diff options
author | Silvio Rhatto <rhatto@riseup.net> | 2014-09-19 21:49:14 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2014-09-19 21:49:14 -0300 |
commit | 6b45760cac4a0f25152aa87e6cc667a25a1a476b (patch) | |
tree | 8a805e321a3e57899d269d34add475a1c3487097 /basics.md | |
parent | 4e0224925af6ec615847bfa5fde0cf6da5b7e215 (diff) | |
download | debian-6b45760cac4a0f25152aa87e6cc667a25a1a476b.tar.gz debian-6b45760cac4a0f25152aa87e6cc667a25a1a476b.tar.bz2 |
Checking sources: dscverify and debian-keyring
Diffstat (limited to 'basics.md')
-rw-r--r-- | basics.md | 43 |
1 files changed, 37 insertions, 6 deletions
@@ -16,21 +16,52 @@ Using `apt-get`: Checking the source ------------------- -Get the key if needed +This is the trick part. In theory, you could run just - gpg --recv-keys 12345678 + dscverify *.dsc -Checking the source +Which would check if the signature was made for a key included in the `debian-keyring` package. - dscverify *.dsc +In practice, it should always work for sources you download from the **same** Debian version you're running. +But sources you download from newer versions might not work, depending basically if the maintainer's key is +already on the `debian-keyring` you installed. -Extracting: +If not, you might try to have a newer copy of the `debian-keyring` somewhere. We already provide one in the +form of git://anonscm.debian.org/keyring/keyring.git available as a git submodule in the `keyring` folder: - dpkg-source -x *.dsc + gpg --no-default-keyring --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg --verify *.dsc + +Or you can use the following alias: + + dscverify='dscverify --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg' + +This assumes that you initialized the `keyring` submodule and compiled the keyrings: + + ( cd keyring && make ) + +We use `--no-default-keyring` to make sure `gpg` just looks for the key in the `debian-maintainers` keyring. + +Another option is to get the specific key: + + gpg --recv-keys 12345678 + +Either way, you have to have a criteria about how much trust you should give to the keyring or the pubkey +you just downloaded. The same goes for software you're porting to Debian and that you can't actually check +it's signature against `debian-keyring`. See also: +* `dscverify(1)` manpage. +* [Debian Public Key Server](http://keyring.debian.org/). * [apt get - How to get apt-get source verification working? - Super User](https://superuser.com/questions/626810/how-to-get-apt-get-source-verification-working). +* [Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY - Server Fault](http://serverfault.com/questions/337278/debian-how-can-i-securely-get-debian-archive-keyring-so-that-i-can-do-an-apt-g/337283#337283). + +Extracting the source +--------------------- + +If needed, do this after your successfully verified the sources: + + dpkg-source -x *.dsc Getting dependencies -------------------- |