[[!meta title="Checking the source"]]

Debian Images
-------------

See [Verifying authenticity of Debian CDs](https://www.debian.org/CD/verify).

Source packages
---------------

This is the tricky part. In theory, you could just run

    dscverify *.dsc

which checks whether the signature was made by a key included in the `debian-keyring` package, or by a key to which you have a verification path.

In practice, this should always work for sources you download from the **same** Debian version you're running. Sources you download from newer versions might not verify, depending basically on whether the maintainer's key is already in the `debian-keyring` you have installed.

### Using a newer debian-keyring package

You might want to try a newer `debian-keyring` package (from testing or unstable). We haven't tested this yet, but it can remove much of the complexity that follows.

### Manually installing debian-keyring somewhere

If not, you might try to keep a newer copy of the `debian-keyring` somewhere. We already provide a way for you to get the keyring directly from https://keyring.debian.org:

    make keyring

We use `--no-default-keyring` to make sure `gpg` only looks for the key in the Debian keyring passed with `--keyring`, not in your own:

    gpg --no-default-keyring --keyring /path/to/debian/keyring/keyrings/debian-keyring.gpg --verify *.dsc

You might also want to have the following in your `~/.devscripts` (line break added only to keep the formatting here):

    DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg:
    /path/to/debian/keyring/keyrings/debian-keyring.gpg:/path/to/debian/keyring/keyrings/debian-maintainers.gpg"

Or you can use the following alias:

    alias dscverify='dscverify --keyring /path/to/debian/keyring/keyrings/debian-keyring.gpg --keyring /path/to/debian/keyring/keyrings/debian-maintainers.gpg'

### Manually getting the key

Another option is to get the specific key:

    gpg --recv-keys 12345678

Either way, you have to have criteria for how much trust you should give to the keyring or the public key you just downloaded. The same goes for software you're porting to Debian whose signature you can't actually check against `debian-keyring`.

### Issues with dpkg-source

Things get even trickier when you try to use `dpkg-source`. See [Debian Bug report logs - #852019 gpgv: unknown type of key resource 'trustedkeys.kbx'](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852019) for details.

Even if you merge both `keyring/keyrings/debian-keyring.gpg` and `keyring/keyrings/debian-maintainers.gpg` into a file like `keyring/keyrings/pubring.kbx`, symlink it as `keyring/keyrings/trustedkeys.gpg` and point `GNUPGHOME` to this folder, you'll still get weird behavior:

    0 $ dget http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc
    dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  1827  100  1827    0     0   2626      0 --:--:-- --:--:-- --:--:--  4911
    dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2.orig.tar.gz
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 26055  100 26055    0     0  20738      0  0:00:01  0:00:01 --:--:-- 27455
    dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.debian.tar.xz
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  2892  100  2892    0     0   4183      0 --:--:-- --:--:-- --:--:--  8078
    ruby-childprocess_0.5.2-1.dsc:
          Good signature found
       validating ruby-childprocess_0.5.2.orig.tar.gz
       validating ruby-childprocess_0.5.2-1.debian.tar.xz
    All files validated successfully.
    gpgv: Signature made Seg 28 Abr 2014 18:03:27 BRT using RSA key ID 39CD217A
    gpgv: Impossível verificar assinatura: chave pública não encontrada
    dpkg-source: warning: failed to verify signature on ./ruby-childprocess_0.5.2-1.dsc
    dpkg-source: info: extracting ruby-childprocess in ruby-childprocess-0.5.2
    dpkg-source: info: unpacking ruby-childprocess_0.5.2.orig.tar.gz
    dpkg-source: info: unpacking ruby-childprocess_0.5.2-1.debian.tar.xz
    0 $

What happened here is that `dscverify` honoured our custom configuration above, while `dpkg-source` still relies on the keyring available in the `debian-keyring` package. Even if you remove the `debian-keyring` package, it will still fall back to your `$HOME/.gnupg/trustedkeys.gpg`, which you don't really want to fill with keys you haven't established a proper trust relationship with.

As `dpkg-source` currently doesn't honour `GNUPGHOME` (see TODO for bug report), all we can do for now is call `dget` and `dpkg-source` with

    HOME=/path/to/debian/keyring/ dpkg-source -x $package*dsc
    HOME=/path/to/debian/keyring/ dget

For this trick to work, you'll need to run

    make keyring

Again, you might set two handy aliases for your shell:

    alias dpkg-source='HOME=/path/to/debian/keyring/keyrings/ dpkg-source'
    alias dget='HOME=/path/to/debian/keyring/keyrings/ dget'

Optionally, as a last touch, import your own key into this keyring:

    gpg --armor --export $KEYID | \
      gpg --no-default-keyring --keyring /path/to/debian/keyring/keyrings/.gnupg/trustedkeys.gpg --import

Then you might be happy... for a while :P

See also:

* `dscverify(1)` manpage.
* [Debian Public Key Server](http://keyring.debian.org/) and its [workflow](https://keyring.debian.org/keyring-workflow.html).
* [apt get - How to get apt-get source verification working? - Super User](https://superuser.com/questions/626810/how-to-get-apt-get-source-verification-working).
* [Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY - Server Fault](http://serverfault.com/questions/337278/debian-how-can-i-securely-get-debian-archive-keyring-so-that-i-can-do-an-apt-g/337283#337283).
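As a worked complement to the `dscverify` and `gpg --no-default-keyring` steps above, here is an added example (not code from this page, nor from devscripts or dpkg) that does by hand the two things `dscverify` does for a `.dsc`: check the OpenPGP signature with `gpgv` against only the keyrings you name, so the default `trustedkeys.gpg` under `$GNUPGHOME` is never consulted, and then recompute the SHA-256 of every file listed in the `Checksums-Sha256` stanza and compare it with what the `.dsc` declares. It assumes `gpgv`, `sha256sum` and `awk` are installed; the `/path/to/debian/keyring/...` paths are placeholders exactly as on the page, and the function and file names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the page or of devscripts/dpkg.
#   verify_dsc_signature  - gpgv restricted to the keyrings passed on the command line
#   verify_dsc_checksums  - SHA-256 of each listed file compared with the .dsc
# Example: ./check-dsc.sh pkg_1.0-1.dsc /path/to/debian/keyring/keyrings/debian-keyring.gpg

# Usage: verify_dsc_signature FILE.dsc KEYRING [KEYRING...]
# Returns gpgv's exit status: 0 only when the signature is good and the signing
# key is in one of the given keyrings. Because --keyring is given, gpgv does not
# fall back to trustedkeys.gpg in the GnuPG home directory.
verify_dsc_signature() {
    dsc=$1
    shift
    args=""
    for keyring in "$@"; do
        args="$args --keyring $keyring"
    done
    # $args is word-split on purpose: one --keyring option per keyring file.
    # shellcheck disable=SC2086
    gpgv $args "$dsc"
}

# Usage: verify_dsc_checksums FILE.dsc
# Prints OK / MISMATCH / MISSING for every file named in Checksums-Sha256 and
# returns 0 only if all of them match. Files are looked up next to the .dsc,
# which is where dget leaves them.
verify_dsc_checksums() {
    dsc=$1
    dir=$(dirname "$dsc")
    rc=0
    # The stanza is "Checksums-Sha256:" followed by indented lines of the form
    # " <sha256> <size> <name>"; it ends at the next unindented field.
    for name in $(awk '/^Checksums-Sha256:/ {f=1; next} /^[^ ]/ {f=0} f {print $3}' "$dsc"); do
        want=$(awk -v n="$name" '/^Checksums-Sha256:/ {f=1; next} /^[^ ]/ {f=0} f && $3 == n {print $1}' "$dsc")
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
            rc=1
            continue
        fi
        have=$(sha256sum "$dir/$name" | awk '{print $1}')
        if [ "$have" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (dsc says $want, file has $have)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: first the signature (if keyrings were given), then the checksums.
if [ $# -gt 0 ]; then
    dsc_arg=$1
    shift
    if [ $# -gt 0 ]; then
        verify_dsc_signature "$dsc_arg" "$@" || exit 1
    fi
    verify_dsc_checksums "$dsc_arg"
fi
```

The order matters: the checksum check only means something once the `.dsc` that carries the checksums has itself been verified against a keyring you have decided to trust, which is exactly the trust decision the page asks you to make before using a downloaded keyring or key.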