
Debian packages signed?



I recently had a discussion regarding Debian package signing and
automatically downloading & checking package signatures (i.e. using
debsig-verify).

However, I see now that the default /etc/dpkg/dpkg.conf ships with
"no-debsig", and users are not currently (correct me if this is wrong)
checking signatures in any way.

Since developers' signatures cannot be used (they get stripped off after
uploading, and using them would require having the keyring always
up to date), is there any way we can provide package signing? What does
debsig currently do (if anything)?

In a discussion among some Debian developers regarding how a package
signing scheme could work in Debian, we came up with the following
(due to the problem of the updated keyring above):

1.- Packages.gz, which contains the md5sums of packages, is signed
(we already do this, but through the Release file, which includes
the md5sums of many files, including Packages.gz, but is not
that direct). The signature is one that is permanently on the
keyring and has been for some time; it could be that of a
person in Debian (a developer for quite some time, the Project Leader, you name
it) or of a group (QA?).

2.- This signed Packages.gz is downloaded by 'apt-get update'
and stored on the hard disk along with Packages.gz.

3.- When a package is going to be installed, it is first downloaded
and its md5sum generated.

4.- The Packages.gz.gpg is checked (signature OK) and the md5sum for
the downloaded package is extracted from it (this avoids tampering with files
on the local system).

5.- If we have the same md5sum, install; otherwise warn and leave it in the cache
(so the user can install w/o signatures). If the package is not in the
Packages.gz and the user wants signatures, warn and do not install either.

	Does this scheme seem possible? How far is it from what
debsig-verify intends to do?

	(I would appreciate input here since this is an issue I would like to
document clearly, including a roadmap in the "Securing Debian Manual".)

	Regards

	Javi



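The five-step scheme in the message above, as an added worked example that is not part of the original post and is not code from debsig-verify or apt. It verifies the detached signature over the Packages index first and only then reads the expected md5sum out of those verified bytes, then compares it with the downloaded .deb, returning one of the outcomes step 5 describes. Assumptions made to keep it runnable offline: a freshly generated Ed25519 key stands in for the long-lived OpenPGP archive key in the keyring, and the Ed25519 signature stands in for Packages.gz.gpg (so no gpg is needed); the index stanza, the .deb contents and the file names foo_1.0_i386.deb and bar_2.0_i386.deb are constructed sample data. The Filename and MD5sum field names are the ones a real Packages file uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Decision is the outcome of step 5 for one downloaded .deb.
type Decision int

const (
	Install           Decision = iota // md5sum from the signed index matches
	BadIndexSignature                 // step 4 failed: trust nothing in the index
	NotInIndex                        // not listed in the signed index: warn, do not install
	ChecksumMismatch                  // md5sum differs: warn, leave the .deb in the cache
)

func (d Decision) String() string {
	return [...]string{"install", "refuse: index signature invalid",
		"refuse: not in signed index", "warn: md5sum mismatch, left in cache"}[d]
}

// parsePackages reads a Packages index (RFC822-style stanzas separated by blank
// lines) and returns Filename -> MD5sum, the only two fields the scheme needs.
func parsePackages(index []byte) map[string]string {
	sums := map[string]string{}
	for _, stanza := range strings.Split(string(index), "\n\n") {
		fields := map[string]string{}
		for _, line := range strings.Split(stanza, "\n") {
			if strings.HasPrefix(line, " ") {
				continue // continuation of a multi-line field such as Description
			}
			if key, val, ok := strings.Cut(line, ":"); ok {
				fields[key] = strings.TrimSpace(val)
			}
		}
		if f, s := fields["Filename"], fields["MD5sum"]; f != "" && s != "" {
			sums[f] = strings.ToLower(s)
		}
	}
	return sums
}

// checkPackage is steps 3-5: verify the signature over the index bytes first,
// and only then read the expected md5sum out of those verified bytes.
func checkPackage(pub ed25519.PublicKey, index, sig []byte, filename string, deb []byte) Decision {
	if !ed25519.Verify(pub, index, sig) {
		return BadIndexSignature
	}
	want, ok := parsePackages(index)[filename]
	if !ok {
		return NotInIndex
	}
	if sum := md5.Sum(deb); hex.EncodeToString(sum[:]) != want {
		return ChecksumMismatch
	}
	return Install
}

// indexFor writes a one-stanza Packages index for a constructed sample file.
func indexFor(filename string, deb []byte) []byte {
	sum := md5.Sum(deb)
	return []byte(fmt.Sprintf("Package: foo\nFilename: %s\nMD5sum: %s\n\n", filename, hex.EncodeToString(sum[:])))
}

// runScenarios signs a constructed index with a fresh archive key (assumption:
// Ed25519 in place of OpenPGP) and exercises all four outcomes. The .deb
// bodies are made-up bytes, not real ar archives.
func runScenarios() (map[string]Decision, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	const fooDeb = "pool/main/f/foo_1.0_i386.deb"
	good := []byte("!<arch>\nconstructed sample payload for foo 1.0\n")
	index := indexFor(fooDeb, good)
	sig := ed25519.Sign(priv, index) // plays the role of Packages.gz.gpg
	tampered := append([]byte(nil), good...)
	tampered[len(tampered)-2] ^= 0x01 // .deb modified in transit or on a mirror
	// A mirror can also rewrite the index so the modified file's md5sum "matches",
	// but it cannot produce a valid signature for the new bytes.
	evilIndex := indexFor(fooDeb, tampered)
	return map[string]Decision{
		"genuine":         checkPackage(pub, index, sig, fooDeb, good),
		"tampered deb":    checkPackage(pub, index, sig, fooDeb, tampered),
		"unknown package": checkPackage(pub, index, sig, "pool/main/b/bar_2.0_i386.deb", good),
		"tampered index":  checkPackage(pub, evilIndex, sig, fooDeb, tampered),
	}, nil
}

func main() {
	res, err := runScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println(res)
}
```

The order of checks is the point of step 4: the md5sum is taken from the index only after the signature over exactly those bytes has verified, so a locally altered Packages file or a mirror that rewrites the index to match a modified .deb is rejected as a bad signature rather than passing a checksum comparison. The function only returns a Decision; acting on it (installing, warning, keeping the file in the cache for a user who chooses to install without signatures) is left to the package manager, as in the message.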