Are packages built without verifying the source package signatures?
If I'm not mistaken, the automatic package build system doesn't require that
the source signature be verified correctly.
Here:
https://buildd.debian.org/status/fetch.php?pkg=gnome-shell&arch=amd64&ver=3.26.2-1&stamp=1509919343&raw=0
I have found this:
Unpack source
-------------
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/sbuild-nonexistent/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made Sun Nov 5 19:11:53 2017 UTC
gpgv: using RSA key 09B3AC2ECB169C904345CC546AE1DF0D608F22DC
gpgv: issuer "biebl@debian.org"
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./gnome-shell_3.26.2-1.dsc
dpkg-source: info: extracting gnome-shell in /<<PKGBUILDDIR>>
dpkg-source: info: unpacking gnome-shell_3.26.2.orig.tar.xz
dpkg-source: info: unpacking gnome-shell_3.26.2-1.debian.tar.xz
dpkg-source: info: applying 27-nm-libexec-path.patch
dpkg-source: info: applying workaround_crasher_fractional_scaling.patch
So it doesn't have the public key (?) and so it doesn't check the package
signature. But the package is built successfully... and signed.
If an attacker changes the source and packages it with a wrong private
key, can he have his "patch" applied to the signed binary packages?
Ciao
Davide
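As an added example (not part of Davide's message, and not dpkg-source's own code), here is a small Python checker that does the two things the build log above shows being skipped or not enforced: it verifies the .dsc's OpenPGP signature with gpgv against an explicitly supplied keyring and treats "No public key" as a hard failure instead of a warning, and it checks the SHA-256 sums the .dsc carries for the orig/debian tarballs. The keyring path is whatever you pass in (an absolute path, e.g. /usr/share/keyrings/debian-keyring.gpg from the debian-keyring package); the gpgv status tokens GOODSIG, VALIDSIG and NO_PUBKEY are gpg's documented --status-fd keywords. The sample .dsc built by make_sample() is constructed for this example, with a placeholder signature block that only exercises the cleartext parser, not a real signature.

```python
"""Check a Debian .dsc: signature (gpgv, explicit keyring) and Checksums-Sha256.

Added example, not dpkg-source. Unlike dpkg-source's default, anything other
than a good signature with a known key is reported as a failure."""
import hashlib
import os
import shutil
import subprocess
import tempfile

PGP_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG = "-----BEGIN PGP SIGNATURE-----"


def signed_body(text):
    """Return the signed payload of a cleartext-signed .dsc (RFC 4880 section 7),
    or the text unchanged when it is not signed at all."""
    if not text.startswith(PGP_BEGIN):
        return text
    _, _, rest = text.partition("\n\n")          # drop the "Hash:" armor headers
    body, _, _ = rest.partition(PGP_SIG)         # drop the signature block
    # Undo dash-escaping of payload lines that begin with "-".
    return "".join((l[2:] if l.startswith("- ") else l) + "\n"
                   for l in body.rstrip("\n").split("\n"))


def parse_checksums(body, field="Checksums-Sha256"):
    """Parse a multi-line checksum field into {filename: (hexdigest, size)}."""
    entries, in_field = {}, False
    for line in body.splitlines():
        if line.startswith(field + ":"):
            in_field = True
        elif in_field and line.startswith(" ") and line.strip():
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        elif in_field:
            in_field = False                      # next field reached
    return entries


def verify_checksums(dsc_path):
    """Compare every file listed in Checksums-Sha256 with the file on disk
    next to the .dsc. Returns a list of problems; empty means all match."""
    directory = os.path.dirname(os.path.abspath(dsc_path))
    with open(dsc_path, encoding="utf-8") as fh:
        entries = parse_checksums(signed_body(fh.read()))
    problems = [] if entries else ["no Checksums-Sha256 field"]
    for name, (digest, size) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            problems.append(f"{name}: missing")
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != size:
            problems.append(f"{name}: size {len(data)} != {size}")
        if hashlib.sha256(data).hexdigest() != digest:
            problems.append(f"{name}: sha256 mismatch")
    return problems


def verify_signature(dsc_path, keyring):
    """Run gpgv with an explicit (absolute-path) keyring. Returns one of
    "unsigned", "gpgv-missing", "good", "no-public-key", "bad"."""
    with open(dsc_path, encoding="utf-8") as fh:
        if not fh.read().startswith(PGP_BEGIN):
            return "unsigned"
    if shutil.which("gpgv") is None:
        return "gpgv-missing"
    proc = subprocess.run(["gpgv", "--keyring", keyring, "--status-fd", "1", dsc_path],
                          capture_output=True, text=True, check=False)
    status = {l.split()[1] for l in proc.stdout.splitlines()
              if l.startswith("[GNUPG:] ") and len(l.split()) > 1}
    if proc.returncode == 0 and {"GOODSIG", "VALIDSIG"} <= status:
        return "good"
    return "no-public-key" if "NO_PUBKEY" in status else "bad"   # the log's case


def verify_dsc(dsc_path, keyring):
    """All problems with the .dsc; an empty list means it is safe to unpack."""
    sig = verify_signature(dsc_path, keyring)
    problems = verify_checksums(dsc_path)
    return ([f"signature: {sig}"] if sig != "good" else []) + problems


def make_sample(tamper=False):
    """Constructed sample: a fake 'orig' tarball (arbitrary bytes) and two .dsc
    files listing it, one wrapped in placeholder cleartext armor, one unsigned.
    Returns (clearsigned_dsc_path, unsigned_dsc_path)."""
    d = tempfile.mkdtemp(prefix="dsc-example-")
    tarball = b"constructed tarball bytes, not a real archive\n"
    with open(os.path.join(d, "hello_1.0.orig.tar.xz"), "wb") as fh:
        fh.write(tarball)
    body = ("Format: 3.0 (quilt)\nSource: hello\nVersion: 1.0-1\nChecksums-Sha256:\n"
            f" {hashlib.sha256(tarball).hexdigest()} {len(tarball)} hello_1.0.orig.tar.xz\n")
    if tamper:   # attacker edits the tarball after the .dsc was written
        with open(os.path.join(d, "hello_1.0.orig.tar.xz"), "ab") as fh:
            fh.write(b"# attacker-appended bytes\n")
    signed = os.path.join(d, "hello_1.0-1.dsc")
    with open(signed, "w", encoding="utf-8") as fh:
        fh.write(f"{PGP_BEGIN}\nHash: SHA256\n\n{body}{PGP_SIG}\n\nplaceholder\n"
                 "-----END PGP SIGNATURE-----\n")
    unsigned = os.path.join(d, "hello_1.0-1.unsigned.dsc")
    with open(unsigned, "w", encoding="utf-8") as fh:
        fh.write(body)
    return signed, unsigned


if __name__ == "__main__":
    import sys
    found = verify_dsc(sys.argv[1], sys.argv[2])   # usage: check.py pkg.dsc /abs/keyring.gpg
    print("\n".join(found) or "OK")
    sys.exit(1 if found else 0)
```

Run it before sbuild/dpkg-source on a downloaded .dsc and refuse to build unless it prints OK; the case in the log above (key not in any keyring) comes back as "signature: no-public-key" rather than a warning that the build ignores. dpkg-source itself also has a --require-valid-signature option that refuses to unpack when the signature cannot be verified against its keyrings.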