From 497d2af76200d40fdb964091c73b9ff9fd7b631e Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Fri, 15 Jun 2018 20:53:24 -0300
Subject: Updates source checking instructions

---
 .devscripts |  1 +
 .gitignore  |  2 +-
 Makefile    | 14 ++++++++++----
 checking.md | 50 +++++++++++++++++++++++++++-----------------------
 4 files changed, 39 insertions(+), 28 deletions(-)
 create mode 100644 .devscripts

diff --git a/.devscripts b/.devscripts
new file mode 100644
index 0000000..d095dac
--- /dev/null
+++ b/.devscripts
@@ -0,0 +1 @@
+DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg:~/keyrings/debian-keyring.gpg:~/keyrings/debian-maintainers.gpg"
diff --git a/.gitignore b/.gitignore
index 3c24c59..929d984 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,4 +7,4 @@ tmp
 /www
 build-area
 puppet/modules
-keyrings
+keyring
diff --git a/Makefile b/Makefile
index 8da8402..458ab42 100644
--- a/Makefile
+++ b/Makefile
@@ -22,8 +22,14 @@ web:
 web_deploy:
 	@rsync -avz --delete --exclude=keyring www/ debian:/var/sites/debian/www/
 
-keyring:
-	@rsync -az --progress keyring.debian.org::keyrings/ keyrings/
-	@gpg --verify keyrings/sha512sums.txt
-
 publish: web web_deploy
+
+keyring:
+	@rsync -az --progress keyring.debian.org::keyrings/ keyring/
+	@gpg --verify keyring/sha512sums.txt
+	@cd keyring > /dev/null && sha512sum -c sha512sums.txt
+	@cd keyring > /dev/null && chmod 700 keyrings && ln -sf keyrings .gnupg #&& cd .gnupg && ln -sf debian-keyring.gpg trustedkeys.gpg
+	@cp .devscripts keyring/
+	@gpg --no-default-keyring --keyring keyring/keyrings/debian-keyring.gpg --export | HOME=keyring/ gpg --import
+	@gpg --no-default-keyring --keyring keyring/keyrings/debian-maintainers.gpg --export | HOME=keyring/ gpg --import
+	@cd keyring/.gnupg && ln -sf pubring.kbx trustedkeys.kbx
diff --git a/checking.md b/checking.md
index f99fa1d..c30a27d 100644
--- a/checking.md
+++ b/checking.md
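Review bot: The `ln -sf keyrings .gnupg` step in the new `keyring` recipe is not safe to re-run: on a second `make keyring`, `.gnupg` already resolves to the `keyrings` directory, so `ln -sf` places a `keyrings -> keyrings` link inside that directory instead of replacing the symlink, and the later `cd keyring/.gnupg` step keeps working only by accident; `ln -sfn keyrings .gnupg` replaces the link in place. The `gpg --verify keyring/sha512sums.txt` line checks the signature against whatever is in the caller's default keyring, so it succeeds for any imported key regardless of its trust state and presumably fails outright when the keyring maintainers' key was never imported; pinning the expected signer, e.g. `gpg --no-default-keyring --keyring <PATH-TO-PINNED-SIGNER-KEY> --verify keyring/sha512sums.txt` (placeholder path), would make the integrity check independent of the user's keyring contents. Because every recipe line is silenced with `@`, a failure in the middle of this chain gives no indication of which step broke; dropping the `@` on the two verification lines would make a failed `make keyring` self-explanatory.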
@@ -28,24 +28,24 @@ yet but can reduce a lot of complexity that follows. ### Install manually debian-keyring somewhere If not, you might try to have a newer copy of the `debian-keyring` somewhere. We already provide one in the -form of git://anonscm.debian.org/keyring/keyring.git available as a git submodule in the `keyring` folder: +a way for you to get the keyring directly from https://keyring.debian.org: - gpg --no-default-keyring --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg --verify *.dsc + make keyring + +We use `--no-default-keyring` to make sure `gpg` just looks for the key in the `debian-maintainers` keyring: + + gpg --no-default-keyring --keyring /path/to/debian/keyring/keyrings/debian-keyring.gpg --verify *.dsc You might also want to have the following on your `~/.devscripts` (line break just to keep formatting here): DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg: - /path/to/debian/keyring/output/keyrings/debian-keyring.gpg" + /path/to/debian/keyring/keyrings/debian-keyring.gpg:/path/to/debian/keyring/keyrings/debian-maintainers.gpg" Or you can use the following alias: - alias dscverify='dscverify --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg' - -This assumes that you initialized the `keyring` submodule and compiled the keyrings: + alias dscverify='dscverify --keyring /path/to/debian/keyring/keyrings/debian-keyring.gpg --keyring /path/to/debian/keyring/keyrings/debian-maintainers.gpg' - ( cd keyring && make ) - -We use `--no-default-keyring` to make sure `gpg` just looks for the key in the `debian-maintainers` keyring. +### Manually getting the key Another option is to get the specific key: 
@@ -55,9 +55,13 @@ Either way, you have to have a criteria about how much trust you should give to you just downloaded. The same goes for software you're porting to Debian and that you can't actually check it's signature against `debian-keyring`. -Things get even trickier when you try to use `dpkg-source`. +### Issues with dpkg-source + +Things get even trickier when you try to use `dpkg-source`. See [Debian Bug report logs - #852019 gpgv: unknown +type of key resource 'trustedkeys.kbx'](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852019) +for details. -Even if you symlink `keyring/output/keyrings/debian-keyring.gpg` as `keyring/output/keyrings/debian-keyring.gpg/trustedkeys.gpg` +Even if you symlink `keyring/keyrings/debian-keyring.gpg` as `keyring/keyrings/trustedkeys.gpg` and point `GNUPGHOME` to this folder you'll still get a weird behavior: 0 $ dget http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc 
@@ -95,33 +99,33 @@ you don't really want to fill with keys you actually haven't stablished a proper As currently `dpkg-source` doesn't honour `GNUPGHOME` (see TODO for bugreport), all we can do currently is call `dget` and `dpkg-source` with - HOME=/path/to/debian/keyring/output/ dpkg-source -x $package*dsc - HOME=/path/to/debian/keyring/output/ dget + HOME=/path/to/debian/keyring/ dpkg-source -x $package*dsc + HOME=/path/to/debian/keyring/ dget -For this trick to work, you'll need to +For this trick to work, you'll need to run `make keyring` or manually run this: - ( cd /path/to/debian/keyring/output/ && ln -s keyrings .gnupg && cd .gnupg && ln -s debian-keyring.gpg trustedkeys.gpg ) + ( cd /path/to/debian/keyring/ && chmod 700 keyrings && ln -sf keyrings .gnupg && cd .gnupg && ln -sf debian-keyring.gpg trustedkeys.gpg ) -And also set the `/path/to/debian/keyring/output/.devscripts` to the following content: +If you're doing manually, make sure to add into `/path/to/debian/keyring/.devscripts` the following content: DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg: - ~/keyrings/debian-keyring.gpg" + ~/keyrings/debian-keyring.gpg:~/keyrings/debian-maintainers.gpg" -Again, you might set two handy aliases: +Again, you might set two handy aliases for your shell: - alias dpkg-source='HOME=/path/to/debian/keyring/output/ dpkg-source' - alias dget='HOME=/path/to/debian/keyring/output/ dget' + alias dpkg-source='HOME=/path/to/debian/keyring/keyrings/ dpkg-source' + alias dget='HOME=/path/to/debian/keyring/keyrings/ dget' -As a last touch, import your own key into this keyring: +Optionally, as a last touch, import your own key into this keyring: gpg --armor --export $KEYID | \ - gpg --no-default-keyring --keyring /path/to/debian/keyring/output/.gnupg/trustedkeys.gpg --import + gpg --no-default-keyring --keyring /path/to/debian/keyring/keyrings/.gnupg/trustedkeys.gpg --import Then you might be happy... 
for a while :P See also: * `dscverify(1)` manpage. -* [Debian Public Key Server](http://keyring.debian.org/). +* [Debian Public Key Server](http://keyring.debian.org/) and it's [workflow](https://keyring.debian.org/keyring-workflow.html). * [apt get - How to get apt-get source verification working? - Super User](https://superuser.com/questions/626810/how-to-get-apt-get-source-verification-working). * [Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY - Server Fault](http://serverfault.com/questions/337278/debian-how-can-i-securely-get-debian-archive-keyring-so-that-i-can-do-an-apt-g/337283#337283). -- cgit v1.2.3