I found it very hard to set up .deb file signing and signature verification with debsigs and debsig-verify. There is an old HOWTO that is widely cited, but it does not work, at least not with current versions of these tools.

I did eventually get it working, so I am posting this question together with my answer in case it helps someone else. After enough digging, every challenge I ran into had a solution, but I could not find anything that tied them together into a working process.
This is based on debsigs 0.1.26 and debsig-verify 1.20.9. After installing debsigs, you can find the details under /usr/share/doc/debsig-verify/ in:
policy-syntax.txt
examples/
debsig-verify verifies packages signed by debsigs, not dpkg-sig.
The relevant directory names and command options imply that you are using a keyring file
debsig-verify --version
debsigs
cut
# run as root (or prefix with sudo): the keyring and policy dirs below are system directories

# create key
gpg --full-generate-key
# follow prompts; for testing it's easier to use no passphrase

# add key for debsigs in KEY_ID dir
# the key ID that debsigs/debsig-verify use is the last 16 hex chars of the 40-char fingerprint
FPR="<key fingerprint>"          # paste the fingerprint from "gpg --fingerprint", without spaces
KEY_ID=$(echo -n "$FPR" | cut -c25-)
echo -n "$KEY_ID" | wc -c         # must be 16 chars
KEY_DIR=/usr/share/debsig/keyrings/$KEY_ID
mkdir -p "$KEY_DIR"
gpg --export "$KEY_ID" > "$KEY_DIR/debsig.gpg"   # binary export: not ASCII-armored & not a keyring

# create XML policy
POL_DIR=/etc/debsig/policies/$KEY_ID
mkdir -p "$POL_DIR"
vi "$POL_DIR/my-app.pol"
#   copy/paste an example from /usr/share/doc/debsig-verify/examples/
#   replace every id= value with $KEY_ID (it appears in more than one element)
#   replace the File= value with debsig.gpg

# sign package
debsigs --sign=origin --default-key="$KEY_ID" my-app-2.1.0.deb
# You should be prompted for the key's passphrase - if not, sort that out directly w/ gpg first
# if a KDE desktop is running, the prompt may pop up in a GUI dialog box

# verify package
debsig-verify --debug --verbose my-app-2.1.0.deb

# utility commands
# show signature in .deb
debsigs --list my-app-2.1.0.deb
# note: some debsigs versions (0.01.19) crash when the signature starts with a comment;
# upgrade to a newer version (0.1.26)
# show gpg packets from the signature file
ar x my-app-2.1.0.deb _gpgorigin   # extract the signature member
gpg --list-packets _gpgorigin
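To show what the `ar x ... _gpgorigin` step at the end is working with, here is an added example of my own (not code from the question or answer above, and not the debsigs or debsig-verify implementation): a small Python parser for the ar container that a .deb is, which lists the members and pulls out the `_gpgorigin` signature member that debsigs appends. The sample archive is constructed inline with placeholder tarball bytes and a placeholder signature blob; it also assumes (my understanding, not confirmed by the page) that the signature covers the concatenated contents of the members that precede `_gpgorigin`.

```python
AR_MAGIC = b"!<arch>\n"

def ar_members(blob):
    """Parse an ar archive (the container format of a .deb) into an ordered
    list of (name, data) tuples. Raises ValueError on malformed input."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]                       # fixed 60-byte member header
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")   # dpkg and GNU ar name styles
        size = int(hdr[48:58].decode("ascii").strip())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        members.append((name, data))
        pos += 60 + size + (size & 1)                  # member data is padded to an even offset
    return members

def signed_payload_and_sig(blob, sig_member="_gpgorigin"):
    """Return (payload, signature) for a debsigs-signed .deb, or (None, None) if
    the signature member is absent. ASSUMPTION: the payload debsigs signs is the
    concatenation of the members that precede the signature member."""
    members = ar_members(blob)
    names = [n for n, _ in members]
    if sig_member not in names:
        return None, None
    idx = names.index(sig_member)
    return b"".join(d for _, d in members[:idx]), members[idx][1]

def ar_member(name, data):
    """Build one ar member (GNU-style 'name/' header) for a constructed sample archive."""
    hdr = ((name + "/").ljust(16).encode("ascii") + b"0".ljust(12) + b"0".ljust(6)
           + b"0".ljust(6) + b"100644".ljust(8) + str(len(data)).ljust(10).encode("ascii") + b"`\n")
    return hdr + data + (b"\n" if len(data) & 1 else b"")

# Constructed sample: real .deb members carry gzip/xz tarballs; these are placeholders.
SAMPLE_SIG = b"<constructed placeholder, not a real OpenPGP signature packet>"

def build_sample_deb(signed=True):
    members = [("debian-binary", b"2.0\n"),
               ("control.tar.gz", b"<constructed control tarball>"),
               ("data.tar.gz", b"<constructed data tarball>")]
    if signed:
        members.append(("_gpgorigin", SAMPLE_SIG))
    return AR_MAGIC + b"".join(ar_member(n, d) for n, d in members)
```

On a real package, `ar_members(open("my-app-2.1.0.deb", "rb").read())` lists the same members `debsigs --list` and `ar t` report, and the extracted `_gpgorigin` bytes are what `gpg --list-packets` decodes.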