
Re: Revival of the signed debs discussion



Thomas Viehmann <tv@beamnet.de> writes:

> Hi.
> 
> Goswin von Brederlow wrote:
> > PS: I favour method C and would especially like some feedback on the
> > technical aspect.  Can a "_deb_signature" file be safely added to the
> > end of a deb without breaking existing tools (apt/dpkg/dinstall)?
> 
> I'd favor C, too. (And with B I'd prefer "cat *.changes" over "tar" if
> it's gonna be B...)
> 
> However: As "md5sum my.deb ; ar q my.deb _deb_signature ; ar d my.deb
> _deb_signature ; md5sum my.deb"  gives two different lines, I'd think
> signing the individual members of the deb, not the deb in itself is
> preferable (or sign a list of md5sum's or whatever). (Even if there is
> some way to restore the old deb, I'd think something like the above
> should be possible.)

I suggest making the signature an RFC 822 formatted file including some
additional information about the build environment:

======================================================================
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Origin: Debian
Build-Environment: unstable (Thu, 19 Nov 2003 17:47:49 UTC)
Date: Thu, 20 Nov 2003 20:47:49 UTC
Build-Method: buildd
Signer: m68k wouter-mrvn buildd
Trust: automatic
SHA1:
 75be134193f3a940ee5d5af250679e047d9a7d63                4 debian-binary
 711959f47ea9a0c5e6edf59586b31f9041d2ee9a            22683 control.tar.gz
 e43c8ff612f84a3075741d8bdaa55ce1e5577ea2          1354349 data.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/w2CxH8SBz+0NfPoRAmEPAJ93YiamjMGYwSRrgvNWZzm8wqjQzACeJcvc
f2q/MVNwPFxzu7GQCS0+KEE=
=ZjFs
-----END PGP SIGNATURE-----
======================================================================
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Signer: m68k wouter-mrvn admin
Trust: manual
SHA1:
 75be134193f3a940ee5d5af250679e047d9a7d63                4 debian-binary
 711959f47ea9a0c5e6edf59586b31f9041d2ee9a            22683 control.tar.gz
 e43c8ff612f84a3075741d8bdaa55ce1e5577ea2          1354349 data.tar.gz
 713e5f4413a8a030e55d1a9b56a71c00edd77ea3              632 _deb_signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/w2CxH8SBz+0NfPoRAmEPAJ93YiamjMGYwSRrgvNWZzm8wqjQzACeJcvc
f2q/MVNwPFxzu7GQCS0+KEE=
=ZjFs
-----END PGP SIGNATURE-----
======================================================================

The entries in _deb_signature should be _all_ files in the ar archive
_before_ the signature. Maintainer uploads would have just the
maintainers signature, buildd uploads would have two signatures, one
automatic from the buildd and one manual from the admin. "Signer",
"Trust" and "SHA1" fields would be mandatory. "Origin",
"Build-Environment", "Date" and "Build-Method" optional.

"Origin" is who built the deb. Default should be the person building and
only official Debian debs should have "Origin: Debian".

"Build-Environment" is the distribution installed to build this package.
Stable uploads would have "stable (3.0R2)" there, all others usually
unstable (date). This allows tracking when and how a package was built.

"Date" is the date when the package was built.

"Build-Method" is the software used to build the package. Possible
values could be buildd, pbuilder, sbuild, umlbuild, debuild,
dpkg-buildpackage, dh_builddeb, dpkg-deb.

"Signer" is the role the signer plays. For buildds it would be the
system's name, other values could be maintainer, security team, buildd
admin. This would be purely informational. Just because I claim to sign
something as "security team" doesn't mean I should be doing that.  On
the other hand all packages on security.debian.org could be required
to have a "Signer: security team" with a gpg signature of a member of
said team.

"Trust" gives information on how safely the private key is held. I can
think of automatic and manual as values. Automatic would be for any
signature done without an actual person sitting there signing and
manual for the rest.

> Lets have some experiments:
> For me (i386), slink "dpkg -i" breaks, potato "dpkg -i" (version 1.6.14)
> works with an appended _deb_signature.

That is good to know. Anyone using slink shouldn't upgrade to sarge in
one go, if such a person exists and wants to upgrade. A one step
slink-sarge update probably wouldn't work anyway.

> BTW: This is offtopic, but it seems that potato is neither in debian/
> nor in debian-archive/?

Potato was dropped pending the sarge release getting underway two or three
months ago, IIRC.

MfG
        Goswin
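
An added example, not code from this thread or from dpkg/apt, to make the
two points above concrete: Thomas's observation that "ar q" changes the
digest of the whole .deb while leaving the members alone, and Goswin's
proposed _deb_signature layout (RFC 822-style fields plus a SHA1 list of
every member that precedes the signature; a second signature also covers
the first _deb_signature member). The script below parses the ar
container, appends such a member, and checks the hash list back against
the covered members. The PGP clearsign step is left out and assumed to be
done with gpg on the body; the deb contents and the field values are
constructed placeholders, and the field set is the one proposed in the
mail (Signer and Trust mandatory).

```python
"""Member-level hash list for a .deb (ar archive), appended as `_deb_signature`.
Constructed example; the PGP clearsign/verify step is assumed to be done by gpg."""
import hashlib

AR_MAGIC = b"!<arch>\n"
MANDATORY = ("Signer", "Trust")   # the SHA1 list is mandatory too; checked separately

def ar_members(blob):
    """Parse an ar archive and return its members as [(name, data)] in file order."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, off = [], len(AR_MAGIC)
    while off < len(blob):
        hdr = blob[off:off + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % off)
        name = hdr[0:16].decode("ascii").rstrip(" ").rstrip("/")  # GNU ar appends '/'
        size = int(hdr[48:58].decode("ascii").strip())
        data = blob[off + 60:off + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        members.append((name, data))
        off += 60 + size + (size & 1)   # member bodies are padded to an even offset
    return members

def ar_append(blob, name, data, mtime=0):
    """Append one member the way 'ar q archive file' does; existing bytes are untouched."""
    if len(name) > 16:
        raise ValueError("ar member name longer than 16 bytes: %r" % name)
    hdr = "%-16s%-12d%-6d%-6d%-8s%-10d" % (name, mtime, 0, 0, "100644", len(data))
    return blob + hdr.encode("ascii") + b"`\n" + data + (b"\n" if len(data) & 1 else b"")

def signature_body(members, fields):
    """Cleartext of one signature block: RFC 822-style fields, then the SHA1 list
    of every member that precedes the signature in the archive."""
    for k in MANDATORY:
        if k not in dict(fields):
            raise ValueError("mandatory field missing: %s" % k)
    lines = ["%s: %s" % (k, v) for k, v in fields]
    lines.append("SHA1:")
    for name, data in members:
        lines.append(" %s %16d %s" % (hashlib.sha1(data).hexdigest(), len(data), name))
    return "\n".join(lines) + "\n"

def parse_signature_body(text):
    """Inverse of signature_body: returns (fields dict, [(sha1, size, name)])."""
    fields, hashes, in_list = {}, [], False
    for line in text.splitlines():
        if line == "SHA1:":
            in_list = True
        elif in_list and line.startswith(" "):
            h, size, name = line.split()
            hashes.append((h, int(size), name))
        elif ":" in line and not in_list:
            k, v = line.split(":", 1)
            fields[k.strip()] = v.strip()
        elif line.strip():
            raise ValueError("unexpected line in signature body: %r" % line)
    for k in MANDATORY:
        if k not in fields:
            raise ValueError("mandatory field missing: %s" % k)
    if not hashes:
        raise ValueError("SHA1 list missing or empty")
    return fields, hashes

def sign_deb(blob, fields):
    """Append a `_deb_signature` member covering every member already in the deb.
    (Assumed: the body would go through `gpg --clearsign` before being appended.)"""
    body = signature_body(ar_members(blob), fields)
    return ar_append(blob, "_deb_signature", body.encode("ascii"))

def verify_deb(blob):
    """Check each `_deb_signature` member against exactly the members preceding it.
    Returns the field dicts of the signatures that matched; raises on any mismatch."""
    members, verified = ar_members(blob), []
    for i, (name, data) in enumerate(members):
        if name != "_deb_signature":
            continue
        fields, listed = parse_signature_body(data.decode("ascii"))
        covered = members[:i]
        if len(listed) != len(covered):
            raise ValueError("signature lists %d members, archive has %d before it"
                             % (len(listed), len(covered)))
        for (h, size, lname), (mname, mdata) in zip(listed, covered):
            if lname != mname or size != len(mdata) or h != hashlib.sha1(mdata).hexdigest():
                raise ValueError("member %r does not match its signature entry" % mname)
        verified.append(fields)
    if not verified:
        raise ValueError("no _deb_signature member")
    return verified

def build_demo():
    """Constructed stand-in for a .deb: the three usual members with placeholder bytes
    (real control/data members are gzipped tars; the hash list only cares about bytes)."""
    deb = AR_MAGIC
    deb = ar_append(deb, "debian-binary", b"2.0\n")
    deb = ar_append(deb, "control.tar.gz", b"\x1f\x8b\x08\x00control-placeholder")
    deb = ar_append(deb, "data.tar.gz", b"\x1f\x8b\x08\x00data-placeholder")
    return deb

def demo():
    """buildd signature, then an admin signature that also covers the first one."""
    deb = build_demo()
    buildd = sign_deb(deb, [("Origin", "Debian"), ("Build-Method", "buildd"),
                            ("Signer", "m68k wouter-mrvn buildd"), ("Trust", "automatic")])
    both = sign_deb(buildd, [("Signer", "m68k wouter-mrvn admin"), ("Trust", "manual")])
    # appending changes the whole-file digest but not the member digests ...
    whole_changed = hashlib.md5(deb).hexdigest() != hashlib.md5(both).hexdigest()
    members_same = ar_members(both)[:3] == ar_members(deb)
    # ... and a one-byte change inside data.tar.gz (same length, ar stays valid) is caught
    tampered = both.replace(b"data-placeholder", b"data-placehoIder")
    try:
        verify_deb(tampered)
        caught = False
    except ValueError:
        caught = True
    return len(verify_deb(both)), whole_changed, members_same, caught

if __name__ == "__main__":
    print(demo())
```

Running it reports two verified signatures, a changed whole-file digest,
unchanged member digests, and a detected tamper. The cryptographic part is
deliberately missing: the hash list only binds the members to the
cleartext, and it is the gpg signature over that cleartext (and the
policy on which keys may claim which "Signer" role) that makes the check
worth anything.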
