On 19.09.14 at 06:34, Paul Wise wrote:
> On Fri, Sep 19, 2014 at 9:30 AM, Hans-Christoph Steiner wrote:
>> Finally did this: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762153
>
> Please note that your proposal to add signatures to .deb files will break
> reproducible builds because the hash of the .deb will differ depending on
> who signed it: https://wiki.debian.org/ReproducibleBuilds
>
> I think it would be far better to ship detached signatures in the archive
> since that allows for reproducible builds and also means there could be
> more than one signer (say one buildd, one Debian sponsor and one package
> maintainer).

Isn't there really any way to include the signatures in the header of the .deb files? Why not simply add multiple signature files in the control.tar.gz of a .deb, just next to the md5sums (which should indeed be a sha256sums, otherwise there is no way to establish a 'chain of trust')? That would not add any non-determinism, because if it is done right, then we can have all the signers in the package!

It would be far better than detaching the signatures from the package, because the general use case where you need package signatures is the manual download of packages. Detached signatures are completely useless for such a use case!
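As an added example (not from this thread), the following Python script builds a minimal deterministic .deb as an ar archive of debian-binary, control.tar.gz and data.tar.gz, so both sides of the argument above can be checked: a signature file placed inside control.tar.gz changes the .deb hash, while a detached signature leaves it unchanged. It also sketches a hypothetical way to keep an embedded-signature package comparable for reproducible-builds purposes, by hashing it with the signature members stripped. The package contents, the `signatures/` directory name and the signature bytes are constructed placeholders, and the ar/tar writers are simplified stand-ins, not dpkg's code.

```python
import gzip, hashlib, io, tarfile
def sha256(blob):
    return hashlib.sha256(blob).hexdigest()
# Constructed sample package; the "signatures" are placeholder bytes, not real ones.
DATA = {"usr/share/doc/demo/README": b"hello\n"}
CONTROL = {"control": b"Package: demo\nVersion: 1.0\n", "sha256sums":
           (sha256(DATA["usr/share/doc/demo/README"]) + "  usr/share/doc/demo/README\n").encode()}
SIG_BUILDD, SIG_MAINT = b"(placeholder: buildd signature)\n", b"(placeholder: maintainer signature)\n"

def tar_gz(files):
    # Deterministic tar.gz: sorted names, zero mtime/uid/gid, zero mtime in the gzip header.
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz, \
         tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.uid, info.gid = len(files[name]), 0, 0, 0
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def ar_archive(members):
    # Minimal ar writer; a .deb is an ar archive of debian-binary, control.tar.gz, data.tar.gz.
    out = b"!<arch>\n"
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")
    return out
def split_ar(blob):
    # Inverse of ar_archive: yield (name, data) for each member.
    pos = 8
    while pos < len(blob):
        name, size = blob[pos:pos + 16].decode().strip(), int(blob[pos + 48:pos + 58])
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + size % 2
def build_deb(control, data):
    return ar_archive([("debian-binary", b"2.0\n"), ("control.tar.gz", tar_gz(control)),
                       ("data.tar.gz", tar_gz(data))])

def hash_without_signatures(deb, sig_prefix="signatures/"):
    # Hypothetical check: drop control members under sig_prefix, rebuild deterministically
    # and hash the result, so two builds that differ only in who signed them compare equal.
    members = []
    for name, data in split_ar(deb):
        if name == "control.tar.gz":
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
                files = {m.name: tar.extractfile(m).read() for m in tar
                         if not m.name.startswith(sig_prefix)}
            data = tar_gz(files)
        members.append((name, data))
    return sha256(ar_archive(members))
```

A detached signature over `build_deb(CONTROL, DATA)` never touches those bytes, so its hash stays the same no matter how many signers there are, whereas any embedded signature changes it unless a check like `hash_without_signatures` is agreed on by all parties.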