[debhelper-devel] [RFC PATCH v1 0/3] Including file signatures in .deb packages
Joey Hess
joeyh at debian.org
Mon Oct 20 16:36:34 UTC 2014
Mimi Zohar wrote:
> File signatures are used to enforce local file integrity and to provide
> file provenance. IMA-appraisal with digital signature support, which
> enforces local file integrity based on file signatures, was upstreamed
> in Linux-3.7. The "ima-sig" measurement list template, which includes
> file signatures in the measurement list, was upstreamed in Linux-3.13.

I don't know what you mean by "upstreamed in Linux-3.13" in the context
of a user-mode tool. Is it in Debian?

> This patch set adds debhelper support for adding file signatures to .deb
> packages and for installing those signatures as 'security.ima' extended
> attributes at package install time.

Please file a bug report with this patch.

> The existing md5sums file contains
> the file hash and name for each file included in the package, making it
> the most logical place for storing file signatures. This patch set
> extends the dh_md5sums debhelper to support additional, larger digests
> and renames the debhelper to dh_checksums.

Probably thousands of packages call dh_md5sums manually. What's the
transition plan? We can't just break all those packages by renaming a
command.

> Depending on the relationship of the build and signing server, the
> signatures could either be included in the checksums files during the
> package build process or post build. Included in this patch set is a
> sample script that opens the package, extracts the checksums file,
> includes the file signatures, and inserts the modified checksums file
> with the file signatures in the deb package.

I can't see how that could possibly be useful in the context of Debian.
Modifying a deb after it's uploaded will invalidate the signature in the
changes file, etc.
--
see shy jo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 811 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/debhelper-devel/attachments/20141020/d282a6a1/attachment.sig>
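The thread turns on the md5sums file (one "<hex digest>  <path>" line per installed file, the layout dpkg keeps under /var/lib/dpkg/info/) and on extending it with larger digests. The example below is added here to show what a userland integrity check over such a file looks like; it is not code from the patch set, from debhelper or from dpkg. It parses the md5sums layout, accepts a sha256 line in the same layout as an assumed stand-in for the proposed dh_checksums output, verifies an installed tree against it (roughly what debsums does for md5), and flags modified or missing files. The checksums file is package-supplied data, so the parser also rejects absolute and parent-relative paths before touching the filesystem. Kernel-side IMA appraisal, which the patch set targets, checks a signature on each file at access time instead; this hash-only check is the weaker, always-available equivalent.

```python
import hashlib
import tempfile
from pathlib import Path

# Digest length -> algorithm. md5 is the real dh_md5sums format; the sha256
# entry is this example's assumption about a dh_checksums-style file.
DIGEST_LENGTHS = {32: "md5", 64: "sha256"}
HEX = set("0123456789abcdef")


def parse_checksums(text):
    """Return a list of (algorithm, hexdigest, relpath) from md5sums-style text.

    Each line is '<digest>  <path>' with two spaces and a path relative to /.
    Malformed digests and unsafe paths raise ValueError.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if "  " not in line:
            raise ValueError(f"line {lineno}: expected '<digest>  <path>'")
        digest, relpath = line.split("  ", 1)
        digest = digest.lower()
        algo = DIGEST_LENGTHS.get(len(digest))
        if algo is None or not set(digest) <= HEX:
            raise ValueError(f"line {lineno}: unrecognised digest {digest!r}")
        # Paths come from the package, so never let them escape the root.
        if not relpath or relpath.startswith("/") or ".." in Path(relpath).parts:
            raise ValueError(f"line {lineno}: unsafe path {relpath!r}")
        entries.append((algo, digest, relpath))
    return entries


def file_digest(path, algo):
    """Hash a file in chunks with the named hashlib algorithm."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_checksums(root, relpaths, algo="sha256"):
    """Generate checksums text for the given files under root (sorted, one per line)."""
    lines = [f"{file_digest(Path(root) / rel, algo)}  {rel}" for rel in sorted(relpaths)]
    return "\n".join(lines) + "\n"


def verify_tree(root, checksums_text):
    """Map each listed path to 'ok', 'modified' or 'missing' relative to root."""
    results = {}
    for algo, digest, relpath in parse_checksums(checksums_text):
        p = Path(root) / relpath
        if not p.is_file():
            results[relpath] = "missing"
        elif file_digest(p, algo) != digest:
            results[relpath] = "modified"
        else:
            results[relpath] = "ok"
    return results


def demo():
    """Constructed package tree: generate checksums, then tamper and re-verify."""
    files = {  # constructed sample contents, not a real package
        "usr/bin/hello": b"#!/bin/sh\necho hello\n",
        "usr/share/doc/hello/README": b"hello package\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        checksums = write_checksums(root, files, "sha256")
        before = verify_tree(root, checksums)
        # Simulate post-install tampering: one file altered, one removed.
        (Path(root) / "usr/bin/hello").write_bytes(b"#!/bin/sh\necho changed\n")
        (Path(root) / "usr/share/doc/hello/README").unlink()
        after = verify_tree(root, checksums)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Because the checksums file ships inside the same package as the files it describes, this check detects accidental corruption and post-install modification, but not a package that was altered before installation; that is the gap the patch set's file signatures (verified by the kernel against a key it trusts, rather than by a hash stored beside the file) are meant to close.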