[debhelper-devel] [RFC PATCH v1 0/3] Including file signatures in .deb packages

Mimi Zohar zohar at linux.vnet.ibm.com
Mon Oct 20 19:47:17 UTC 2014


On Mon, 2014-10-20 at 12:36 -0400, Joey Hess wrote: 
> Mimi Zohar wrote:
> > File signatures are used to enforce local file integrity and to provide
> > file provenance. IMA-appraisal with digital signature support, which
> > enforces local file integrity based on file signatures, was upstreamed
> > in Linux-3.7.  The "ima-sig" measurement list template, which includes
> > file signatures in the measurement list, was upstreamed in Linux-3.13.
> 
> I don't know what you mean by "upstreamed in Linux-3.13" in the context
> of a user-mode tool. Is it in Debian?

There are two package formats .rpm and .deb currently being used.  RHEL
7.0, Ubuntu 14.04, and SLES 12 have enabled IMA/IMA-appraisal.  The last
I looked Debian has not enabled it.

> > This patch set adds debhelper support for adding file signatures to .deb
> > packages and for installing those signatures as 'security.ima' extended
> > attributes at package install time.
> 
> Please file a bug report with this patch.

Ok 

> > The existing md5sums file contains
> > the file hash and name for each file included in the package, making it
> > the most logical place for storing file signatures.  This patch set
> > extends the dh_md5sums debhelper to support additional, larger digests
> > and renames the debhelper to dh_checksums.
> 
> Probably thousands of packages call dh_md5sums manually. What's the
> transition plan? We can't just break all those packages by renaming a
> command.

I assumed as much.  For that reason, the original post left dh_md5sums
alone and defined a new helper called dh_sha256sums.  The feedback
suggested defining a new generic debhelper called dh_checksums to
support larger hashes.  Sorry for the misunderstanding.  The next post
will not remove the dh_md5sums.

> > Depending on the relationship of the build and signing server, the
> > signatures could either be included in the checksums files during the
> > package build process or post build.  Included in this patch set is a
> > sample script that opens the package, extracts the checksums file,
> > includes the file signatures, and inserts the modified checksums file
> > with the file signatures in the deb package.
> 
> I can't see how that could possibly be useful in the context of Debian.
> Modifying a deb after it's uploaded will invalidate the signature in the
> changes file, etc.

Ok.  As the package owner should not have access to the distro's private
key, either the package owner, before uploading the package, would
request the files be signed by the distro's signing server or, for
testing, would sign it with their own key.  Somehow the file signatures
need to be included in the package.
  
Mimi
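The sample script described above opens a .deb, extracts its checksums file and reinserts it. The verifying counterpart that a package consumer or a CI step would want, added here as an example (it is not code from this patch set or from debhelper), unpacks the `ar` container, reads the digest list from `control.tar.gz` and checks every file in `data.tar.gz` against it. It assumes a `sha256sums` control member in the same `<digest>  <path>` layout as `md5sums`, and builds a constructed minimal .deb in memory so it runs without dpkg.

```python
import hashlib
import io
import tarfile

def ar_members(blob):
    """Split a .deb (a plain 'ar' archive) into {member name: bytes}."""
    assert blob.startswith(b"!<arch>\n"), "not an ar archive"
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                      # fixed 60-byte ar header
        name, size = hdr[:16].decode().strip().rstrip("/"), int(hdr[48:58])
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)                 # members start on even offsets
    return members

def tar_files(tgz):
    """Return {path: bytes} for every regular file in a gzipped tar, without './'."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tf:
        return {m.name[2:] if m.name.startswith("./") else m.name: tf.extractfile(m).read()
                for m in tf.getmembers() if m.isfile()}

def verify_deb(blob, checksums="sha256sums"):
    """Compare each payload file with the digest list in control.tar.gz; returns (ok, bad paths)."""
    members = ar_members(blob)
    expected = {}
    for line in tar_files(members["control.tar.gz"])[checksums].decode().splitlines():
        digest, path = line.split("  ", 1)            # "<hex digest>  <path>", as in md5sums
        expected[path] = digest
    bad = [p for p, body in tar_files(members["data.tar.gz"]).items()
           if expected.get(p) != hashlib.sha256(body).hexdigest()]   # unlisted or altered
    return not bad, bad
def _tgz(files):
    """Gzipped tar from {path: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, body in files.items():
            info = tarfile.TarInfo("./" + path)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def build_sample_deb(payload, checksums):
    """Constructed minimal .deb: debian-binary, control.tar.gz, data.tar.gz inside an ar archive."""
    def member(name, body):
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n".encode()
        return hdr + body + (b"\n" if len(body) % 2 else b"")
    return (b"!<arch>\n" + member("debian-binary", b"2.0\n")
            + member("control.tar.gz", _tgz({"sha256sums": checksums}))
            + member("data.tar.gz", _tgz(payload)))
PAYLOAD = {"usr/bin/hello": b"#!/bin/sh\necho hello\n"}       # constructed package content
CHECKSUMS = "".join(f"{hashlib.sha256(b).hexdigest()}  {p}\n" for p, b in PAYLOAD.items()).encode()
```

A payload file whose digest is missing from the list is reported alongside altered ones, so a package that ships an extra unlisted file fails the check as well.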