-utils won't fail; the
archive site above was created with only tools in woody, except
- "remote signatures" are possible without transferring the whole deb
(but with transferring all important data to the local side where
also the key resides) (from the protocol point of view; not
implemented at the moment)
- Each signature signs everything in the deb, including optional parts
(that might be important in a later deb version).
Looking at the implementation differences, there are more:
- Same parameters for keys as debsign (the tool for signatures on
changes and dsc-files), so maintainers need not learn new syntax.
- Can also verify signatures
- Written in a less complex way than debsigs.
Before the final decision for a new package, I IRCed with Overfiend
(maintainer of debsigs), and there is of course also an ITP.
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
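The two properties argued for in the message above (a signed .deb is still an ordinary ar archive, and each signature covers every member, optional ones included) can be shown with a small self-contained model. This is an added example, not dpkg-sig's or debsigs' code: it assumes a signature member named `_gpg<role>` (dpkg-sig-style; treat the name as an assumption), uses an HMAC with a constructed key as a stand-in for the OpenPGP signature, and fakes the control/data tarballs with constructed bytes. The ar framing itself (60-byte headers, even-length padding) is the real format that dpkg-deb and apt-utils read.

```python
"""Sign a .deb by appending an ar member; verify that everything before it is covered.
Added illustration, not dpkg-sig's implementation."""
import hashlib
import hmac

AR_MAGIC = b"!<arch>\n"
SIG_PREFIX = b"_gpg"          # assumption: dpkg-sig-style member name "_gpg<role>"
DEMO_KEY = b"constructed-demo-key-not-a-real-gpg-key"  # HMAC stands in for the OpenPGP signature


def ar_header(name, size):
    """Build the 60-byte ar member header (deb style: mtime/uid/gid 0, mode 100644)."""
    fields = [name.ljust(16), b"0".ljust(12), b"0".ljust(6), b"0".ljust(6),
              b"100644".ljust(8), str(size).encode().ljust(10), b"`\n"]
    hdr = b"".join(fields)
    if len(hdr) != 60:
        raise ValueError("member name too long for ar header")
    return hdr


def ar_pack(members):
    """Serialise [(name, data), ...] as an ar archive; odd-sized members get a '\\n' pad byte."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += ar_header(name, len(data)) + data
        if len(data) % 2:
            out += b"\n"
    return bytes(out)


def ar_unpack(blob):
    """Parse an ar archive back into [(name, data), ...]; rejects truncated or garbled input."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header at offset %d" % pos)
        name = hdr[0:16].rstrip(b" ")
        size = int(hdr[48:58])
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        members.append((name, data))
        pos += 60 + size + (size % 2)
    return members


def build_manifest(members):
    """One line per member: name, size, sha256. Covers every member, optional ones included."""
    lines = [b"%s %d %s" % (name, len(data), hashlib.sha256(data).hexdigest().encode())
             for name, data in members]
    return b"\n".join(lines) + b"\n"


def sign_deb(blob, key, role=b"builder"):
    """Append a signature member covering all members that precede it. The result is
    still a plain ar archive, so tools that know nothing about signatures keep working."""
    members = ar_unpack(blob)
    manifest = build_manifest(members)
    mac = hmac.new(key, manifest, hashlib.sha256).hexdigest().encode()
    members.append((SIG_PREFIX + role, manifest + b"--\n" + mac + b"\n"))
    return ar_pack(members)


def verify_deb(blob, key, role=b"builder"):
    """True iff a signature member for `role` exists, its MAC checks out, its manifest
    matches the members preceding it, and only further signature members follow it."""
    members = ar_unpack(blob)
    for i, (name, data) in enumerate(members):
        if name != SIG_PREFIX + role:
            continue
        manifest, sep, tail = data.partition(b"--\n")
        if not sep:
            return False
        expected = hmac.new(key, manifest, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tail.strip()):
            return False
        if manifest != build_manifest(members[:i]):
            return False
        # A non-signature member appended after the signature is unsigned: treat as tampering.
        return all(n.startswith(SIG_PREFIX) for n, _ in members[i + 1:])
    return False


def demo_deb():
    """Constructed stand-in for a .deb: the three members every deb has (tarballs are fake bytes)."""
    return ar_pack([(b"debian-binary", b"2.0\n"),
                    (b"control.tar.gz", b"<constructed control tarball>"),
                    (b"data.tar.gz", b"<constructed data tarball>\n")])


if __name__ == "__main__":
    signed = sign_deb(demo_deb(), DEMO_KEY)
    print([n for n, _ in ar_unpack(signed)])   # still parses as ar, now with _gpgbuilder
    print(verify_deb(signed, DEMO_KEY))
```

The verifier deliberately ties the manifest to the members that precede the signature and refuses anything unsigned appended after it; without that last check an attacker could add a member after signing and the archive would still "verify". Swapping the HMAC for a real detached OpenPGP signature over the manifest bytes does not change the structure.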