From: Silvio Rhatto Date: Sat, 20 Sep 2014 00:49:14 +0000 (-0300) Subject: Checking sources: dscverify and debian-keyring X-Git-Url: https://gitweb.fluxo.info/?a=commitdiff_plain;h=6b45760cac4a0f25152aa87e6cc667a25a1a476b;p=debian.git Checking sources: dscverify and debian-keyring --- diff --git a/README.md b/README.md index f72b32b..d9d173d 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,10 @@ to Debian. These notes are mainly references to the detailed Debian/Ubuntu documentations we're using in the course of learning the intricacies of Debian packaging. +Grab this repository using + + git clone --recursive git://git.sarava.org/debian.git + Configuration files ------------------- diff --git a/TODO.md b/TODO.md index bc63e1d..bb50741 100644 --- a/TODO.md +++ b/TODO.md @@ -1,6 +1,11 @@ TODO ==== +Repositories +------------ + +* Merge all `build-area` folders. + Backport -------- diff --git a/basics.md b/basics.md index 166b31e..dd43c1b 100644 --- a/basics.md +++ b/basics.md 
@@ -16,21 +16,52 @@ Using `apt-get`: Checking the source ------------------- -Get the key if needed +This is the trick part. In theory, you could run just - gpg --recv-keys 12345678 + dscverify *.dsc -Checking the source +Which would check if the signature was made for a key included in the `debian-keyring` package. - dscverify *.dsc +In practice, it should always work for sources you download from the **same** Debian version you're running. +But sources you download from newer versions might not work, depending basically if the maintainer's key is +already on the `debian-keyring` you installed. -Extracting: +If not, you might try to have a newer copy of the `debian-keyring` somewhere. We already provide one in the +form of git://anonscm.debian.org/keyring/keyring.git available as a git submodule in the `keyring` folder: - dpkg-source -x *.dsc + gpg --no-default-keyring --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg --verify *.dsc + +Or you can use the following alias: + + dscverify='dscverify --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg' + +This assumes that you initialized the `keyring` submodule and compiled the keyrings: + + ( cd keyring && make ) + +We use `--no-default-keyring` to make sure `gpg` just looks for the key in the `debian-maintainers` keyring. + +Another option is to get the specific key: + + gpg --recv-keys 12345678 + +Either way, you have to have a criteria about how much trust you should give to the keyring or the pubkey +you just downloaded. The same goes for software you're porting to Debian and that you can't actually check +it's signature against `debian-keyring`. See also: +* `dscverify(1)` manpage. +* [Debian Public Key Server](http://keyring.debian.org/). * [apt get - How to get apt-get source verification working? - Super User](https://superuser.com/questions/626810/how-to-get-apt-get-source-verification-working). +* [Debian. 
How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY - Server Fault](http://serverfault.com/questions/337278/debian-how-can-i-securely-get-debian-archive-keyring-so-that-i-can-do-an-apt-g/337283#337283). + +Extracting the source +--------------------- + +If needed, do this after your successfully verified the sources: + + dpkg-source -x *.dsc Getting dependencies --------------------
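Review bot: the README hunk's `git clone --recursive git://git.sarava.org/debian.git` fetches the repository, and through `--recursive` the `keyring` submodule, over the plain `git://` protocol, which provides no transport authentication or integrity; for a repository whose point is verifying source signatures against that keyring, that is a weak starting link. Suggest documenting an authenticated transport (an `https://` URL if the host offers one) or telling the reader how to check what was cloned, for example by comparing the submodule commit against the upstream `keyring.git` history, so that the keyring used by `dscverify` is not itself obtained over an unverified channel.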
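Review bot: in the basics.md hunk, the explanation "We use `--no-default-keyring` to make sure `gpg` just looks for the key in the `debian-maintainers` keyring" does not match the command above it, which passes `--keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg`; the Debian keyring project builds `debian-keyring.gpg` (Debian Developers) and `debian-maintainers.gpg` (Debian Maintainers) as separate files, so either the prose should say `debian-keyring` or the command should point at the keyring the text intends. A few smaller points in the same hunk: `gpg --verify *.dsc` only works as intended when the glob matches exactly one file, since with several arguments gpg treats the first as the signature and the rest as data files, so the example should name a single `.dsc`; the line `dscverify='dscverify --keyring ...'` is missing the leading `alias` keyword; and the "get the specific key" example `gpg --recv-keys 12345678` uses an 8-hex-digit short key ID, which is cheap to collide, so the text should recommend fetching by full fingerprint. Typos to fix while touching the file: "trick part" should read "tricky part", "have a criteria" should be "have a criterion", "it's signature" should be "its signature", and "after your successfully verified" should be "after you successfully verified".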