Re: Revival of the signed debs discussion

[Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>]

John Goerzen <jgoerzen@complete.org> writes:

> On Mon, Dec 01, 2003 at 03:30:58PM +0100, Thomas Viehmann wrote:
> > However: As "md5sum my.deb ; ar q my.deb _deb_signature ; ar d my.deb
> > _deb_signature ; md5sum my.deb"  gives two different lines, I'd think
> > signing the individual members of the deb, not the deb in itself is
> 
> Please check out the debsigs package.  I wrote it when I worked at
> Progeny back in 2001, and Branden Robinson maintains it these days.  It
> does exactly that.

I was looking for this but looked for the wrong name. Someone
mentioned it on irc but couldn't give details.

debsigs seems to create a 72 bytes signature + 60 byte overhead for the
ar header (132 byte total). With that little size increase I would
even suggest having 3 signatures: 1. buildd, 2. uploader, 3. dinstall.

Too bad that way we don't include some info about the build
environment. Maybe an _buildinfo file could be added to the ar for
that. But thats another discussion.

MfG
        Goswin

PS: Does debsigs just sign the control and data file or all files in
the ar? What if we add some more files at some point (like a
_buildinfo)?