gitweb.fluxo.info Git - debian.git/commitdiff
'Checking the source' in a dedicated file
author Silvio Rhatto <rhatto@riseup.net>
Tue, 28 Oct 2014 23:28:58 +0000 (21:28 -0200)
committer Silvio Rhatto <rhatto@riseup.net>
Tue, 28 Oct 2014 23:28:58 +0000 (21:28 -0200)
basics.md
checking.md [new file with mode: 0644]

index a47b73af659ca74785151ee32bf9ce4d4e13ee8d..53b19c751d145d5822d7735a5ce564e0248bb4f1 100644 (file)
--- a/basics.md
+++ b/basics.md
@@ -16,121 +16,7 @@ Using `apt-get`:
 Checking the source
 -------------------
 
-This is the trick part. In theory, you could run just
-
-    dscverify *.dsc
-
-Which would check if the signature was made for a key included in the `debian-keyring` package.
-
-In practice, it should always work for sources you download from the **same** Debian version you're running.
-But sources you download from newer versions might not work, depending basically if the maintainer's key is
-already on the `debian-keyring` you installed.
-
-### Using a newer debian-keyring package
-
-You might want to try a newer `debian-keyring` package (for testing or unstable), which we haven't tested
-yet but can reduce a lot of complexity that follows.
-
-### Install manually debian-keyring somewhere
-
-If not, you might try to have a newer copy of the `debian-keyring` somewhere. We already provide one in the
-form of git://anonscm.debian.org/keyring/keyring.git available as a git submodule in the `keyring` folder:
-
-    gpg --no-default-keyring --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg --verify *.dsc
-
-You might also want to have the following on your `~/.devscripts` (line break just to keep formatting here):
-
-    DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg:
-                        /path/to/debian/keyring/output/keyrings/debian-keyring.gpg"
-
-Or you can use the following alias:
-
-    alias dscverify='dscverify --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg'
-
-This assumes that you initialized the `keyring` submodule and compiled the keyrings:
-
-    ( cd keyring && make )
-
-We use `--no-default-keyring` to make sure `gpg` just looks for the key in the `debian-maintainers` keyring.
-
-Another option is to get the specific key:
-
-    gpg --recv-keys 12345678
-
-Either way, you have to have a criteria about how much trust you should give to the keyring or the pubkey
-you just downloaded. The same goes for software you're porting to Debian and that you can't actually check
-it's signature against `debian-keyring`.
-
-Things get even trickier when you try to use `dpkg-source`.
-
-Even if you symlink `keyring/output/keyrings/debian-keyring.gpg` as `keyring/output/keyrings/debian-keyring.gpg/trustedkeys.gpg`
-and point `GNUPGHOME` to this folder you'll still get a weird behavior:
-
-    0 $ dget http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc
-    dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc
-      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
-                                     Dload  Upload   Total   Spent    Left  Speed
-    100  1827  100  1827    0     0   2626      0 --:--:-- --:--:-- --:--:--  4911
-    dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2.orig.tar.gz
-      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
-                                     Dload  Upload   Total   Spent    Left  Speed
-    100 26055  100 26055    0     0  20738      0  0:00:01  0:00:01 --:--:-- 27455
-    dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.debian.tar.xz
-      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
-                                     Dload  Upload   Total   Spent    Left  Speed
-    100  2892  100  2892    0     0   4183      0 --:--:-- --:--:-- --:--:--  8078
-    ruby-childprocess_0.5.2-1.dsc:
-          Good signature found
-       validating ruby-childprocess_0.5.2.orig.tar.gz
-       validating ruby-childprocess_0.5.2-1.debian.tar.xz
-    All files validated successfully.
-    gpgv: Signature made Seg 28 Abr 2014 18:03:27 BRT using RSA key ID 39CD217A
-    gpgv: Impossível verificar assinatura: chave pública não encontrada
-    dpkg-source: warning: failed to verify signature on ./ruby-childprocess_0.5.2-1.dsc
-    dpkg-source: info: extracting ruby-childprocess in ruby-childprocess-0.5.2
-    dpkg-source: info: unpacking ruby-childprocess_0.5.2.orig.tar.gz
-    dpkg-source: info: unpacking ruby-childprocess_0.5.2-1.debian.tar.xz
-    0 $
-
-What happened here is that `dscverify` honoured our custom configuration above while `dpkg-source` is still relying on
-the one available in the `debian-keyring` package.
-
-Even if you remove the `debian-keyring` package, it will still fallback to your `$HOME/.gnupg/trustedkeys.gpg` which
-you don't really want to fill with keys you actually haven't stablished a proper trust relationship.
-
-As currently `dpkg-source` doesn't honour `GNUPGHOME` (see TODO for bugreport), all we can do currently is call `dget`
-and `dpkg-source` with
-
-    HOME=/path/to/debian/keyring/output/ dpkg-source -x $package*dsc
-    HOME=/path/to/debian/keyring/output/ dget <remote-dsc>
-
-For this trick to work, you'll need to
-
-    ( cd /path/to/debian/keyring/output/ && ln -s keyrings .gnupg && cd .gnupg && ln -s debian-keyring.gpg trustedkeys.gpg )
-
-And also set the `/path/to/debian/keyring/output/.devscripts` to the following content:
-
-    DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg:
-                        ~/keyrings/debian-keyring.gpg"
-
-Again, you might set two handy aliases:
-
-    alias dpkg-source='HOME=/path/to/debian/keyring/output/ dpkg-source'
-    alias dget='HOME=/path/to/debian/keyring/output/ dget'
-
-As a last touch, import your own key into this keyring:
-
-    gpg --armor --export $KEYID | \
-    gpg --no-default-keyring --keyring /path/to/debian/keyring/output/.gnupg/trustedkeys.gpg --import
-
-Then you might be happy... for a while :P
-
-See also:
-
-* `dscverify(1)` manpage.
-* [Debian Public Key Server](http://keyring.debian.org/).
-* [apt get - How to get apt-get source verification working? - Super User](https://superuser.com/questions/626810/how-to-get-apt-get-source-verification-working).
-* [Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY - Server Fault](http://serverfault.com/questions/337278/debian-how-can-i-securely-get-debian-archive-keyring-so-that-i-can-do-an-apt-g/337283#337283).
+See `checking.md`.
 
 Extracting the source
 ---------------------
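Review bot: the replacement line `See `checking.md`.` leaves the "Checking the source" heading with nothing but a bare filename; writing it as a link, `See [checking.md](checking.md).`, keeps navigation working wherever the markdown is rendered. The removed block is otherwise identical, line for line, to what the new file adds, so this hunk is a clean move and the wording issues in that text are better raised against `checking.md`.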
diff --git a/checking.md b/checking.md
new file mode 100644 (file)
index 0000000..f0a71a8
--- /dev/null
@@ -0,0 +1,119 @@
+Checking the source
+===================
+
+This is the trick part. In theory, you could run just
+
+    dscverify *.dsc
+
+Which would check if the signature was made for a key included in the `debian-keyring` package.
+
+In practice, it should always work for sources you download from the **same** Debian version you're running.
+But sources you download from newer versions might not work, depending basically if the maintainer's key is
+already on the `debian-keyring` you installed.
+
+### Using a newer debian-keyring package
+
+You might want to try a newer `debian-keyring` package (for testing or unstable), which we haven't tested
+yet but can reduce a lot of complexity that follows.
+
+### Install manually debian-keyring somewhere
+
+If not, you might try to have a newer copy of the `debian-keyring` somewhere. We already provide one in the
+form of git://anonscm.debian.org/keyring/keyring.git available as a git submodule in the `keyring` folder:
+
+    gpg --no-default-keyring --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg --verify *.dsc
+
+You might also want to have the following on your `~/.devscripts` (line break just to keep formatting here):
+
+    DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg:
+                        /path/to/debian/keyring/output/keyrings/debian-keyring.gpg"
+
+Or you can use the following alias:
+
+    alias dscverify='dscverify --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg'
+
+This assumes that you initialized the `keyring` submodule and compiled the keyrings:
+
+    ( cd keyring && make )
+
+We use `--no-default-keyring` to make sure `gpg` just looks for the key in the `debian-maintainers` keyring.
+
+Another option is to get the specific key:
+
+    gpg --recv-keys 12345678
+
+Either way, you have to have a criteria about how much trust you should give to the keyring or the pubkey
+you just downloaded. The same goes for software you're porting to Debian and that you can't actually check
+it's signature against `debian-keyring`.
+
+Things get even trickier when you try to use `dpkg-source`.
+
+Even if you symlink `keyring/output/keyrings/debian-keyring.gpg` as `keyring/output/keyrings/debian-keyring.gpg/trustedkeys.gpg`
+and point `GNUPGHOME` to this folder you'll still get a weird behavior:
+
+    0 $ dget http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc
+    dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc
+      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                     Dload  Upload   Total   Spent    Left  Speed
+    100  1827  100  1827    0     0   2626      0 --:--:-- --:--:-- --:--:--  4911
+    dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2.orig.tar.gz
+      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                     Dload  Upload   Total   Spent    Left  Speed
+    100 26055  100 26055    0     0  20738      0  0:00:01  0:00:01 --:--:-- 27455
+    dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.debian.tar.xz
+      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                     Dload  Upload   Total   Spent    Left  Speed
+    100  2892  100  2892    0     0   4183      0 --:--:-- --:--:-- --:--:--  8078
+    ruby-childprocess_0.5.2-1.dsc:
+          Good signature found
+       validating ruby-childprocess_0.5.2.orig.tar.gz
+       validating ruby-childprocess_0.5.2-1.debian.tar.xz
+    All files validated successfully.
+    gpgv: Signature made Seg 28 Abr 2014 18:03:27 BRT using RSA key ID 39CD217A
+    gpgv: Impossível verificar assinatura: chave pública não encontrada
+    dpkg-source: warning: failed to verify signature on ./ruby-childprocess_0.5.2-1.dsc
+    dpkg-source: info: extracting ruby-childprocess in ruby-childprocess-0.5.2
+    dpkg-source: info: unpacking ruby-childprocess_0.5.2.orig.tar.gz
+    dpkg-source: info: unpacking ruby-childprocess_0.5.2-1.debian.tar.xz
+    0 $
+
+What happened here is that `dscverify` honoured our custom configuration above while `dpkg-source` is still relying on
+the one available in the `debian-keyring` package.
+
+Even if you remove the `debian-keyring` package, it will still fallback to your `$HOME/.gnupg/trustedkeys.gpg` which
+you don't really want to fill with keys you actually haven't stablished a proper trust relationship.
+
+As currently `dpkg-source` doesn't honour `GNUPGHOME` (see TODO for bugreport), all we can do currently is call `dget`
+and `dpkg-source` with
+
+    HOME=/path/to/debian/keyring/output/ dpkg-source -x $package*dsc
+    HOME=/path/to/debian/keyring/output/ dget <remote-dsc>
+
+For this trick to work, you'll need to
+
+    ( cd /path/to/debian/keyring/output/ && ln -s keyrings .gnupg && cd .gnupg && ln -s debian-keyring.gpg trustedkeys.gpg )
+
+And also set the `/path/to/debian/keyring/output/.devscripts` to the following content:
+
+    DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg:
+                        ~/keyrings/debian-keyring.gpg"
+
+Again, you might set two handy aliases:
+
+    alias dpkg-source='HOME=/path/to/debian/keyring/output/ dpkg-source'
+    alias dget='HOME=/path/to/debian/keyring/output/ dget'
+
+As a last touch, import your own key into this keyring:
+
+    gpg --armor --export $KEYID | \
+    gpg --no-default-keyring --keyring /path/to/debian/keyring/output/.gnupg/trustedkeys.gpg --import
+
+Then you might be happy... for a while :P
+
+See also:
+
+* `dscverify(1)` manpage.
+* [Debian Public Key Server](http://keyring.debian.org/).
+* [apt get - How to get apt-get source verification working? - Super User](https://superuser.com/questions/626810/how-to-get-apt-get-source-verification-working).
+* [Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY - Server Fault](http://serverfault.com/questions/337278/debian-how-can-i-securely-get-debian-archive-keyring-so-that-i-can-do-an-apt-g/337283#337283).
+
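Review bot: the paragraph "We use `--no-default-keyring` to make sure `gpg` just looks for the key in the `debian-maintainers` keyring" does not match the commands it explains: the `gpg --verify` line and the `dscverify` alias both point at `debian-keyring.gpg`, not `debian-maintainers.gpg`; name the same keyring in both places, or pass both files with two `--keyring` options and say so. The symlink path `keyring/output/keyrings/debian-keyring.gpg/trustedkeys.gpg` treats the keyring file as a directory; the later `ln -s debian-keyring.gpg trustedkeys.gpg`, run inside the `keyrings` directory, suggests `keyring/output/keyrings/trustedkeys.gpg` was meant. `gpg --recv-keys 12345678` fetches by an 8-hex-digit short key ID, which many distinct keys can share; since the next paragraph is about deciding how much trust to give a downloaded key, recommend fetching by full fingerprint and naming the keyserver. Because `trustedkeys.gpg` is a symlink to the compiled `debian-keyring.gpg`, the final `--import` of `$KEYID` writes into the submodule's build output and is likely to be overwritten by the next `( cd keyring && make )`; a separate keyring file for locally trusted keys would survive rebuilds. Minor wording: "trick part" should be "tricky part", "have a criteria" should be "have criteria", "it's signature" should be "its signature", "stablished" should be "established", and "Install manually debian-keyring somewhere" reads better as "Install debian-keyring manually somewhere".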