Basic packaging =============== Getting the debianized source ----------------------------- Using `dget`: dget $remote_dsc cd $package* Using `apt-get`: apt-get source package Checking the source ------------------- This is the trick part. In theory, you could run just dscverify *.dsc Which would check if the signature was made for a key included in the `debian-keyring` package. In practice, it should always work for sources you download from the **same** Debian version you're running. But sources you download from newer versions might not work, depending basically if the maintainer's key is already on the `debian-keyring` you installed. If not, you might try to have a newer copy of the `debian-keyring` somewhere. We already provide one in the form of git://anonscm.debian.org/keyring/keyring.git available as a git submodule in the `keyring` folder: gpg --no-default-keyring --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg --verify *.dsc Or you can use the following alias: dscverify='dscverify --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg' This assumes that you initialized the `keyring` submodule and compiled the keyrings: ( cd keyring && make ) We use `--no-default-keyring` to make sure `gpg` just looks for the key in the `debian-maintainers` keyring. Another option is to get the specific key: gpg --recv-keys 12345678 Either way, you have to have a criteria about how much trust you should give to the keyring or the pubkey you just downloaded. The same goes for software you're porting to Debian and that you can't actually check it's signature against `debian-keyring`. See also: * `dscverify(1)` manpage. * [Debian Public Key Server](http://keyring.debian.org/). * [apt get - How to get apt-get source verification working? - Super User](https://superuser.com/questions/626810/how-to-get-apt-get-source-verification-working). * [Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY - Server Fault](http://serverfault.com/questions/337278/debian-how-can-i-securely-get-debian-archive-keyring-so-that-i-can-do-an-apt-g/337283#337283). Extracting the source --------------------- If needed, do this after your successfully verified the sources: dpkg-source -x *.dsc Getting dependencies -------------------- To get: apt-get build-dep package To remove: hydractl remove-dep package Creating the `debian/` structure -------------------------------- If the package wasn't debianized, proceed with if [ ! -d "debian" ]; then dh_make -p ${package}_${version} --createorig fi Simple build ------------ dch -i dpkg-buildpackage -rfakeroot -sa -k$KEY_ID Creating a new debian source ---------------------------- cd .. dpkg-source $package* debsign $package*.dsc Building and signing -------------------- To generate signatures, remove `-uc` and `-us` from `dpkg-buildpackage` (see [Complete build](http://www.debian.org/doc/maint-guide/ch-build.pt-br.html#s-completebuild)): dpkg-buildpackage -rfakeroot To sign using an specific key: dpkg-buildpackage -rfakeroot -kKEY_ID