
Signing binary packages


[please cc me]

I've played a bit with gpg, ar and dpkg, and this seems to be
a good way to sign binary packages. I can't code C, else I'd have made
a patch to dpkg-deb. I've tested this with gpg as crypto-tool and
xfree86-common as guinea-pig.

------- dpkg-sign

#!/bin/sh
# Signing and verifying of binary debian packages.
# According to deb(5), members of the ar-archive after data.tar.gz
# must be ignored if a tool doesn't know how to handle them, so adding
# a signature there should be no problem.

GPG_SIGN="gpg -b"
GPG_VRFY="gpg --verify"

action=$1; shift

case $action in
    -s|--sign)
        for archive in "$@"; do
            # ar seems to have the urge to change the tags _in_ the
            # package, so let it mess around before gpg (no, 'S' doesn't help
            # either). It's a kludge, I know.
            ar s "$archive"
            # detached signature over the whole archive as it is now
            $GPG_SIGN "$archive" || continue
            mv -f "$archive.sig" signature
            # append it as the last member, i.e. after data.tar.gz
            ar q "$archive" signature
            rm -f signature
            echo "$archive has been signed."
        done
        ;;
    -v|--verify)
        for archive in "$@"; do
            # pull the signature out, then verify against a copy with it removed
            ar x "$archive" signature
            cp -f "$archive" "$archive.tmp"
            ar d "$archive.tmp" signature
            $GPG_VRFY signature "$archive.tmp" || invalid_signature=found
            rm -f "$archive.tmp" signature
            [ "$invalid_signature" = "found" ] && exit 1
        done
        ;;
    *)
        echo "$0: Signing and verifying debian binary packages"
        echo "Invocation: $0 (-s|-v|-h|--sign|--verify|--help) {<archive>}"
        echo "-s --sign	Sign all <archive>"
        echo "-v --verify	Verify the signatures of <archive>"
        echo "-h --help	Display this message"
        ;;
esac
------- dpkg-sign
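An added example, not code from the original post or from dpkg, written in Python rather than shell so it runs without ar or gpg: it parses the ar container a .deb is built from, appends a trailing "signature" member the way `ar q` does, and for verification splits the archive at that member, so the exact bytes that were signed are recovered instead of relying on `ar d` to rebuild them byte-for-byte. The `check` callback in verify_package is an assumption standing in for `gpg --verify`, and the sample package in build_sample is constructed, not a real .deb.

```python
AR_MAGIC = b"!<arch>\n"
HDR = 60  # every member starts with a fixed 60-byte ASCII header

def ar_header(name: bytes, size: int) -> bytes:
    """Build the 60-byte member header (common ar format, as deb(5) uses)."""
    hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, b"100644", size)
    assert len(name) <= 16 and len(hdr) == HDR
    return hdr

def ar_members(blob: bytes):
    """Yield (name, header_offset, data) per member; raise on corruption."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    off = len(AR_MAGIC)
    while off < len(blob):
        hdr = blob[off:off + HDR]
        if len(hdr) < HDR or hdr[58:60] != b"`\n":
            raise ValueError("truncated or corrupt member header at %d" % off)
        name = hdr[0:16].rstrip(b" /")   # GNU ar may terminate names with '/'
        size = int(hdr[48:58].decode().strip())
        data = blob[off + HDR:off + HDR + size]
        if len(data) != size:
            raise ValueError("member %r is truncated" % name)
        yield name, off, data
        off += HDR + size + (size & 1)    # odd-sized members get one pad byte

def append_member(blob: bytes, name: bytes, data: bytes) -> bytes:
    """Append a member the way 'ar q' does, padding odd sizes to keep alignment."""
    list(ar_members(blob))               # refuse to extend a corrupt archive
    return blob + ar_header(name, len(data)) + data + (b"\n" if len(data) & 1 else b"")

def split_signature(blob: bytes, member: bytes = b"signature"):
    """Return (signed_bytes, signature): the signature covers everything before its member."""
    for name, off, data in ar_members(blob):
        if name == member:
            return blob[:off], data
    raise ValueError("no %r member found" % member)

def verify_package(blob: bytes, check) -> bool:
    """check(signed_bytes, signature) is a hypothetical hook, e.g. wrapping 'gpg --verify'."""
    signed, sig = split_signature(blob)
    return check(signed, sig)

def build_sample():
    """Constructed stand-in for a .deb: three members, then a fake signature appended."""
    pkg = AR_MAGIC
    for name, data in ((b"debian-binary", b"2.0\n"), (b"control.tar.gz", b"ctrl"), (b"data.tar.gz", b"data!")):
        pkg = append_member(pkg, name, data)
    return pkg, append_member(pkg, b"signature", b"fake-sig")
```

A tool that does not know the "signature" member still reads the first three members unchanged, which is exactly the deb(5) property the post's script relies on.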

I'd like to see such a thing in debian, if only to be able to know
for sure that the archives didn't get messed up by
transmission/on the server.

PS: Any ideas how people could get a reliable chain of trust to
every debian developer easily?

Hardware, n.:
        The parts of a computer system that can be kicked.
