diff options
author | Silvio Rhatto <rhatto@riseup.net> | 2014-10-28 21:28:58 -0200 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2014-10-28 21:28:58 -0200 |
commit | 8423121e9c4d5187f9e6287a48d94a78de7aa70e (patch) | |
tree | 437c257bbde3c649fc755de145de03c2d24efa74 | |
parent | f87be20c8bc060cfaba2b75a2633c90dfcc43c29 (diff) | |
download | debian-8423121e9c4d5187f9e6287a48d94a78de7aa70e.tar.gz debian-8423121e9c4d5187f9e6287a48d94a78de7aa70e.tar.bz2 |
'Checking the source' in a dedicated file
-rw-r--r-- | basics.md | 116 | ||||
-rw-r--r-- | checking.md | 119 |
2 files changed, 120 insertions, 115 deletions
@@ -16,121 +16,7 @@ Using `apt-get`: Checking the source ------------------- -This is the trick part. In theory, you could run just - - dscverify *.dsc - -Which would check if the signature was made for a key included in the `debian-keyring` package. - -In practice, it should always work for sources you download from the **same** Debian version you're running. -But sources you download from newer versions might not work, depending basically if the maintainer's key is -already on the `debian-keyring` you installed. - -### Using a newer debian-keyring package - -You might want to try a newer `debian-keyring` package (for testing or unstable), which we haven't tested -yet but can reduce a lot of complexity that follows. - -### Install manually debian-keyring somewhere - -If not, you might try to have a newer copy of the `debian-keyring` somewhere. We already provide one in the -form of git://anonscm.debian.org/keyring/keyring.git available as a git submodule in the `keyring` folder: - - gpg --no-default-keyring --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg --verify *.dsc - -You might also want to have the following on your `~/.devscripts` (line break just to keep formatting here): - - DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg: - /path/to/debian/keyring/output/keyrings/debian-keyring.gpg" - -Or you can use the following alias: - - alias dscverify='dscverify --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg' - -This assumes that you initialized the `keyring` submodule and compiled the keyrings: - - ( cd keyring && make ) - -We use `--no-default-keyring` to make sure `gpg` just looks for the key in the `debian-maintainers` keyring. - -Another option is to get the specific key: - - gpg --recv-keys 12345678 - -Either way, you have to have a criteria about how much trust you should give to the keyring or the pubkey -you just downloaded. The same goes for software you're porting to Debian and that you can't actually check -it's signature against `debian-keyring`. - -Things get even trickier when you try to use `dpkg-source`. - -Even if you symlink `keyring/output/keyrings/debian-keyring.gpg` as `keyring/output/keyrings/debian-keyring.gpg/trustedkeys.gpg` -and point `GNUPGHOME` to this folder you'll still get a weird behavior: - - 0 $ dget http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc - dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc - % Total % Received % Xferd Average Speed Time Time Time Current - Dload Upload Total Spent Left Speed - 100 1827 100 1827 0 0 2626 0 --:--:-- --:--:-- --:--:-- 4911 - dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2.orig.tar.gz - % Total % Received % Xferd Average Speed Time Time Time Current - Dload Upload Total Spent Left Speed - 100 26055 100 26055 0 0 20738 0 0:00:01 0:00:01 --:--:-- 27455 - dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.debian.tar.xz - % Total % Received % Xferd Average Speed Time Time Time Current - Dload Upload Total Spent Left Speed - 100 2892 100 2892 0 0 4183 0 --:--:-- --:--:-- --:--:-- 8078 - ruby-childprocess_0.5.2-1.dsc: - Good signature found - validating ruby-childprocess_0.5.2.orig.tar.gz - validating ruby-childprocess_0.5.2-1.debian.tar.xz - All files validated successfully. - gpgv: Signature made Seg 28 Abr 2014 18:03:27 BRT using RSA key ID 39CD217A - gpgv: Impossível verificar assinatura: chave pública não encontrada - dpkg-source: warning: failed to verify signature on ./ruby-childprocess_0.5.2-1.dsc - dpkg-source: info: extracting ruby-childprocess in ruby-childprocess-0.5.2 - dpkg-source: info: unpacking ruby-childprocess_0.5.2.orig.tar.gz - dpkg-source: info: unpacking ruby-childprocess_0.5.2-1.debian.tar.xz - 0 $ - -What happened here is that `dscverify` honoured our custom configuration above while `dpkg-source` is still relying on -the one available in the `debian-keyring` package. - -Even if you remove the `debian-keyring` package, it will still fallback to your `$HOME/.gnupg/trustedkeys.gpg` which -you don't really want to fill with keys you actually haven't stablished a proper trust relationship. - -As currently `dpkg-source` doesn't honour `GNUPGHOME` (see TODO for bugreport), all we can do currently is call `dget` -and `dpkg-source` with - - HOME=/path/to/debian/keyring/output/ dpkg-source -x $package*dsc - HOME=/path/to/debian/keyring/output/ dget <remote-dsc> - -For this trick to work, you'll need to - - ( cd /path/to/debian/keyring/output/ && ln -s keyrings .gnupg && cd .gnupg && ln -s debian-keyring.gpg trustedkeys.gpg ) - -And also set the `/path/to/debian/keyring/output/.devscripts` to the following content: - - DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg: - ~/keyrings/debian-keyring.gpg" - -Again, you might set two handy aliases: - - alias dpkg-source='HOME=/path/to/debian/keyring/output/ dpkg-source' - alias dget='HOME=/path/to/debian/keyring/output/ dget' - -As a last touch, import your own key into this keyring: - - gpg --armor --export $KEYID | \ - gpg --no-default-keyring --keyring /path/to/debian/keyring/output/.gnupg/trustedkeys.gpg --import - -Then you might be happy... for a while :P - -See also: - -* `dscverify(1)` manpage. -* [Debian Public Key Server](http://keyring.debian.org/). -* [apt get - How to get apt-get source verification working? - Super User](https://superuser.com/questions/626810/how-to-get-apt-get-source-verification-working). -* [Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY - Server Fault](http://serverfault.com/questions/337278/debian-how-can-i-securely-get-debian-archive-keyring-so-that-i-can-do-an-apt-g/337283#337283). +See `checking.md`. Extracting the source --------------------- diff --git a/checking.md b/checking.md new file mode 100644 index 0000000..f0a71a8 --- /dev/null +++ b/checking.md @@ -0,0 +1,119 @@ +Checking the source +=================== + +This is the trick part. In theory, you could run just + + dscverify *.dsc + +Which would check if the signature was made for a key included in the `debian-keyring` package. + +In practice, it should always work for sources you download from the **same** Debian version you're running. +But sources you download from newer versions might not work, depending basically if the maintainer's key is +already on the `debian-keyring` you installed. + +### Using a newer debian-keyring package + +You might want to try a newer `debian-keyring` package (for testing or unstable), which we haven't tested +yet but can reduce a lot of complexity that follows. + +### Install manually debian-keyring somewhere + +If not, you might try to have a newer copy of the `debian-keyring` somewhere. We already provide one in the +form of git://anonscm.debian.org/keyring/keyring.git available as a git submodule in the `keyring` folder: + + gpg --no-default-keyring --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg --verify *.dsc + +You might also want to have the following on your `~/.devscripts` (line break just to keep formatting here): + + DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg: + /path/to/debian/keyring/output/keyrings/debian-keyring.gpg" + +Or you can use the following alias: + + alias dscverify='dscverify --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg' + +This assumes that you initialized the `keyring` submodule and compiled the keyrings: + + ( cd keyring && make ) + +We use `--no-default-keyring` to make sure `gpg` just looks for the key in the `debian-maintainers` keyring. + +Another option is to get the specific key: + + gpg --recv-keys 12345678 + +Either way, you have to have a criteria about how much trust you should give to the keyring or the pubkey +you just downloaded. The same goes for software you're porting to Debian and that you can't actually check +it's signature against `debian-keyring`. + +Things get even trickier when you try to use `dpkg-source`. + +Even if you symlink `keyring/output/keyrings/debian-keyring.gpg` as `keyring/output/keyrings/debian-keyring.gpg/trustedkeys.gpg` +and point `GNUPGHOME` to this folder you'll still get a weird behavior: + + 0 $ dget http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc + dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 100 1827 100 1827 0 0 2626 0 --:--:-- --:--:-- --:--:-- 4911 + dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2.orig.tar.gz + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 100 26055 100 26055 0 0 20738 0 0:00:01 0:00:01 --:--:-- 27455 + dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.debian.tar.xz + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 100 2892 100 2892 0 0 4183 0 --:--:-- --:--:-- --:--:-- 8078 + ruby-childprocess_0.5.2-1.dsc: + Good signature found + validating ruby-childprocess_0.5.2.orig.tar.gz + validating ruby-childprocess_0.5.2-1.debian.tar.xz + All files validated successfully. + gpgv: Signature made Seg 28 Abr 2014 18:03:27 BRT using RSA key ID 39CD217A + gpgv: Impossível verificar assinatura: chave pública não encontrada + dpkg-source: warning: failed to verify signature on ./ruby-childprocess_0.5.2-1.dsc + dpkg-source: info: extracting ruby-childprocess in ruby-childprocess-0.5.2 + dpkg-source: info: unpacking ruby-childprocess_0.5.2.orig.tar.gz + dpkg-source: info: unpacking ruby-childprocess_0.5.2-1.debian.tar.xz + 0 $ + +What happened here is that `dscverify` honoured our custom configuration above while `dpkg-source` is still relying on +the one available in the `debian-keyring` package. + +Even if you remove the `debian-keyring` package, it will still fallback to your `$HOME/.gnupg/trustedkeys.gpg` which +you don't really want to fill with keys you actually haven't stablished a proper trust relationship. + +As currently `dpkg-source` doesn't honour `GNUPGHOME` (see TODO for bugreport), all we can do currently is call `dget` +and `dpkg-source` with + + HOME=/path/to/debian/keyring/output/ dpkg-source -x $package*dsc + HOME=/path/to/debian/keyring/output/ dget <remote-dsc> + +For this trick to work, you'll need to + + ( cd /path/to/debian/keyring/output/ && ln -s keyrings .gnupg && cd .gnupg && ln -s debian-keyring.gpg trustedkeys.gpg ) + +And also set the `/path/to/debian/keyring/output/.devscripts` to the following content: + + DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg: + ~/keyrings/debian-keyring.gpg" + +Again, you might set two handy aliases: + + alias dpkg-source='HOME=/path/to/debian/keyring/output/ dpkg-source' + alias dget='HOME=/path/to/debian/keyring/output/ dget' + +As a last touch, import your own key into this keyring: + + gpg --armor --export $KEYID | \ + gpg --no-default-keyring --keyring /path/to/debian/keyring/output/.gnupg/trustedkeys.gpg --import + +Then you might be happy... for a while :P + +See also: + +* `dscverify(1)` manpage. +* [Debian Public Key Server](http://keyring.debian.org/). +* [apt get - How to get apt-get source verification working? - Super User](https://superuser.com/questions/626810/how-to-get-apt-get-source-verification-working). +* [Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY - Server Fault](http://serverfault.com/questions/337278/debian-how-can-i-securely-get-debian-archive-keyring-so-that-i-can-do-an-apt-g/337283#337283). + |