I'm releasing these things now... have them in development and use for a couple weeks/months now.
A Python module for doing debsigs-type package signatures and
verification thereof. Uses and included module for GnuPG file
signatures and verification.
It also includes a miniscript that, given a .changes file, signs the
.deb, the .dsc and the .changes file (with the md5s in .changes
adjusted).
jerhard.org/files/python-debsigs-snapshot.tar.gz
This one is infrastructure for verification of packages based on
Release/Release.gpg.
jerhard.org/files/verifydebs-snapshot.tar.gz
Both are a bit underdocumented (meaning: no docs at all), so Use the
Source, Luke.
Hope someone will like it. I do ;-)
I'm also *very* much interested in finding out what is insecurely
done. It could be improved by using the Python gpgme wrapper. Any
patches are *very* welcome!
Bye, J
PS: Yes, a crosspost, but both packages are linked (verifydebs uses
python-debsigs), and both have stuff for developers and users. Flame
me anyway, if you must ;-)
--
Jürgen A. Erhard
Invasion! http://invasion.jerhard.org
I'm a FIG (http://www.fig.org)
Ach, wir Paranoiker sind schon irgendwie verrückt.
pgp00000.pgp
Description: PGP signature
