On 03/24/2014 07:51 PM, Russ Allbery wrote: > I'm curious -- why do we have two different supported paths? At least in > my experience the ASCII-armored key is much easier to deal with, since you > don't have to configure dpkg to allow binary files in the debian > directory. I'm not sure that I see any drawback to just saying to always > use the *.asc form.
we actually have three supported paths at the moment:
debian/upstream-signing-key.pgp
debian/upstream/signing-key.pgp
debian/upstream/signing-key.asc
the first was my first implementation of this mechanism. the binary
form is easiest to use directly with gpgv, which was the only additional
dependency.
Later, James McCoy moved the file to debian/upstream/ (which i didn't
know existed when i made the original implementation) and added code to
support the *.asc version. the *.asc version can only be checked if
gnupg is available, apparently (though it should be easy enough to just
use perl's MIME::Base64 to convert if we wanted to drop the gnupg
dependency and just leave it depending on gpgv)
I'd be happy to see us settle on one single location, and if folks think
that the .asc version is the better option, updating lintian to nag
about the other ones until they go away seems doable before we freeze
for jessie. I'll even file patches or do NMUs for packages that need
them if a lintian tag appears.
Thinking further, I wonder if we should also encourage packagers to
store the detached signature itself in the packaging directly (e.g.
maybe in debian/upstream/signature.asc), so that the upstream tarball
can be re-verified against the signing key even if the upstream archive
goes offline; maybe that's a separate issue.
> Another comment based on my personal experience with this is that, if the
> packager is generating this key by exporting a key from a keyring (for
> example, for the packages for which I'm also upstream, I'm exporting my
> own key), they should do so with --export-options export-minimal. It
> makes the file *much* smaller, and I don't think there's any need to
> include all of the key signatures. The mere presence of this key in the
> (signed) Debian source package already indicates the trust relationship
> that's relevant for this purpose, and the end user can always retrieve
> additional key signatures from a public keyserver if they really want
> them.
Yes, i do the same thing, and I agree with your security analysis of the
reasons for having (or not having) any OpenPGP certifications on the
upstream signing key(s) beyond the self-sigs.
That said, if a debian packager wants to include extra OpenPGP
certifications of moderate length, i don't think we should forbid them
from doing so (i can imagine a packager wanting to include their own
certification if they have made one, for example).
> I use:
>
> gpg --export --armor --export-options export-minimal <key> \
> > debian/upstream/signing-key.asc
i think that's good advice, though i don't know whether it belongs in
debian-policy or developers-reference.
--dkg
signature.asc
Description: OpenPGP digital signature
