I want to run an unusual idea by everyone here as an approach to getting an outside signature into a packaged Java jar built from source on the Debian build machines: we want to get http://martus.org packaged and into Debian. Martus is an app that has high requirements for security, so they have a very careful build and signing process. They want to be able to include their jar signature in the jar that is included in the Debian package. We figured we could structure the build like this: 1) include the official martus.jar in the source tarball 2) after the Debian build process completes, verify that contents of the Debian generated jar matches the contents of the martus generated jar, except for timestamps 3) if that passes, then set the timestamps in the Debian generated jar to match the timestamps in the martus.jar, then copy the signing material into place in the Debian generated jar That should then result in a debian-generated jar that has the martus signature on it. If Debian Security needed to update the package to fix an urgent issue, then they could still do so. The package build process would only include the upstream signature from martus.jar if it was an exact match. The security fixed version would then result in an unsigned jar, which is standard for jars in Debian. Is this a workable solution here? .hc
Attachment:
signature.asc
Description: OpenPGP digital signature