
Re: Is packages build without verifying the source package signatures?



On Sat, Dec 2, 2017 at 7:15 PM, Davide Prina wrote:

> If I'm not mistaken, the automatic package build system doesn't require that the
> source signature is verified correctly.

To clarify what Adam said: there are two times where source package
verification can happen during builds. The first is during "Download
source files with APT", which verifies hashes of the source files
against the hashes known for those files by apt; the keys for this
stage are the archive keys. The second is during "Unpack source",
which runs dpkg-source to extract the source package and (if all
Debian package uploader keys are installed) verifies the signature of
the source package matches a known developer key.

The Debian buildds only do the first verification (due to all Debian
package uploader keys not being installed) but the Debian archive
verifies that all uploads match a known developer key before passing
packages to the buildds. So in practice, both verifications are
happening, but not in the same place.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
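The "Unpack source" stage described above combines two checks on the .dsc: whether its OpenPGP signature verifies against an installed keyring, and whether each listed source file matches the size and checksum recorded in Checksums-Sha256. The following is an added illustration of that model, not code from this thread or from dpkg; the .dsc text and tarball bytes are constructed inline, and the `signature_ok` flag stands in for the gpg check that dpkg-source performs (on a buildd without the uploader keyring it would be "not verified", which is why the archive performs that check earlier).

```python
import hashlib

# Constructed stand-ins for the files a .dsc would reference.
SOURCE_FILES = {
    "foo_1.0.orig.tar.gz": b"constructed upstream tarball bytes\n",
    "foo_1.0-1.debian.tar.xz": b"constructed debian directory tarball bytes\n",
}


def make_dsc(files):
    """Build a minimal, unsigned .dsc (constructed) whose Checksums-Sha256
    field describes the given files, as the uploader's tooling would."""
    lines = ["Format: 3.0 (quilt)", "Source: foo", "Version: 1.0-1",
             "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"


def parse_checksums(dsc_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field.
    Continuation lines of a multi-line control field start with a space."""
    entries = {}
    in_field = False
    for line in dsc_text.splitlines():
        if in_field and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_field = line.startswith("Checksums-Sha256:")
    return entries


def verify_source(dsc_text, files, signature_ok):
    """Mimic the 'Unpack source' decision: the signature result binds the .dsc
    to a known key, and the checksums bind the files to the .dsc.
    Returns a list of problems; an empty list means the source verifies."""
    problems = []
    if not signature_ok:
        problems.append("dsc-signature-not-verified")
    for name, (digest, size) in parse_checksums(dsc_text).items():
        data = files.get(name)
        if data is None:
            problems.append(f"missing:{name}")
        elif len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            problems.append(f"checksum-mismatch:{name}")
    return problems
```

A tampered tarball is caught by the checksum step even when the signature verifies, while an unverified signature means nothing in the .dsc, checksums included, can be trusted yet.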

