path: root/basics.md
blob: 32cabf0843d69449f58223db416f62aafc99525f (plain)
Basic packaging
===============

Getting the debianized source
-----------------------------

Using `dget`:

    dget $remote_dsc
    cd $package*

Using `apt-get`:

    apt-get source package

Checking the source
-------------------

This is the tricky part. In theory, you could just run

    dscverify *.dsc

which checks that the `.dsc` is signed by a key included in the `debian-keyring` package (by default
`dscverify` also consults the `debian-maintainers` keyring) and that the checksums listed in the `.dsc`
match the downloaded files.

In practice this works for sources you download from the **same** Debian release you're running.
Sources from a newer release may fail, depending on whether the maintainer's key is already in the
`debian-keyring` package you have installed.

### Using a newer debian-keyring package

You might want to try a newer `debian-keyring` package (from testing or unstable). We haven't tested this
yet, but it would avoid most of the complexity that follows.

### Installing debian-keyring manually somewhere

If not, you can keep a newer copy of the `debian-keyring` somewhere. We already provide one in the
form of git://anonscm.debian.org/keyring/keyring.git, available as a git submodule in the `keyring` folder:

    gpg --no-default-keyring --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg --verify *.dsc

You might also want to add the following to your `~/.devscripts` (it is a single line; broken here just to keep the formatting):

    DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg:
                        /path/to/debian/keyring/output/keyrings/debian-keyring.gpg"

Or you can use the following alias:

    alias dscverify='dscverify --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg'

This assumes that you initialized the `keyring` submodule and compiled the keyrings:

    ( cd keyring && make )

We use `--no-default-keyring` to make sure `gpg` looks for the key only in the `debian-keyring` we just built, not in your personal `~/.gnupg` keyring.

Another option is to fetch the specific key:

    gpg --recv-keys 12345678

Prefer fetching by full fingerprint rather than by an 8-hex-digit short key ID: short IDs are only 32 bits,
keys with a colliding short ID are trivial to generate, and a keyserver will happily hand you the impostor.
Compare the fingerprint with one obtained out of band (for example the maintainer's entry on the keyring site
listed below).

Either way, you need a criterion for how much trust to place in the keyring or the public key you just
downloaded. The same goes for software you're porting to Debian whose signature you can't check against
`debian-keyring`.

Things get even trickier when you try to use `dpkg-source`.

Even if you symlink `keyring/output/keyrings/debian-keyring.gpg` as `keyring/output/keyrings/trustedkeys.gpg`
and point `GNUPGHOME` to this folder, you'll still get a weird behavior:

    0 $ dget http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc
    dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  1827  100  1827    0     0   2626      0 --:--:-- --:--:-- --:--:--  4911
    dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2.orig.tar.gz
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 26055  100 26055    0     0  20738      0  0:00:01  0:00:01 --:--:-- 27455
    dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.debian.tar.xz
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  2892  100  2892    0     0   4183      0 --:--:-- --:--:-- --:--:--  8078
    ruby-childprocess_0.5.2-1.dsc:
          Good signature found
       validating ruby-childprocess_0.5.2.orig.tar.gz
       validating ruby-childprocess_0.5.2-1.debian.tar.xz
    All files validated successfully.
    gpgv: Signature made Mon 28 Apr 2014 18:03:27 BRT using RSA key ID 39CD217A
    gpgv: Can't check signature: public key not found
    dpkg-source: warning: failed to verify signature on ./ruby-childprocess_0.5.2-1.dsc
    dpkg-source: info: extracting ruby-childprocess in ruby-childprocess-0.5.2
    dpkg-source: info: unpacking ruby-childprocess_0.5.2.orig.tar.gz
    dpkg-source: info: unpacking ruby-childprocess_0.5.2-1.debian.tar.xz
    0 $

What happened here is that `dscverify` honoured our custom configuration above, while `dpkg-source` (which
calls `gpgv`) still relies on the keyrings shipped by the `debian-keyring` package. Note also that `dpkg-source`
only **warns** about the failed verification and unpacks the source anyway; pass `--require-valid-signature`
if you want it to refuse instead.

Even if you remove the `debian-keyring` package, it will still fall back to your `$HOME/.gnupg/trustedkeys.gpg`,
which you don't really want to fill with keys you haven't established a proper trust relationship with.

As `dpkg-source` currently doesn't honour `GNUPGHOME` (see TODO for the bug report), all we can do for now is
call `dget` and `dpkg-source` with

    HOME=/path/to/debian/keyring/output/ dpkg-source -x $package*dsc
    HOME=/path/to/debian/keyring/output/ dget <remote-dsc>

For this trick to work, you need to

    ( cd /path/to/debian/keyring/output/ && ln -s keyrings .gnupg && cd .gnupg && ln -s debian-keyring.gpg trustedkeys.gpg )

And also set `/path/to/debian/keyring/output/.devscripts` to the following content (again a single line, broken here for formatting):

    DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg:
                        ~/keyrings/debian-keyring.gpg"

Again, you might set two handy aliases:

    alias dpkg-source='HOME=/path/to/debian/keyring/output/ dpkg-source'
    alias dget='HOME=/path/to/debian/keyring/output/ dget'
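The same trick packaged as two small shell functions, added here as an example (this is not the project's own code): `setup_keyring_home` creates the `.gnupg` and `trustedkeys.gpg` symlinks and the `.devscripts` file inside the keyring output directory, idempotently, and `in_keyring_home` runs `dget`, `dpkg-source` or anything else with `HOME` pointed there, after checking that `trustedkeys.gpg` actually resolves to a readable keyring. `/path/to/debian/keyring/output` is the placeholder from above; the `.devscripts` is written with the absolute keyring path instead of `~/keyrings/...`, so it does not depend on tilde expansion by `dscverify`. Assumes POSIX sh.

```shell
#!/bin/sh
# Added example, not the project's own code.  Usage:
#   setup_keyring_home /path/to/debian/keyring/output
#   in_keyring_home    /path/to/debian/keyring/output dget <remote-dsc>
#   in_keyring_home    /path/to/debian/keyring/output dpkg-source -x foo_1.0-1.dsc

# Lay out $home so that gpgv (via dpkg-source) and dscverify (via .devscripts)
# both find the freshly built debian-keyring.gpg.  Idempotent: existing links
# and files are left alone.
setup_keyring_home() {
    home=$1
    keyring="$home/keyrings/debian-keyring.gpg"
    [ -r "$keyring" ] || { echo "keyring not built: $keyring (run 'make' in keyring/)" >&2; return 1; }
    # gpgv looks for ~/.gnupg/trustedkeys.gpg; dpkg-source does not honour GNUPGHOME.
    [ -e "$home/.gnupg" ] || ln -s keyrings "$home/.gnupg"
    [ -e "$home/.gnupg/trustedkeys.gpg" ] || ln -s debian-keyring.gpg "$home/.gnupg/trustedkeys.gpg"
    # dscverify reads ~/.devscripts; an absolute path avoids relying on tilde expansion.
    if [ ! -e "$home/.devscripts" ]; then
        printf 'DSCVERIFY_KEYRINGS="%s:%s:%s"\n' \
            /usr/share/keyrings/debian-keyring.gpg \
            /usr/share/keyrings/debian-maintainers.gpg \
            "$keyring" > "$home/.devscripts"
    fi
}

# Run a command with HOME pointed at the keyring directory, but only after
# confirming the layout: with a dangling trustedkeys.gpg every signature would
# fail, and dpkg-source only warns about that and unpacks anyway (see the
# transcript above).
in_keyring_home() {
    home=$1; shift
    if [ ! -L "$home/.gnupg" ] || [ ! -r "$home/.gnupg/trustedkeys.gpg" ]; then
        echo "$home is not set up; run setup_keyring_home first" >&2
        return 1
    fi
    HOME=$home "$@"
}
```

Source the file from your shell rc and the two aliases above become `in_keyring_home /path/to/debian/keyring/output dpkg-source` and `... dget`, with the added benefit that a half-finished setup is reported instead of silently verifying nothing.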

Then you might be happy... for a while :P

See also:

* `dscverify(1)` manpage.
* [Debian Public Key Server](http://keyring.debian.org/).
* [apt get - How to get apt-get source verification working? - Super User](https://superuser.com/questions/626810/how-to-get-apt-get-source-verification-working).
* [Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY - Server Fault](http://serverfault.com/questions/337278/debian-how-can-i-securely-get-debian-archive-keyring-so-that-i-can-do-an-apt-g/337283#337283).
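As an added example (not code from this page or from the project it documents), here is a small POSIX sh script that does for a `.dsc` what `dscverify` and `dpkg-source` do, but with one explicit keyring and no implicit fallback to `~/.gnupg/trustedkeys.gpg` or to the `debian-keyring` package: the signature is checked with `gpgv --keyring`, and every file in the `Checksums-Sha256` stanza is checked for both size and SHA-256 before anything is unpacked. The keyring path and package names are placeholders; `make_sample_dsc` builds a constructed, unsigned sample (dummy tarballs, no real `.dsc` fields beyond the stanza) so the checksum half can be exercised offline. It assumes coreutils (`sha256sum`, `wc`, `awk`) and `gpgv` for the signature step.

```shell
#!/bin/sh
# Added example, not the project's own code: verify a .dsc against ONE explicit
# keyring and validate the files it lists.  Assumes coreutils + gpgv.

# Signature check.  gpgv (what dpkg-source uses) consults only the keyrings
# passed with --keyring when at least one is given, so neither
# ~/.gnupg/trustedkeys.gpg nor /usr/share/keyrings/*.gpg is looked at here.
verify_dsc_signature() {
    keyring=$1 dsc=$2
    [ -r "$keyring" ] || { echo "no such keyring: $keyring" >&2; return 2; }
    gpgv --keyring "$keyring" "$dsc"
}

# Checksum check.  Every "<sha256> <size> <name>" line of the Checksums-Sha256
# stanza must match a file next to the .dsc, by size AND digest.  Names with a
# path component are refused, as dpkg-source would.
verify_dsc_checksums() {
    dsc=$1
    [ -r "$dsc" ] || { echo "cannot read $dsc" >&2; return 1; }
    dir=$(dirname "$dsc")
    entries=$(awk '/^Checksums-Sha256:/ {f=1; next} /^[^ ]/ {f=0} f {print $1, $2, $3}' "$dsc")
    [ -n "$entries" ] || { echo "$dsc: no Checksums-Sha256 stanza" >&2; return 1; }
    status=0
    while read -r want_sum want_size name; do
        case $name in
            */*|.*) echo "refusing name with path component: $name" >&2; status=1; continue ;;
        esac
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "missing: $name" >&2; status=1; continue
        fi
        have_size=$(( $(wc -c < "$path") ))
        have_sum=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$have_size" != "$want_size" ] || [ "$have_sum" != "$want_sum" ]; then
            echo "MISMATCH: $name (size $have_size, expected $want_size)" >&2; status=1
        else
            echo "ok: $name"
        fi
    done <<EOF
$entries
EOF
    return $status
}

# Both checks; unpack only if both pass.
check_source() {
    keyring=$1 dsc=$2
    verify_dsc_signature "$keyring" "$dsc" && verify_dsc_checksums "$dsc"
}

# Constructed sample for the demo: two dummy "tarballs" and an UNSIGNED .dsc
# listing them, so only the checksum half can be exercised offline.
# Prints the path of the generated .dsc.
make_sample_dsc() {
    dir=$1
    printf 'not really an upstream tarball\n' > "$dir/foo_1.0.orig.tar.gz"
    printf 'not really a debian tarball\n'    > "$dir/foo_1.0-1.debian.tar.xz"
    {
        printf 'Format: 3.0 (quilt)\nSource: foo\nVersion: 1.0-1\nChecksums-Sha256:\n'
        for f in foo_1.0.orig.tar.gz foo_1.0-1.debian.tar.xz; do
            printf ' %s %s %s\n' "$(sha256sum "$dir/$f" | cut -d' ' -f1)" \
                                 "$(( $(wc -c < "$dir/$f") ))" "$f"
        done
    } > "$dir/foo_1.0-1.dsc"
    echo "$dir/foo_1.0-1.dsc"
}

# Demo: `sh check-dsc.sh demo` validates the sample, tampers with it, re-runs.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    dsc=$(make_sample_dsc "$tmp")
    verify_dsc_checksums "$dsc" && echo "pristine sample: OK"
    printf 'x' >> "$tmp/foo_1.0.orig.tar.gz"
    verify_dsc_checksums "$dsc" || echo "tampered sample: REJECTED (as expected)"
    rm -rf "$tmp"
fi
```

For a real package you would call `check_source /path/to/debian/keyring/output/keyrings/debian-keyring.gpg foo_1.0-1.dsc` before `dpkg-source -x`; the point of the explicit `--keyring` is that the decision about which keys to trust is made once, in the command line, rather than by whichever `trustedkeys.gpg` happens to be in `$HOME`.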

Extracting the source
---------------------

If needed, do this after you have successfully verified the sources:

    dpkg-source -x *.dsc

Getting dependencies
--------------------

To get:

    apt-get build-dep package

To remove:

    hydractl remove-dep package

Creating the `debian/` structure
--------------------------------

If the package wasn't debianized, proceed with

    if [ ! -d "debian" ]; then
      dh_make -p ${package}_${version} --createorig
    fi

Simple build
------------

    dch -i
    dpkg-buildpackage -rfakeroot -sa -k$KEY_ID

Creating a new debian source
----------------------------

    cd ..
    dpkg-source -b $package*
    debsign $package*.dsc

Building and signing
--------------------

To generate signatures, remove `-uc` and `-us` from `dpkg-buildpackage` (see
[Complete build](http://www.debian.org/doc/maint-guide/ch-build.pt-br.html#s-completebuild)):

    dpkg-buildpackage -rfakeroot

To sign using a specific key:

    dpkg-buildpackage -rfakeroot -kKEY_ID