Re: Is packages build without verifying the source package signatures?
On Sun, Dec 03, 2017 at 12:38:24PM +0800, Paul Wise wrote:
> On Sat, Dec 2, 2017 at 7:15 PM, Davide Prina wrote:
> 
> > If I don't mistake the automatic package build system don't require that the
> > source signature is verified correctly.
> 
> To clarify what Adam said; there are two times where source package
> verification can happen during builds. The first is during "Download
> source files with APT", which verifies hashes of the source files
> against the hashes known for those files by apt, the keys for this
> stage are the archive keys. The second is during "Unpack source",
> which runs dpkg-source to extract the source package and (if all
> Debian package uploader keys are installed) verifies the signature of
> the source package matches a known developer key.

There might even be a 3rd signature, the upstream signature, but
it doesn't cover the whole source. We probably don't have tools to
make it easy to check, but the files needed to do it can be in the
archive.

So the 3 signatures are, in the order they are created:
- The upstream developer
- The Debian developer or maintainer
- The Debian archive key

When downloading the source package you start with the 3rd
signature, for which the keys are the debian-archive-keyring,
which should be installed, apt uses those keys, and so it should
check that signature by default.

For the 2nd signature, the keys are in the debian-keyring package.
dpkg-source will use those keys when that package is installed.

For the 1st signature, if upstream provides them and the maintainer
adds them, the keys are in the source package itself. We only seem
to have 454 source packages doing this currently, which is at least
a big improvement over last year.

Kurt
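The message above describes three layers: the archive key (checked by apt), the maintainer's OpenPGP signature on the .dsc (checked by dpkg-source when debian-keyring is installed), and an optional upstream signature on the orig tarball. The following is an added example, not code from the thread or from Debian's tools: it implements the checksum step that sits under the maintainer signature, namely parsing the Checksums-Sha256 field of a .dsc and confirming that each listed file has the stated size and SHA-256, and it reports whether an upstream .asc signature is present at all. The package name, file names, and file contents are constructed for the example; the OpenPGP verification of the .dsc itself is left to dpkg-source and gpg.

```python
"""Offline check of the Checksums-Sha256 layer of a Debian source package.

Added example (not from the original thread). The .dsc body, file names and
file contents below are constructed; a real .dsc would first be verified with
dpkg-source / gpg against the debian-keyring before its checksums are trusted.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample files standing in for the members of a source package.
SAMPLE_FILES: Dict[str, bytes] = {
    "hello_1.0.orig.tar.gz": b"pretend upstream tarball\n",
    "hello_1.0-1.debian.tar.xz": b"pretend debian dir tarball\n",
}


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_dsc(files: Dict[str, bytes]) -> str:
    """Build a minimal .dsc-style body (constructed) whose checksums match `files`."""
    lines = ["Format: 3.0 (quilt)", "Source: hello", "Version: 1.0-1",
             "Checksums-Sha256:"]
    for name, data in files.items():
        # Real .dsc lines have the same shape: " <sha256> <size> <filename>"
        lines.append(f" {_sha256(data)} {len(data)} {name}")
    return "\n".join(lines) + "\n"


def parse_checksums(dsc_text: str) -> List[Tuple[str, int, str]]:
    """Return (sha256, size, filename) entries from the Checksums-Sha256 field."""
    entries: List[Tuple[str, int, str]] = []
    in_field = False
    for line in dsc_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):
                break  # a new field starts; the multi-line value is over
            m = re.fullmatch(r" ([0-9a-f]{64}) (\d+) (\S+)", line)
            if not m:
                raise ValueError(f"malformed checksum line: {line!r}")
            entries.append((m.group(1), int(m.group(2)), m.group(3)))
    if not entries:
        raise ValueError("no Checksums-Sha256 field in .dsc")
    return entries


def verify_sources(dsc_text: str, files: Dict[str, bytes]) -> List[str]:
    """Return a list of problems; an empty list means every listed file matches."""
    problems: List[str] = []
    for digest, size, name in parse_checksums(dsc_text):
        data = files.get(name)
        if data is None:
            problems.append(f"{name}: missing")
            continue
        if len(data) != size:
            problems.append(f"{name}: size {len(data)} != {size}")
        if _sha256(data) != digest:
            problems.append(f"{name}: sha256 mismatch")
    return problems


def has_upstream_signature(files: Dict[str, bytes]) -> bool:
    """True when an upstream detached signature (.orig.tar.*.asc) is shipped."""
    return any(n.endswith(".asc") and ".orig.tar." in n for n in files)


if __name__ == "__main__":
    dsc = build_dsc(SAMPLE_FILES)
    print("intact:", verify_sources(dsc, SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES)
    tampered["hello_1.0.orig.tar.gz"] = b"tampered upstream tarball\n"
    print("tampered:", verify_sources(dsc, tampered))
    print("upstream signature present:", has_upstream_signature(SAMPLE_FILES))
```

Note that a matching checksum only proves the tarball is the one the maintainer signed; whether that maintainer key is trusted is the dpkg-source/debian-keyring step, and whether the tarball is what upstream released is the third, optional, layer that `has_upstream_signature` merely detects.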