From 6b45760cac4a0f25152aa87e6cc667a25a1a476b Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 19 Sep 2014 21:49:14 -0300 Subject: Checking sources: dscverify and debian-keyring --- basics.md | 43 +++++++++++++++++++++++++++++++++++++------ 1 file changed, 37 insertions(+), 6 deletions(-) (limited to 'basics.md') diff --git a/basics.md b/basics.md index 166b31e..dd43c1b 100644 --- a/basics.md +++ b/basics.md @@ -16,21 +16,52 @@ Using `apt-get`: Checking the source ------------------- -Get the key if needed +This is the trick part. In theory, you could run just - gpg --recv-keys 12345678 + dscverify *.dsc -Checking the source +Which would check if the signature was made for a key included in the `debian-keyring` package. - dscverify *.dsc +In practice, it should always work for sources you download from the **same** Debian version you're running. +But sources you download from newer versions might not work, depending basically if the maintainer's key is +already on the `debian-keyring` you installed. -Extracting: +If not, you might try to have a newer copy of the `debian-keyring` somewhere. We already provide one in the +form of git://anonscm.debian.org/keyring/keyring.git available as a git submodule in the `keyring` folder: - dpkg-source -x *.dsc + gpg --no-default-keyring --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg --verify *.dsc + +Or you can use the following alias: + + dscverify='dscverify --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg' + +This assumes that you initialized the `keyring` submodule and compiled the keyrings: + + ( cd keyring && make ) + +We use `--no-default-keyring` to make sure `gpg` just looks for the key in the `debian-maintainers` keyring. + +Another option is to get the specific key: + + gpg --recv-keys 12345678 + +Either way, you have to have a criteria about how much trust you should give to the keyring or the pubkey +you just downloaded. The same goes for software you're porting to Debian and that you can't actually check +it's signature against `debian-keyring`. See also: +* `dscverify(1)` manpage. +* [Debian Public Key Server](http://keyring.debian.org/). * [apt get - How to get apt-get source verification working? - Super User](https://superuser.com/questions/626810/how-to-get-apt-get-source-verification-working). +* [Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY - Server Fault](http://serverfault.com/questions/337278/debian-how-can-i-securely-get-debian-archive-keyring-so-that-i-can-do-an-apt-g/337283#337283). + +Extracting the source +--------------------- + +If needed, do this after your successfully verified the sources: + + dpkg-source -x *.dsc Getting dependencies -------------------- -- cgit v1.2.3