Basic packaging
===============

Getting the debianized source
-----------------------------

Using `dget`:

    dget $remote_dsc
    cd $package*

Using `apt-get`:

    apt-get source package

Checking the source
-------------------

This is the tricky part. In theory, you could just run

    dscverify *.dsc

which checks whether the signature was made by a key included in the `debian-keyring` package.

In practice, it should always work for sources you download from the **same** Debian version you're running.
But sources you download from newer versions might not verify, depending on whether the maintainer's key is
already in the `debian-keyring` you installed.

If not, you might try using a newer copy of the `debian-keyring`. We already provide one in the
form of git://anonscm.debian.org/keyring/keyring.git, available as a git submodule in the `keyring` folder:

    gpg --no-default-keyring --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg --verify *.dsc

Or you can use the following alias:

    alias dscverify='dscverify --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg'

This assumes that you initialized the `keyring` submodule and compiled the keyrings:

    ( cd keyring && make )

We use `--no-default-keyring` to make sure `gpg` just looks for the key in the `debian-maintainers` keyring.

Another option is to get the specific key:

    gpg --recv-keys 12345678

Either way, you need criteria for how much trust to give to the keyring or the pubkey
you just downloaded. The same goes for software you're porting to Debian whose signature you can't actually
check against `debian-keyring`.
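
Added example, not part of the original page: `gpg --verify` on a `.dsc` authenticates only the `.dsc` text, whereas `dscverify` also checks the sizes and checksums of the files it lists. The shell function below (its name is hypothetical) does that second check by hand, assuming `awk` and `sha256sum` are installed.

```shell
#!/bin/sh
# Added example (function name is hypothetical): compare the files listed in a
# .dsc's Checksums-Sha256 field with what is on disk. It does NOT check the
# signature; run it only after the .dsc itself has been verified.
check_dsc_checksums() {
    dsc=$1
    dir=$(dirname -- "$dsc")
    # Read the field only from the clearsigned body: drop anything seen before
    # the signed-message header and stop at the signature block.
    entries=$(awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----/ { n = 0; infield = 0; next }
        /^-----BEGIN PGP SIGNATURE-----/      { exit }
        /^Checksums-Sha256:/                  { infield = 1; next }
        infield && /^ /                       { line[++n] = $1 " " $2 " " $3; next }
                                              { infield = 0 }
        END { for (i = 1; i <= n; i++) print line[i] }
    ' "$dsc")
    if [ -z "$entries" ]; then
        echo "no Checksums-Sha256 entries in $dsc" >&2
        return 1
    fi
    status=0
    while read -r want size name; do
        case $name in
            ""|.*|*/*) echo "refusing file name: $name" >&2; status=1; continue ;;
        esac
        file=$dir/$name
        if [ ! -f "$file" ]; then
            echo "missing: $name" >&2; status=1; continue
        fi
        have=$(sha256sum -- "$file" | cut -d' ' -f1)
        bytes=$(wc -c < "$file" | tr -d ' ')
        if [ "$have" = "$want" ] && [ "$bytes" = "$size" ]; then
            echo "ok: $name"
        else
            echo "MISMATCH: $name" >&2; status=1
        fi
    done <<EOF
$entries
EOF
    return "$status"
}

# Usage: sh check_dsc.sh package_version.dsc
if [ "$#" -gt 0 ]; then
    check_dsc_checksums "$1"
fi
```

Run it in the directory where `dget` or `apt-get source` left the `.dsc` and tarballs, before `dpkg-source -x`.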

See also:

* `dscverify(1)` manpage.
* [Debian Public Key Server](http://keyring.debian.org/).
* [apt get - How to get apt-get source verification working? - Super User](https://superuser.com/questions/626810/how-to-get-apt-get-source-verification-working).
* [Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY - Server Fault](http://serverfault.com/questions/337278/debian-how-can-i-securely-get-debian-archive-keyring-so-that-i-can-do-an-apt-g/337283#337283).

Extracting the source
---------------------

If needed, do this after you have successfully verified the sources:

    dpkg-source -x *.dsc

Getting dependencies
--------------------

To get:

    apt-get build-dep package

To remove:

    hydractl remove-dep package

Creating the `debian/` structure
--------------------------------

If the package wasn't debianized, proceed with:

    if [ ! -d "debian" ]; then
        dh_make -p ${package}_${version} --createorig
    fi

Simple build
------------

    dch -i
    dpkg-buildpackage -rfakeroot -sa -k$KEY_ID

Creating a new debian source
----------------------------

    cd ..
    # dpkg-source needs an action; -b builds the source package from the unpacked tree
    dpkg-source -b $package*
    debsign $package*.dsc

Building and signing
--------------------

To generate signatures, remove `-uc` and `-us` from `dpkg-buildpackage` (see
[Complete build](http://www.debian.org/doc/maint-guide/ch-build.pt-br.html#s-completebuild)):

    dpkg-buildpackage -rfakeroot

To sign using a specific key:

    dpkg-buildpackage -rfakeroot -kKEY_ID