
process to include upstream jar sig in Debian-generated jar

I want to run an unusual idea by everyone here as an approach to getting an
outside signature into a packaged Java jar built from source on the Debian
build machines: we want to get http://martus.org packaged and into Debian.
Martus is an app that has high requirements for security, so they have a very
careful build and signing process.  They want to be able to include their jar
signature in the jar that is included in the Debian package.

We figured we could structure the build like this:

1) include the official martus.jar in the source tarball
2) after the Debian build process completes, verify that the contents of the
   Debian-generated jar match the contents of the martus-generated jar, except
   for timestamps
3) if that passes, then set the timestamps in the Debian-generated jar to match
   the timestamps in the martus.jar, then copy the signing material into place
   in the Debian-generated jar

That should then result in a Debian-generated jar that has the martus
signature on it.  If Debian Security needed to update the package to fix an
urgent issue, then they could still do so.  The package build process would
only include the upstream signature from martus.jar if it was an exact match.
The security-fixed version would then result in an unsigned jar, which is
standard for jars in Debian.

Is this a workable solution here?


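Steps 2 and 3 of the proposed build, worked through as an added example; this is
not part of the original post and not Martus or Debian tooling. It assumes the
standard jarsigner layout, in which the signing material is META-INF/MANIFEST.MF
plus META-INF/<ALIAS>.SF and a matching .RSA/.DSA/.EC block, and it treats those
entries as the material to be copied across. All jar contents below (the class
bytes, the "UPSTREAM" alias, the digest and signature blobs, the timestamps) are
constructed placeholders so the script runs offline; a real run would end with
`jarsigner -verify` on the grafted jar.

```python
"""Graft an upstream jar signature onto a rebuilt jar when the contents match.

Added example for the three-step process in the post above; not Martus or
Debian code. Assumes the standard jarsigner layout: signing material is
META-INF/MANIFEST.MF plus META-INF/<ALIAS>.SF and <ALIAS>.RSA/.DSA/.EC.
"""
import io
import zipfile

SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name):
    """True for the entries jarsigner writes or rewrites (the 'signing material')."""
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    return upper == "META-INF/MANIFEST.MF" or upper.endswith(SIGNATURE_SUFFIXES)


def content_map(jar_bytes):
    """{entry name: bytes} for every file entry that is not signing material.

    Timestamps live in the zip headers, not in the returned bytes, so they are
    ignored here, which is exactly what step 2 asks for."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            result[info.filename] = zf.read(info.filename)
    return result


def contents_match(upstream_jar, rebuilt_jar):
    """Step 2: same entry names and identical bytes; timestamps and signature files excluded."""
    return content_map(upstream_jar) == content_map(rebuilt_jar)


def entry_timestamps(jar_bytes):
    """{entry name: (Y, M, D, h, m, s)} as recorded in the zip headers, in entry order."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {info.filename: info.date_time for info in zf.infolist()}


def read_entry(jar_bytes, name):
    """Raw bytes of one entry."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.read(name)


def graft_signature(upstream_jar, rebuilt_jar):
    """Step 3: rebuilt contents, upstream timestamps, upstream signing material.

    Raises ValueError when step 2 fails, so a security-patched rebuild simply
    stays unsigned instead of carrying a signature that no longer covers it.
    Entries are emitted in upstream order, which keeps MANIFEST.MF and the
    signature files at the front as JarInputStream expects."""
    if not contents_match(upstream_jar, rebuilt_jar):
        raise ValueError("rebuilt jar differs from upstream jar; not grafting signature")
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(upstream_jar)) as up, \
            zipfile.ZipFile(io.BytesIO(rebuilt_jar)) as rb, \
            zipfile.ZipFile(out, "w") as dst:
        for info in up.infolist():
            fresh = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            fresh.compress_type = info.compress_type
            fresh.external_attr = info.external_attr
            fresh.create_system = info.create_system
            if info.is_dir():
                dst.writestr(fresh, b"")
            elif is_signature_entry(info.filename):
                dst.writestr(fresh, up.read(info.filename))  # signing material from upstream
            else:
                dst.writestr(fresh, rb.read(info.filename))  # code from the Debian build
    return out.getvalue()


# --- constructed sample data (placeholders, not real Martus artifacts) -------

def build_jar(entries, date_time):
    """Build an in-memory jar giving every entry the same timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


CLASS_BYTES = b"\xca\xfe\xba\xbe" + bytes(16)  # stand-in for a compiled class
UPSTREAM_TIME = (2013, 5, 1, 12, 0, 0)          # hypothetical upstream build time
DEBIAN_TIME = (2014, 2, 9, 8, 30, 0)            # hypothetical buildd time

UPSTREAM_JAR = build_jar({  # signed by upstream; digest/signature bytes are placeholders
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\nName: org/example/Main.class\r\n"
                            b"SHA-256-Digest: (placeholder)\r\n\r\n",
    "META-INF/UPSTREAM.SF": b"Signature-Version: 1.0\r\n(placeholder .SF)\r\n",
    "META-INF/UPSTREAM.RSA": b"(placeholder PKCS#7 blob)",
    "org/example/Main.class": CLASS_BYTES,
}, UPSTREAM_TIME)

REBUILT_JAR = build_jar({  # what the Debian build emits: same code, unsigned, newer timestamps
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
    "org/example/Main.class": CLASS_BYTES,
}, DEBIAN_TIME)

PATCHED_JAR = build_jar({  # a security-fixed rebuild: one byte of the class changed
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
    "org/example/Main.class": CLASS_BYTES[:-1] + b"\x01",
}, DEBIAN_TIME)


if __name__ == "__main__":
    signed = graft_signature(UPSTREAM_JAR, REBUILT_JAR)
    print(sorted(entry_timestamps(signed).items()))
    try:
        graft_signature(UPSTREAM_JAR, PATCHED_JAR)
    except ValueError as err:
        print("patched build stays unsigned:", err)
```

One caveat the script leaves to the packager: because jarsigner rewrites
MANIFEST.MF, the example treats the whole manifest as signing material and does
not compare it, so the main attributes of the rebuilt manifest (Main-Class and
the like) should be checked against upstream's separately before the grafted
manifest replaces them. Note also that jar signatures are computed over the
uncompressed entry bytes, so the timestamp step is about producing an identical
archive, not about what the .SF file covers.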