Basic packaging
===============

Getting the debianized source
-----------------------------

Using `dget`:

    dget $remote_dsc
    cd $package*

Using `apt-get`:

    apt-get source package

Checking the source
-------------------

This is the trick part. In theory, you could run just

    dscverify *.dsc

Which would check if the signature was made for a key included in the `debian-keyring` package.

In practice, it should always work for sources you download from the **same** Debian version you're running.
But sources you download from newer versions might not work, depending basically if the maintainer's key is
already on the `debian-keyring` you installed.

If not, you might try to have a newer copy of the `debian-keyring` somewhere. We already provide one in the
form of git://anonscm.debian.org/keyring/keyring.git available as a git submodule in the `keyring` folder:

    gpg --no-default-keyring --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg --verify *.dsc

Or you can use the following alias:

    dscverify='dscverify --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg'

This assumes that you initialized the `keyring` submodule and compiled the keyrings:

    ( cd keyring && make )

We use `--no-default-keyring` to make sure `gpg` just looks for the key in the `debian-maintainers` keyring.

Another option is to get the specific key:

    gpg --recv-keys 12345678

Either way, you have to have a criteria about how much trust you should give to the keyring or the pubkey 
you just downloaded. The same goes for software you're porting to Debian and that you can't actually check
it's signature against `debian-keyring`.

See also:

* `dscverify(1)` manpage.
* [Debian Public Key Server](http://keyring.debian.org/).
* [apt get - How to get apt-get source verification working? - Super User](https://superuser.com/questions/626810/how-to-get-apt-get-source-verification-working).
* [Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY - Server Fault](http://serverfault.com/questions/337278/debian-how-can-i-securely-get-debian-archive-keyring-so-that-i-can-do-an-apt-g/337283#337283).

Extracting the source
---------------------

If needed, do this after your successfully verified the sources:

    dpkg-source -x *.dsc

Getting dependencies
--------------------

To get:

    apt-get build-dep package

To remove:

    hydractl remove-dep package

Creating the `debian/` structure
--------------------------------

If the package wasn't debianized, proceed with

    if [ ! -d "debian" ]; then
      dh_make -p ${package}_${version} --createorig
    fi

Simple build
------------

    dch -i
    dpkg-buildpackage -rfakeroot -sa -k$KEY_ID

Creating a new debian source
----------------------------

    cd ..
    dpkg-source $package*
    debsign $package*.dsc

Building and signing
--------------------

To generate signatures, remove `-uc` and `-us` from `dpkg-buildpackage` (see
[Complete build](http://www.debian.org/doc/maint-guide/ch-build.pt-br.html#s-completebuild)):

    dpkg-buildpackage -rfakeroot

To sign using an specific key:

    dpkg-buildpackage -rfakeroot -kKEY_ID