File: 28-gpg.txt

debmake-doc 1.14-1
[[signing-key]]
=== debian/upstream/signing-key.asc

Some upstream tarballs are signed with the upstream maintainer's GPG key.

For example, https://www.gnu.org/software/hello/[GNU hello] can be downloaded via HTTP from https://ftp.gnu.org/gnu/hello/ .  Each release consists of a pair of files:

* *hello-*'version'*.tar.gz* (upstream source)
* *hello-*'version'*.tar.gz.sig* (detached signature)

Let's pick the latest version set.

----
$ wget https://ftp.gnu.org/gnu/hello/hello-2.9.tar.gz
 ...
$ wget https://ftp.gnu.org/gnu/hello/hello-2.9.tar.gz.sig
 ...
$ gpg --verify hello-2.9.tar.gz.sig
gpg: Signature made Thu 10 Oct 2013 08:49:23 AM JST using DSA key ID 80EE4A00
gpg: Can't check signature: public key not found
----

If you already know the upstream maintainer's public GPG key (for example because it is published on the project mailing list), use it as the *debian/upstream/signing-key.asc* file.  Otherwise, fetch it from an HKP keyserver and verify it via your https://en.wikipedia.org/wiki/Web_of_trust[web of trust].  A key retrieved from a keyserver proves nothing by itself: anyone can upload a key carrying any name, any e-mail address and even the same short key ID, so the fingerprint that *gpg --verify* prints below still has to be confirmed out of band.

----
$ gpg --keyserver hkp://keys.gnupg.net --recv-key 80EE4A00
gpg: requesting key 80EE4A00 from hkp server keys.gnupg.net
gpg: key 80EE4A00: public key "Reuben Thomas <rrt@sc3d.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --verify hello-2.9.tar.gz.sig
gpg: Signature made Thu 10 Oct 2013 08:49:23 AM JST using DSA key ID 80EE4A00
gpg: Good signature from "Reuben Thomas <rrt@sc3d.org>"
  ...
Primary key fingerprint: 9297 8852 A62F A5E2 85B2  A174 6808 9F73 80EE 4A00
----

TIP:  If your network environment blocks access to the HKP port *11371*, use ``*hkp://keyserver.ubuntu.com:80*'' instead.

Confirm that the key really belongs to the upstream maintainer by comparing the *full* fingerprint printed above (*9297 8852 A62F A5E2 85B2  A174 6808 9F73 80EE 4A00*) with the one published by upstream or certified by people you trust.  The 32-bit short key ID *80EE4A00* is only the last eight hex digits of that fingerprint and colliding it is cheap, so it must never be the basis of the decision.  Once the fingerprint checks out, export the public key into the *debian/upstream/signing-key.asc* file.

----
$ gpg --armor --export 80EE4A00 >debian/upstream/signing-key.asc
----

Then set the corresponding *debian/watch* file as follows.

----
version=4
opts="pgpsigurlmangle=s/$/.sig/" https://ftp.gnu.org/gnu/hello/ hello-(\d[\d.]*)\.tar\.(?:gz|bz2|xz)
----

Now the *uscan* command downloads the *.sig* file next to each new tarball, imports *debian/upstream/signing-key.asc* into a temporary keyring and checks the detached signature against it; a tarball whose signature does not verify with that key is rejected.
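The short key ID that *gpg* printed above is only a 32-bit value, and a key with a chosen short ID can be generated quickly, so the check that matters is the full 160-bit fingerprint.  The following is an added example, not code from debmake-doc or from *uscan*: given the text of *debian/upstream/signing-key.asc* and the fingerprint you verified out of band, it dearmors the file, verifies the armor CRC24, walks the OpenPGP packets and recomputes each primary key's v4 fingerprint, so the file can be checked (for instance in CI) before anyone relies on it.  It also refuses a file that carries secret key material, a classic export mistake.  The key built by *synthetic_armored_key()* is constructed for the demonstration and is not a real key; the packet parser deliberately stops at partial body lengths and indeterminate lengths, which GnuPG does not use for exported keys.

```python
# Added example (not part of debmake-doc or uscan): pin signing-key.asc to a full fingerprint.
import base64
import hashlib
import struct

PUBLIC_KEY, SECRET_KEY, SECRET_SUBKEY = 6, 5, 7   # packet tags, RFC 4880 section 4.3

def crc24(data: bytes) -> int:
    """ASCII-armor checksum, RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Strip ASCII armor from a public key block and verify the CRC24 trailer."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----":
        raise ValueError("not an armored OpenPGP public key block")
    body, crc_line, in_body = [], None, False
    for line in lines[1:]:
        if line.startswith("-----END"):
            break
        if not in_body:                 # armor headers ("Version: ...") end at a blank line
            in_body = line == "" or ":" not in line
            if not in_body or line == "":
                continue
        if line.startswith("="):        # "=XXXX" trailer carries the CRC24
            crc_line = line[1:]
        elif line:
            body.append(line)
    data = base64.b64decode("".join(body))
    if crc_line is not None and crc24(data) != int.from_bytes(base64.b64decode(crc_line), "big"):
        raise ValueError("armor CRC24 mismatch: the key file is corrupt")
    return data

def packets(data: bytes):
    """Yield (tag, body) for every packet; old- and new-format headers, RFC 4880 section 4.2."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        if ctb & 0x40:                                  # new format
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                           # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            width = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i + 1:i + 1 + width], "big"), i + 1 + width
        yield tag, data[i:i + length]
        i += length

def v4_fingerprint(body: bytes) -> str:
    # SHA-1(0x99 || 2-byte length || key packet body), RFC 4880 section 12.2
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def primary_fingerprints(asc_text: str) -> list:
    # Fingerprints of every primary key in the file; refuses secret key material.
    fps = []
    for tag, body in packets(dearmor(asc_text)):
        if tag in (SECRET_KEY, SECRET_SUBKEY):
            raise ValueError("secret key material: use 'gpg --export', not --export-secret-keys")
        if tag == PUBLIC_KEY:
            fps.append(v4_fingerprint(body))
    if not fps:
        raise ValueError("no public key packet found")
    return fps

def check_signing_key(asc_text: str, expected_fingerprint: str) -> bool:
    """True iff a primary key in the file has exactly the expected 160-bit fingerprint.
    The short key ID gpg prints (80EE4A00 on this page) is only its last 8 hex digits."""
    want = expected_fingerprint.replace(" ", "").upper()
    if len(want) != 40:
        raise ValueError("pin the full 40-hex-digit fingerprint, not a short or long key ID")
    return want in primary_fingerprints(asc_text)

def synthetic_armored_key(n: int, e: int = 65537, tag: int = PUBLIC_KEY) -> str:
    """Constructed test input: one minimal v4 RSA key packet; n is NOT a real modulus."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1381362563) + b"\x01" + mpi(n) + mpi(e)
    packet = bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----", ""])
```

For a real package, read the file with *open("debian/upstream/signing-key.asc").read()* and pass the fingerprint you verified to *check_signing_key()*; the spaced form that *gpg* prints is accepted as-is.  A primary key packet is hashed exactly as *gpg* does it, so the result is the same string *gpg --fingerprint* shows, and the pin fails closed on a short ID, on a CRC error and on an accidentally exported secret key.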

[[dfsg]]
=== debian/watch and DFSG

Debian takes software freedom seriously and follows the https://www.debian.org/social_contract.html#guidelines[DFSG].

Non-DFSG components in the upstream source tarball can be removed automatically when the *uscan* command is used to update the Debian package.

* List the files to be removed in the *Files-Excluded* stanza of the *debian/copyright* file.
* List the URL to download the upstream tarball in the *debian/watch* file.
* Run the *uscan* command to download the new upstream tarball.
** Alternatively, use the ``*gbp import-orig --uscan --pristine-tar*'' command.
* The resulting tarball has the version number with an additional suffix *+dfsg*.
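To make the repack step concrete, here is an added example that is not code from debmake-doc, *uscan* or *mk-origtargz*: it reads the *Files-Excluded* field from a constructed *debian/copyright*, drops the matching members from a constructed *hello-2.9.tar.gz* built in memory, and writes the result under the *+dfsg* name.  Glob handling is a deliberate simplification (Python *fnmatch* over the path with the top-level directory stripped, where a pattern naming a directory removes its contents); the exact rules *mk-origtargz* applies are documented in uscan(1).

```python
# Added example (not from debmake-doc, uscan or mk-origtargz): Files-Excluded repack.
import fnmatch
import io
import re
import tarfile

# Constructed sample debian/copyright; only the Files-Excluded field matters here.
SAMPLE_COPYRIGHT = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: hello
Files-Excluded: doc/*.pdf
 contrib/nonfree

Files: *
Copyright: sample entry for this example
License: GPL-3+
"""

def parse_files_excluded(copyright_text: str) -> list:
    """Globs listed in Files-Excluded (deb822: continuation lines start with whitespace)."""
    patterns, capturing = [], False
    for line in copyright_text.splitlines():
        if capturing and line[:1] in (" ", "\t"):
            patterns.extend(line.split())
            continue
        match = re.match(r"Files-Excluded:\s*(.*)$", line, re.IGNORECASE)
        capturing = match is not None
        if match:
            patterns.extend(match.group(1).split())
    return patterns

def is_excluded(relpath: str, patterns: list) -> bool:
    """True if the path, or any directory above it, matches one of the globs (assumed semantics)."""
    parts = relpath.split("/")
    return any(fnmatch.fnmatchcase("/".join(parts[:k]), pat.rstrip("/"))
               for k in range(1, len(parts) + 1) for pat in patterns)

def repack_dfsg(orig_tar: bytes, patterns: list, package: str, version: str):
    """Return (orig.tar.xz filename with the +dfsg suffix, tarball bytes, removed paths)."""
    removed, out = [], io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(orig_tar), mode="r:*") as src, \
         tarfile.open(fileobj=out, mode="w:xz") as dst:
        for member in src.getmembers():
            _top, _, rel = member.name.partition("/")   # strip the hello-2.9/ directory
            if rel and is_excluded(rel, patterns):
                removed.append(rel)
                continue
            dst.addfile(member, src.extractfile(member) if member.isfile() else None)
    return f"{package}_{version}+dfsg.orig.tar.xz", out.getvalue(), sorted(removed)

def list_members(tar_bytes: bytes) -> list:
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        return sorted(tar.getnames())

def build_sample_tarball(version: str = "2.9") -> bytes:
    """Constructed stand-in for hello-<version>.tar.gz with a PDF and a non-free blob."""
    files = {
        f"hello-{version}/configure": b"#!/bin/sh\n",
        f"hello-{version}/src/hello.c": b"int main(void) { return 0; }\n",
        f"hello-{version}/doc/manual.pdf": b"%PDF-1.4 generated, no source\n",
        f"hello-{version}/contrib/nonfree/blob.bin": b"\x00\x01\x02",
        f"hello-{version}/contrib/README": b"free contribution\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

if __name__ == "__main__":
    patterns = parse_files_excluded(SAMPLE_COPYRIGHT)
    name, data, removed = repack_dfsg(build_sample_tarball(), patterns, "hello", "2.9")
    print(name, "removed:", removed)
    print(list_members(data))
```

Keeping the list of removed paths is worth doing in practice: it is what you compare against *debian/copyright* at review time to be sure nothing non-free slipped through and nothing needed for the build was dropped.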