
Re: [RFC PATCH 0/3] Including file signatures in .deb packages]



Hi!

I think perhaps you might have meant to send this to the debhelper
maintainers? Otherwise here are some comments.

On Fri, 2014-08-08 at 12:57:38 -0400, Mimi Zohar wrote:
> We're looking to include file signatures in the different package
> formats (e.g. rpm, deb) and install them as 'security.ima' extended
> attributes (xattrs).  These signatures could then be used to enforce
> local file integrity and included in the IMA measurement list to
> provide file provenance.

I have it pending to go back to the discussion about adding signatures to
the .deb files (bug #340306), hopefully before the freeze. Those
signatures should probably be stored (if at all) in the dpkg database,
as there's no guarantee the filesystem would support xattr, and this
will be done automatically as long as this stuff is shipped in a
file in the .deb control area. Also if an attacker could modify the
file they might as well be able to modify the xattrs, so I'm not sure
this adds any security. Integrity sure, but we've got md5sums already
which should be fine for that, and the «dpkg --verify» command now.

> The existing md5sums file contains the file hash and name for each file
> included in the package.  This makes it the most logical place for
> storing the file signatures, other than the hash being md5.  For now,
> this patch set assumes the existence of an equivalent sha256sums file.
> (For convenience, I've duplicated the dh_md5sums helper naming it
> dh_sha256sums.)

If such a new command is desirable, I'd go instead for something like
dh_checksums or similar so that it does not need to change every time
a different algo is added or switched to.

Thanks,
Guillem
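
An added illustration of the algorithm-independent approach suggested in the message above (not code from debhelper, dpkg, or the patch set): one verifier that picks the hash from the checksum file's name, so md5sums and an assumed sha256sums are handled by the same code. The function names and the sample tree are constructed for this example.

```python
import hashlib
import os
import re
import tempfile

# Layout assumed for every "<algo>sums" file: "<hex digest>  <relative path>"
# per line, as in md5sums. A sha256sums file is an assumption, as in the RFC.
SUMS_NAME = re.compile(r"^([a-z0-9]+)sums$")

def verify_sums(sums_path, root):
    """Check files under root; return {path: 'ok' | 'modified' | 'missing'}."""
    m = SUMS_NAME.match(os.path.basename(sums_path))
    if not m or m.group(1) not in hashlib.algorithms_guaranteed:
        raise ValueError("unsupported checksum file: " + sums_path)
    algo, results = m.group(1), {}
    with open(sums_path, encoding="utf-8") as fh:
        for line in filter(None, (l.rstrip("\n") for l in fh)):
            digest, _, rel = line.partition("  ")
            target = os.path.join(root, rel)
            if not os.path.isfile(target):
                results[rel] = "missing"
                continue
            h = hashlib.new(algo)
            with open(target, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            results[rel] = "ok" if h.hexdigest() == digest.lower() else "modified"
    return results

def demo():
    """Constructed sample tree, checked with md5sums and with sha256sums."""
    files = {"usr/bin/tool": b"#!/bin/sh\n", "etc/tool.conf": b"x=1\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        for algo in ("md5", "sha256"):
            with open(os.path.join(tmp, algo + "sums"), "w") as f:
                for rel, data in files.items():
                    f.write(hashlib.new(algo, data).hexdigest() + "  " + rel + "\n")
        with open(os.path.join(tmp, "etc/tool.conf"), "ab") as f:
            f.write(b"y=2\n")  # simulate a local modification after install
        return {a: verify_sums(os.path.join(tmp, a + "sums"), tmp)
                for a in ("md5", "sha256")}

if __name__ == "__main__":
    print(demo())
```

The checksum file here is unsigned, so this detects accidental or unprivileged changes only; anyone able to rewrite both the file and its entry passes the check.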

