Signing binary packages
Hello
[please cc me]
I've played a bit with gpg, ar and dpkg, and this seems to be
a good way to sign binary packages. I can't code C, otherwise I'd have made
a patch to dpkg-deb. I've tested this with gpg as the crypto tool and
xfree86-common as the guinea pig.
------- dpkg-sign
#!/bin/bash
# Signing and verifying of binary Debian packages.
#
# According to deb(5), members of the ar archive after data.tar.gz
# must be ignored if a tool doesn't know how to handle them, so adding
# a signature there should be no problem.
#
# The signature covers the package with the "signature" member removed;
# verifying rebuilds that unsigned package and checks it with gpg.
set -u
GPG_SIGN="gpg -b"
GPG_VRFY="gpg --verify"

# Scratch directory, so the "signature" file never lands in (or clobbers
# something in) the current directory. Removed on exit.
tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT

usage() {
    echo "$0: Signing and verifying Debian binary packages"
    echo "Invocation: $0 (-s|-v|-h|--sign|--verify|--help) {<archive>}"
    echo "-s --sign    Sign all <archive>"
    echo "-v --verify  Verify the signatures of <archive>"
    echo "-h --help    Display this message"
}

action=${1:---help}
[ $# -gt 0 ] && shift
case $action in
--sign|-s)
    for archive in "$@"
    do
        # ar seems to have the urge to change the tags _in_ the
        # package, so let it mess around before gpg (no, 'S' doesn't help
        # either). It's a kludge, I know.
        ar s "$archive"
        # Detached binary signature over the (still unsigned) package.
        $GPG_SIGN -o "$tmp/signature" "$archive" || continue
        # ar stores the member under the file's basename, i.e. "signature".
        ar q "$archive" "$tmp/signature" || continue
        rm -f "$tmp/signature"
        echo "$archive has been signed."
    done
    ;;
--verify|-v)
    for archive in "$@"
    do
        # 'ar p' writes the member to stdout, so nothing from an untrusted
        # package is extracted into the working directory. A package with
        # no "signature" member fails here.
        ar p "$archive" signature > "$tmp/signature" || exit 1
        # Rebuild the package exactly as it was when it was signed.
        cp -f "$archive" "$tmp/unsigned.deb"
        ar d "$tmp/unsigned.deb" signature || exit 1
        # gpg exits 0 for any good signature made by a key in the keyring,
        # trusted or not: this proves the package was not altered since
        # that key signed it, not that the key belongs to a developer.
        $GPG_VRFY "$tmp/signature" "$tmp/unsigned.deb" || exit 1
        rm -f "$tmp/signature" "$tmp/unsigned.deb"
    done
    ;;
--help|-h)
    usage
    ;;
*)
    usage >&2
    exit 2
    ;;
esac
------- dpkg-sign
I'd like to see such a thing in Debian, if only to be able to know
for sure that the archives didn't get messed up by
transmission/on the server.
PS: Any ideas on how people could get a reliable chain of trust to
every Debian developer easily?
--
Hardware, n.:
The parts of a computer system that can be kicked.
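The same scheme as an added example, not part of the original post and not Debian's own tooling: a Python script that handles the ar(5) container of the .deb itself instead of going through `ar`. Because the signature member is appended after data.tar.gz and stripped again by slicing off the prefix, the unsigned bytes are recovered exactly and nothing ever rewrites the other member headers, which sidesteps the `ar s` kludge in the posted script. The member name `signature` is taken from the post; the gpg calls use `--detach-sign`/`--verify` as the post's `gpg -b`/`gpg --verify` do. The `digest_sign`/`digest_verify` pair is a stand-in used only for the offline self-test: it exercises the member handling but is not a signature and proves nothing about who produced it.

```python
"""Added example (not from the original post): append a detached signature to
a .deb as a trailing ar member and strip it again byte-exactly for verification,
without letting ar rewrite the other member headers."""
import hashlib
import os
import subprocess
import tempfile

AR_MAGIC = b"!<arch>\n"
SIG_MEMBER = b"signature"          # member name used by the posted dpkg-sign


def ar_header(name, data, mtime=0):
    """60-byte member header in the common ar format (names up to 16 bytes)."""
    if len(name) > 16:
        raise ValueError("member name too long for the common ar format")
    return (name.ljust(16) + str(mtime).encode().ljust(12)
            + b"0".ljust(6) + b"0".ljust(6) + b"100644".ljust(8)
            + str(len(data)).encode().ljust(10) + b"`\n")


def ar_pad(data):
    """Member bodies start on even offsets; odd-sized ones get a newline pad."""
    return data + (b"\n" if len(data) & 1 else b"")


def ar_members(blob):
    """Yield (name, header_offset, body) for every member, validating layout."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) != 60 or hdr[58:60] != b"`\n":
            raise ValueError("corrupt member header at offset %d" % pos)
        name = hdr[0:16].rstrip()
        if len(name) > 1 and name.endswith(b"/"):   # GNU ar writes "name/"
            name = name[:-1]
        size = int(hdr[48:58].decode("ascii").strip())
        body = blob[pos + 60:pos + 60 + size]
        if len(body) != size:
            raise ValueError("truncated member %r" % name)
        yield name, pos, body
        pos += 60 + size + (size & 1)


def add_signature_member(blob, sig):
    """Append the detached signature after data.tar.gz, where deb(5) lets
    unaware tools ignore it. The original bytes are left untouched."""
    if any(name == SIG_MEMBER for name, _, _ in ar_members(blob)):
        raise ValueError("archive already carries a signature member")
    return blob + ar_header(SIG_MEMBER, sig) + ar_pad(sig)


def strip_signature_member(blob):
    """Return (unsigned_archive, signature). The signature must be the last
    member, so the unsigned archive is exactly the prefix before its header;
    anything appended after the signature makes verification fail."""
    members = list(ar_members(blob))
    if not members or members[-1][0] != SIG_MEMBER:
        raise ValueError("no trailing signature member")
    _, offset, sig = members[-1]
    return blob[:offset], sig


def gpg_detach_sign(data):
    """Detached binary signature from the gpg CLI (the post's `gpg -b`)."""
    return subprocess.run(["gpg", "--batch", "--detach-sign", "--output", "-"],
                          input=data, check=True, stdout=subprocess.PIPE).stdout


def gpg_verify(data, sig):
    """`gpg --verify` over temp files. Exit status 0 means a good signature
    by some key in the keyring, trusted or not; key trust is a separate check."""
    with tempfile.TemporaryDirectory() as d:
        datafile, sigfile = os.path.join(d, "pkg.deb"), os.path.join(d, "pkg.sig")
        with open(datafile, "wb") as f:
            f.write(data)
        with open(sigfile, "wb") as f:
            f.write(sig)
        return subprocess.run(["gpg", "--batch", "--verify", sigfile,
                               datafile]).returncode == 0


def sign_archive(blob, signer=gpg_detach_sign):
    return add_signature_member(blob, signer(blob))


def verify_archive(blob, verifier=gpg_verify):
    unsigned, sig = strip_signature_member(blob)
    return verifier(unsigned, sig)


def make_sample_deb():
    """Constructed sample: the three members deb(5) requires, dummy bodies."""
    blob = AR_MAGIC
    for name, body in ((b"debian-binary", b"2.0\n"),
                       (b"control.tar.gz", b"<control>"),
                       (b"data.tar.gz", b"<data>")):
        blob += ar_header(name, body) + ar_pad(body)
    return blob


def digest_sign(data):
    """Offline self-test stand-in only: a digest is NOT a signature."""
    return hashlib.sha256(data).digest()


def digest_verify(data, sig):
    return hashlib.sha256(data).digest() == sig
```

Usage with real keys is `sign_archive(open(path, "rb").read())` and `verify_archive(...)`, which shell out to gpg; the self-test below runs with the digest stand-in so it needs no keyring. A package that already carries a `signature` member is refused rather than double-signed, and a member appended after the signature is rejected instead of silently ignored, since the signed prefix would otherwise no longer describe the whole file.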