
Signing .deb packages

February 5, 2009

Okay, so here’s the scenario: you distribute .deb packages without an apt repository, but want to start signing your packages to ensure they aren’t corrupted or tampered with during transit to your users. I say “without an apt repository” since apt has its own mechanism for signing whole releases, via SecureApt.

The tools you are expected to use for this purpose are debsign and debsig-verify. Unfortunately I found the documentation for these to be pretty thin and ended up having to read the source of debsig-verify to work out what was expected of a signed package.

So, hopefully to spare others from trawling through source code, below are the steps you can follow to sign your own .deb packages. My method departs somewhat from the method Debian prescribes, but it is the only one I've managed to get working. Please suggest better methods if you know them.

The steps I performed were:

  1. Create your GPG signing key, run
    $ gpg --gen-key
    and follow the steps.
  2. Sign the .deb with your private key, without using debsign (please comment if you get debsign to work for you, I couldn’t…).
    1. Take an existing .deb and unpack it:
      $ ar x my_package_1_0_0.deb
    2. Concatenate its contents (the order is important), and output to a temp file:
      $ cat debian-binary control.tar.gz data.tar.gz > /tmp/combined-contents
    3. Create a GPG signature of the concatenated file, calling it _gpgorigin:
      $ gpg -abs -o _gpgorigin /tmp/combined-contents
    4. Finally, bundle the .deb up again, including the signature file. Note that the original .deb still exists after step 1, so ar's r modifier replaces the three existing members in place and appends _gpgorigin after them; debian-binary therefore stays the first member, which dpkg requires:
      $ ar rc my_package_1_0_0.deb \
          _gpgorigin debian-binary control.tar.gz data.tar.gz
  3. Export your signing public key and determine its key id.
    1. Export your public key:
      $ gpg --export -a > my-debsig.asc
    2. Determine the key id: it is the last 4 chunks (16 hex digits) of the fingerprint, CA58BC6A0695623E in this case, always written without the spaces:
      $ gpg --fingerprint
      /home/floyd/.gnupg/pubring.gpg
      ------------------------------
      pub 1024D/0695623E 2009-02-04
      Key fingerprint = 6577 AAB2 8850 9E0B 1059 C510 CA58 BC6A 0695 623E
      uid Purple (Floyd) <--your email address-->
      sub 2048g/EB122979 2009-02-04
  4. Setup the machine(s) that will be downloading and verifying the package.
    1. Install the debsig-verify package:
      $ apt-get install debsig-verify
    2. Import the public key into the debsig keyring:
      $ mkdir /usr/share/debsig/keyrings/[key_id]
      $ gpg --no-default-keyring --keyring \
          /usr/share/debsig/keyrings/[key_id]/debsig.gpg --import my-debsig.asc
    3. Configure a policy for the key. Policies are discussed in some detail in /usr/share/doc/debsig-verify. The policy file must be kept at /etc/debsig/policies/[key_id]/[policy_name].pol, and the id attributes must match the key id from step 3. Mine looks like this:
      <?xml version="1.0"?>
      <!DOCTYPE Policy SYSTEM "http://www.debian.org/debsig/1.0/policy.dtd">
      <Policy xmlns="http://www.debian.org/debsig/1.0/">

      <Origin Name="PurpleFloyd" id="CA58BC6A0695623E"
      Description="Another package from PurpleFloyd"/>

      <Selection>
      <Required Type="origin" File="debsig.gpg" id="CA58BC6A0695623E"/>
      </Selection>

      <Verification MinOptional="0">
      <Required Type="origin" File="debsig.gpg" id="CA58BC6A0695623E"/>
      </Verification>

      </Policy>

  5. You should now be able to verify the package using debsig-verify, i.e.:
    $ debsig-verify my_package_1_0_0.deb
    debsig: Verified package from `PurpleFloyd' (Another package from PurpleFloyd)

Et voila! You have signed and verified a Debian package.
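To see exactly what debsig-verify is checking, here is an added example (not from the post, and not debsig-verify's own code) that parses the ar container a .deb uses and reconstructs the bytes the _gpgorigin signature covers: debian-binary, control.tar.gz and data.tar.gz concatenated in that order. The member names and layout come from the steps above; ar_pack and the sample package in the comments are constructed for the example.

```python
AR_MAGIC = b"!<arch>\n"
SIGNED_MEMBERS = ["debian-binary", "control.tar.gz", "data.tar.gz"]

def ar_pack(members):
    """Build an ar archive from [(name, bytes)] in the given order (constructed helper)."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        # 60-byte header: name16 mtime12 uid6 gid6 mode8 size10 + "`\n"
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}".encode()
        out += hdr + b"`\n" + data
        if len(data) % 2:
            out += b"\n"          # ar pads every member to an even length
    return bytes(out)

def ar_unpack(blob):
    """Parse an ar archive into an ordered list of (name, bytes)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        # GNU ar ends short names with '/', dpkg/BSD ar pad with spaces: accept both
        name = hdr[:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58])
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError(f"member {name} is truncated")
        members.append((name, data))
        pos += 60 + size + (size % 2)
    return members

def signed_payload(deb_blob):
    """Return (armored signature, signed bytes) for a .deb signed as in the post.

    Verifies the layout the signature depends on, then hands back what
    'gpg --verify sig.asc payload' needs to check the signature itself."""
    members = ar_unpack(deb_blob)
    if not members or members[0][0] != "debian-binary":
        raise ValueError("debian-binary must be the first ar member")
    body = [n for n, _ in members if not n.startswith("_gpg")]
    if body[:3] != SIGNED_MEMBERS:
        raise ValueError(f"unexpected member order: {body}")
    by_name = dict(members)
    sig = by_name.get("_gpgorigin")
    if sig is None or not sig.startswith(b"-----BEGIN PGP SIGNATURE-----"):
        raise ValueError("no ASCII-armored _gpgorigin signature in package")
    return sig, b"".join(by_name[n] for n in SIGNED_MEMBERS)
```

Writing the two return values to files and running gpg --verify on them reproduces the check from step 5 without the policy machinery, which is handy when debsig-verify rejects a package and you want to know whether the signature or the policy is at fault.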

Note: on most distros, dpkg/apt will not check the signature of a package when installing it, even if a signature is present. This checking can be enabled by removing the --no-debsig line from /etc/dpkg/dpkg.cfg.

  1. February 17, 2009 at 9:22 pm | #1

    debsigs actually works, you just need to specify the type of signature. For example:

    debsigs --sign=origin test.deb

    will sign the debian package. The problem here is that on Ubuntu, dpkg and gdebi use different ar formats. A deb package signed by debsigs will not work with gdebi because of this bug. It will install via dpkg.

  2. Stefan
    July 15, 2010 at 12:56 pm | #2

    debsign works for me if I specify which key to use with -k.

    • January 18, 2012 at 1:25 pm | #3

      Hey, can you please provide me the exact command which worked for you guys, for signing a debian package using the command line.

      Thanks,
      Girish.L.C

      • January 18, 2012 at 1:43 pm | #4

        hey dude it worked for me,

        problem is, there is – - instead of — sign

        debsigs --sign=origin packagename.deb (note* 2 hyphens) :)

  3. April 8, 2011 at 12:42 am | #5

    Excellent! I was also able to get debsigs to work with:

    debsigs --sign=origin --default-key=xx test.deb

    Btw, you might want to see if you can remove those curly quotes from your example policy. It took me forever to realize why my policy was being rejected.

    • April 8, 2011 at 12:48 am | #6

      The argument to --sign is simply appended to _gpg for the filename. And it looks like multiple types of signatures can coexist. Later signatures ignore any existing _gpg* files when signing.

    • purple floyd
      April 10, 2011 at 11:26 am | #7

      Curly quotes now fixed, ta.

  4. August 23, 2011 at 12:50 am | #8

    how come debsig treats the name as the description and the description as the name?

    hpmini@ubuntu:~/deb/fact-sig$ sudo debsig-verify my_package_1_0_0.deb
    debsig: Verified package from `Packages from NullCity’ (Brandon Zerick)
    hpmini@ubuntu:~/deb/fact-sig$

    here's my policy:

  5. Rduke15
    November 15, 2012 at 11:17 pm | #9

    Why not use dpkg-sig -s builder -k $YOURKEY *.deb ? Seems to work fine.

