From d645d9c8b4c4abe2849c962acd14563430acd099 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto <rhatto@riseup.net>
Date: Fri, 19 Sep 2014 23:41:38 -0300
Subject: More on source verification

---
 basics.md | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 69 insertions(+), 2 deletions(-)

(limited to 'basics.md')

diff --git a/basics.md b/basics.md
index 3f51dae..4cc6960 100644
--- a/basics.md
+++ b/basics.md
@@ -26,14 +26,22 @@ In practice, it should always work for sources you download from the **same** De
 But sources you download from newer versions might not work, depending basically if the maintainer's key is
 already on the `debian-keyring` you installed.
 
+You might want to try a newer `debian-keyring` package (for testing or unstable), which we haven't tested
+yet but can reduce a lot of complexity that follows.
+
 If not, you might try to have a newer copy of the `debian-keyring` somewhere. We already provide one in the
 form of git://anonscm.debian.org/keyring/keyring.git available as a git submodule in the `keyring` folder:
 
     gpg --no-default-keyring --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg --verify *.dsc
 
+You might also want to have the following on your `~/.devscripts` (line break just to keep formatting here):
+
+    DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg:
+                        /path/to/debian/keyring/output/keyrings/debian-keyring.gpg"
+
 Or you can use the following alias:
 
-    dscverify='dscverify --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg'
+    alias dscverify='dscverify --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg'
 
 This assumes that you initialized the `keyring` submodule and compiled the keyrings:
 
@@ -49,6 +57,65 @@ Either way, you have to have a criteria about how much trust you should give to
 you just downloaded. The same goes for software you're porting to Debian and that you can't actually check
 it's signature against `debian-keyring`.
 
+Things get even trickier when you try to use `dpkg-source`.
+
+Even if you symlink `keyring/output/keyrings/debian-keyring.gpg` as `keyring/output/keyrings/debian-keyring.gpg/trustedkeys.gpg`
+and point `GNUPGHOME` to this folder you'll still get a weird behavior:
+
+    0 $ dget http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc
+    dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc
+      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                     Dload  Upload   Total   Spent    Left  Speed
+    100  1827  100  1827    0     0   2626      0 --:--:-- --:--:-- --:--:--  4911
+    dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2.orig.tar.gz
+      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                     Dload  Upload   Total   Spent    Left  Speed
+    100 26055  100 26055    0     0  20738      0  0:00:01  0:00:01 --:--:-- 27455
+    dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.debian.tar.xz
+      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                     Dload  Upload   Total   Spent    Left  Speed
+    100  2892  100  2892    0     0   4183      0 --:--:-- --:--:-- --:--:--  8078
+    ruby-childprocess_0.5.2-1.dsc:
+          Good signature found
+       validating ruby-childprocess_0.5.2.orig.tar.gz
+       validating ruby-childprocess_0.5.2-1.debian.tar.xz
+    All files validated successfully.
+    gpgv: Signature made Seg 28 Abr 2014 18:03:27 BRT using RSA key ID 39CD217A
+    gpgv: Impossível verificar assinatura: chave pública não encontrada
+    dpkg-source: warning: failed to verify signature on ./ruby-childprocess_0.5.2-1.dsc
+    dpkg-source: info: extracting ruby-childprocess in ruby-childprocess-0.5.2
+    dpkg-source: info: unpacking ruby-childprocess_0.5.2.orig.tar.gz
+    dpkg-source: info: unpacking ruby-childprocess_0.5.2-1.debian.tar.xz
+    0 $
+
+What happened here is that `dscverify` honoured our custom configuration above while `dpkg-source` is still relying on
+the one available in the `debian-keyring` package.
+
+Even if you remove the `debian-keyring` package, it will still fallback to your `$HOME/.gnupg/trustedkeys.gpg` which
+you don't really want to fill with keys you actually haven't stablished a proper trust relationship.
+
+As currently `dpkg-source` doesn't honour `GNUPGHOME` (see TODO for bugreport), all we can do currently is call `dget`
+and `dpkg-source` with
+
+    HOME=/path/to/debian/keyring/output/ dpkg-source -x $package*dsc
+    HOME=/path/to/debian/keyring/output/ dget <remote-dsc>
+
+For this trick to work, you'll need to
+
+    ( cd /path/to/debian/keyring/output/ && ln -s keyrings .gnupg && cd .gnupg && ln -s debian-keyring.gpg trustedkeys.gpg )
+
+And also set the `/path/to/debian/keyring/output/.devscripts` to the following content:
+
+    DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg:
+                        ~/keyrings/debian-keyring.gpg"
+
+Again, you might set two handy aliases:
+
+    alias dpkg-source='HOME=/path/to/debian/keyring/output/ dpkg-source'
+    alias dget='HOME=/path/to/debian/keyring/output/ dget'
+
+Then you might be happy... for a while :P
+
 See also:
 
 * `dscverify(1)` manpage.
@@ -93,7 +160,7 @@ Creating a new debian source
 ----------------------------
 
     cd ..
-    dpkg-source $package*
+    dpkg-source -b $package*
     debsign $package*.dsc
 
 Building and signing
-- 
cgit v1.2.3