
Re: md5sums files

On Wed, Mar 03, 2010 at 04:20:36PM -0500, Michael Gilbert wrote:
> On Wed, 03 Mar 2010 21:58:11 +0100, Frank Lin PIAT wrote:
> > Signed debs may introduce a fake sense of security (Only apt repository
> > provide security updates). By signing packages, user may assume that a
> > package is safe when it isn't.
> it should actually be possible to do this securely.  dpkg could be
> made to work like apt where it only blindly trusts packages signed
> by keys in /etc/apt/trusted.gpg.  the downfall is that there is nothing
> stopping the user from adding additional (potentially less than
> trustworthy keys), but that isn't really solvable without destroying
> freedom, and it isn't any different from the current state for apt.

Completely agreed. Also, because playing around is always more fun than
just talking, I've attached a script that signs/verifies binary
packages. Dpkg doesn't seem to mind the extra files.

This script signs each file in the package individually, but it could 
also concatenate them all alphabetically and create just one signature.


#!/bin/sh
# debsign: sign or verify every member of a Debian binary package (an ar
# archive) with a detached GnuPG signature stored alongside it as <member>.sig

usage() {
    cat <<EOF
Usage: debsign -s|-v <debfile>
Sign or verify Debian packages

  -s  sign
  -v  verify
EOF
}

# Sign one member: gpg reads it from stdin, the detached signature is written
# to ${SIG} in the temp dir, then added to the archive under its basename.
sign() {
    echo "signing ${DEB}:${FILE}"
    ar p "${DEB}" "${FILE}" | gpg --detach-sign --output "${SIG}" - && \
    ar r "${DEB}" "${SIG}"
}

# Verify one member: extract its .sig to the temp dir and check it against
# the member contents streamed on stdin.
verify() {
    echo "verifying signature of ${DEB}:${FILE}"
    ar p "${DEB}" "${FILE}.sig" > "${SIG}" && \
    ar p "${DEB}" "${FILE}" | gpg --verify "${SIG}" -
}

[ $# -eq 2 ] || { usage >&2; exit 1; }

case "$1" in
    -s) OP="sign";;
    -v) OP="verify";;
    *)  usage >&2; exit 1;;
esac

DEB="$2"   # package to operate on

[ -f "${DEB}" ] || { printf "%s\n" "${DEB} not found" >&2; exit 1; }

TMPDIR=`mktemp -d --tmpdir debsign.XXXXXXXXXX`

# Walk the archive members, skipping signatures themselves; the loop runs in
# a subshell, so "exit 1" there surfaces as the pipeline status captured in RC.
ar t "${DEB}" | while read FILE; do
    [ "${FILE##*.}" != "sig" ] || continue
    SIG="${TMPDIR}/${FILE}.sig"
    ${OP} || exit 1
done
RC=$?

rm "${TMPDIR}"/* 2>/dev/null
rmdir "${TMPDIR}" 2>/dev/null

if [ ${RC} -eq 0 ]; then
    echo "OK"
else
    echo "Failed"
fi

exit ${RC}   # top-level script code: exit, not return
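The single-signature variant mentioned above (one signature over all members in sorted order rather than one per file), as an added Python example that is not part of the posted script: it parses the .deb's ar container directly and produces the manifest text that would be piped to gpg --detach-sign; the sample archive and its member contents are constructed inline, and the gpg step itself is left out.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def ar_members(blob):
    """Parse a common-format ar archive (the container a .deb uses) into an
    ordered list of (name, data) pairs: 60-byte headers, 2-byte alignment."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[0:16].decode("ascii").rstrip(" /")  # "foo/   " -> "foo"
        size = int(hdr[48:58].decode("ascii"))
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated ar member")
        members.append((name, data))
        pos += 60 + size + (size & 1)  # odd-sized members are padded
    return members

def ar_build(members):
    """Write an ar archive; used here only to construct the sample package."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        hdr = "%-16s%-12d%-6d%-6d%-8s%-10d" % (name, 0, 0, 0, "100644", len(data))
        out += hdr.encode("ascii") + b"`\n" + data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)

def manifest(blob):
    """Text one detached signature would cover: sha256 of every member that is
    not itself a signature, in sorted name order. One signature over all
    members also binds the member set, which per-file signatures do not."""
    lines = []
    for name, data in sorted(ar_members(blob)):
        if not name.endswith(".sig"):
            lines.append("%s  %s\n" % (hashlib.sha256(data).hexdigest(), name))
    return "".join(lines)

def verify_manifest(blob, signed_manifest):
    """Recompute and compare; checking the detached signature over
    signed_manifest is the step left to gpg --verify."""
    return manifest(blob) == signed_manifest

# Constructed sample .deb-like archive; member contents are placeholders.
SAMPLE_DEB = ar_build([("debian-binary", b"2.0\n"),
                       ("control.tar.gz", b"constructed control bytes"),
                       ("data.tar.gz", b"constructed data bytes")])
```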