On Wed, Mar 03, 2010 at 04:20:36PM -0500, Michael Gilbert wrote:
> On Wed, 03 Mar 2010 21:58:11 +0100, Frank Lin PIAT wrote:
> > Signed debs may introduce a fake sense of security (only apt repositories
> > provide security updates). By signing packages, users may assume that a
> > package is safe when it isn't.
>
> it should actually be possible to do this securely. dpkg could be
> made to work like apt where it only blindly trusts packages signed
> by keys in /etc/apt/trusted.gpg. the downfall is that there is nothing
> stopping the user from adding additional (potentially less than
> trustworthy keys), but that isn't really solvable without destroying
> freedom, and it isn't any different from the current state for apt.
Completely agreed.

Also, because playing around is always more fun than just talking, I've
attached a script that signs/verifies binary packages. Dpkg doesn't seem
to mind the extra files.

This script signs each file in the package individually, but it could
also concatenate them all alphabetically and create just one signature.

Cheers,
harry
#!/bin/sh

usage() {
	cat <<EOF
Usage: debsign -s|-v <debfile>
Sign or verify Debian packages
  -s  sign
  -v  verify
EOF
}

# Sign one archive member with a detached signature and append it to the .deb
sign() {
	echo "signing ${DEB}:${FILE}"
	ar p "${DEB}" "${FILE}" | gpg --detach-sign --output "${SIG}" - && \
		ar r "${DEB}" "${SIG}"
}

# Verify one archive member against its <member>.sig companion in the .deb
verify() {
	echo "verifying signature of ${DEB}:${FILE}"
	ar p "${DEB}" "${FILE}.sig" > "${SIG}" && \
		ar p "${DEB}" "${FILE}" | gpg --verify "${SIG}" -
}

[ $# -eq 2 ] || { usage >&2; exit 1; }
DEB="$2"
case "$1" in
	-s) OP="sign";;
	-v) OP="verify";;
	*) usage >&2; exit 1;;
esac
[ -f "${DEB}" ] || { printf "%s\n" "${DEB} not found" >&2; exit 1; }

TMPDIR=$(mktemp -d --tmpdir debsign.XXXXXXXXXX)

# Walk every member of the ar archive, skipping existing .sig members.
# The loop runs in a subshell (right-hand side of the pipe), so its
# "exit 1" only sets the pipeline's status, which is captured below.
ar t "${DEB}" | while read FILE; do
	[ "${FILE##*.}" != "sig" ] || continue
	SIG="${TMPDIR}/${FILE}.sig"
	${OP} || exit 1
done
RC=$?

rm "${TMPDIR}"/* 2>/dev/null
rmdir "${TMPDIR}" 2>/dev/null
if [ ${RC} -eq 0 ]; then
	echo "OK"
else
	echo "Failed"
fi
# "return" is only valid inside a function; a script must "exit"
exit ${RC}
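The one-signature variant mentioned above, combined with Michael's point about trusting only the keys in /etc/apt/trusted.gpg, as an added Python example that is not part of this thread: it parses the .deb (an ar archive), builds a single canonical blob from all members in alphabetical order, and verifies one detached signature against a caller-supplied keyring only. The signature member name `_gpgsig`, the name/length framing inside the blob, and the tiny `ar_pack` writer are this example's own assumptions, not dpkg's.

```python
import struct, subprocess, tempfile

AR_MAGIC = b"!<arch>\n"
SIG_MEMBER = "_gpgsig"   # hypothetical name of the single signature member

def ar_members(data):
    """Parse an ar archive into [(name, bytes)]; accepts GNU ('name/') and dpkg-style names."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt member header at offset %d" % pos)
        name, size = hdr[0:16].decode("ascii").rstrip(" ").rstrip("/"), int(hdr[48:58])
        if pos + 60 + size > len(data):
            raise ValueError("truncated member %r" % name)
        members.append((name, data[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size & 1)   # bodies are padded to an even length
    return members

def ar_pack(members):
    """Minimal ar writer (constructed here) to build archives and append the signature member."""
    out = bytearray(AR_MAGIC)
    for name, body in members:
        out += b"%-16s%-12d%-6d%-6d%-8o%-10d`\n" % (name.encode(), 0, 0, 0, 0o100644, len(body))
        out += body + (b"\n" if len(body) & 1 else b"")
    return bytes(out)

def canonical_blob(members):
    """Concatenate non-signature members alphabetically, each prefixed with name and length."""
    # The framing matters: plain concatenation would let bytes shift between members unnoticed.
    blob = bytearray()
    for name, body in sorted(m for m in members if m[0] != SIG_MEMBER):
        blob += struct.pack(">H", len(name)) + name.encode() + struct.pack(">Q", len(body)) + body
    return bytes(blob)

def verify_deb(deb_path, keyring):
    """Verify the single detached signature against ONLY `keyring` (e.g. a copy of
    /etc/apt/trusted.gpg), never against the user's default keyring."""
    with open(deb_path, "rb") as f:
        members = ar_members(f.read())
    sigs = [body for name, body in members if name == SIG_MEMBER]
    if len(sigs) != 1:
        return False                      # unsigned, or more than one signature member
    with tempfile.NamedTemporaryFile(suffix=".sig") as sig:
        sig.write(sigs[0]); sig.flush()
        r = subprocess.run(["gpg", "--no-default-keyring", "--keyring", keyring, "--verify",
                            sig.name, "-"], input=canonical_blob(members), capture_output=True)
    return r.returncode == 0
```

To sign, run `gpg --detach-sign` over `canonical_blob(members)` and append the result with `ar_pack(members + [(SIG_MEMBER, signature)])`; only `verify_deb` needs gpg installed.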