Linux Debian Package

Preparation

Run the CORE Setup tasks.

CORE Client

Installation of debsigs:

  1. Install debsigs if not installed:

     sudo apt install debsigs

     It also installs the debsig-verify tool. See Verification.

  2. Obtain the Unbound version of debsigs from here.

  3. Replace the installed debsigs file with the file downloaded in step 2 and make it executable. For example:

     which debsigs
     /usr/bin/debsigs
     sudo mv /usr/bin/debsigs /usr/bin/debsigs.original
     sudo mv ./debsigs /usr/bin/debsigs
     sudo chmod 777 /usr/bin/debsigs

  4. Check: run debsigs without parameters. Make sure that it presents the CORE-specific options that are specified in the README.

Signing

To sign the content of a .deb file and to integrate the signature(s) within the file, run debsigs using its standard options and specifying the UID of the signing key.

Syntax:

debsigs --sign=<sign option> <file-name>.deb <ucl sign parameters> [--verbose]

where:

  • --sign=<sign option>: the sign options as defined in the debsigs man page (origin, maint, archive).
  • <file-name>.deb: the file to be signed.
  • <ucl sign parameters>: required to specify the signing key and the user's credentials.
  • --verbose: displays the signing command.

Output:

  • If successfully signed, there is no output.
  • Otherwise, an error message is presented.

Examples:

In the following examples, we sign test.deb using signkey1 from the mysignkeys partition. Assume that the UID of signkey1 is e0c2f1b87de82d9.

  • The mysignkeys partition is one of the client's partitions, and the command is performed on behalf of the user named signer1 with password ******:

    debsigs --sign=origin -u e0c2f1b87de82d9 -p mysignkeys --user signer1 --password ****** test.deb

Tip
Use the --verbose option to show the CORE command executed by debsigs:

    *** Processing file test.db
    RUNNING: ucl sign -i /dev/stdin --out-format PGP-ARMOR -hash SHA256 -u e0c2f1b87de82d9
    Archive signed successfully

Verification

To verify the signature of the Debian package, use the debsig-verify command.

Debsig Verify Infrastructure

Examine the infrastructure used by the tool. The directories and the signature namespace it reports are used in the following steps.

    debsig-verify --version

    Debsig Program Version - 0.18
    Signature Version - 1.0
    Signature Namespace - https://www.debian.org/debsig/1.0/
    Policies Directory - /etc/debsig/policies
    Keyrings Directory - /usr/share/debsig/keyrings

Debsig Verify Preparation

Perform the following steps:

  1. Use Export PGP Public Key to obtain the public key of the certificate in PGP file format. The export command requires the following parameters:

     ucl export -n signkey1 -f PGP -o signkey1.pgp -p mysignkeys --user signer1 --password ******

  2. Obtain its PGP Key ID:

     gpg --list-packets signkey1.pgp | grep keyid
     keyid: 2CBDEBD7B3B59588

  3. Use the key ID in naming the following policy and keyring folders, according to the paths detected in Debsig Verify Infrastructure:

     sudo mkdir /usr/share/debsig/keyrings/2CBDEBD7B3B59588
     sudo mkdir /etc/debsig/policies/2CBDEBD7B3B59588

  4. Import signkey1.pgp into the new keyring and name it debsig.gpg:

     sudo touch /usr/share/debsig/keyrings/2CBDEBD7B3B59588/debsig.gpg
     sudo gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/2CBDEBD7B3B59588/debsig.gpg --import signkey1.pgp

  5. Create the debsig.pol file in the folder /etc/debsig/policies/2CBDEBD7B3B59588:

     <?xml version="1.0"?>
     <!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
     <Policy xmlns="https://www.debian.org/debsig/1.0/">
       <Origin Name="test" id="8C96D305FA28E1EF" Description="UnboundTech"/>
       <Selection>
         <Required Type="origin" File="debsig.gpg" id="2CBDEBD7B3B59588"/>
       </Selection>
       <Verification MinOptional="0">
         <Required Type="origin" File="debsig.gpg" id="2CBDEBD7B3B59588"/>
       </Verification>
     </Policy>

     Note
     Replace <Policy xmlns="https://www.debian.org/debsig/1.0/"> according to the
     Signature Namespace - https://www.debian.org/debsig/1.0/ that was detected in Debsig Verify Infrastructure.
     In particular, for debsig-verify release 0.17 and earlier, use
     <Policy xmlns="http://www.debian.org/debsig/1.0/">

Verification

Run the verification command:

    debsig-verify -v test.deb

    debsig: Starting verification for: test.deb

    debsig: Using policy directory: /etc/debsig/policies/2CBDEBD7B3B59588
    debsig: Parsing policy file: /etc/debsig/policies/2CBDEBD7B3B59588/debsig.pol
    debsig: Checking Selection group(s).
    debsig: Processing 'origin' key...
    debsig: Selection group(s) passed, policy is usable.

    debsig: Using policy file: /etc/debsig/policies/2CBDEBD7B3B59588/debsig.pol
    debsig: Checking Verification group(s).
    debsig: Processing 'origin' key...
    debsig: Verification group(s) passed, deb is validated.

    debsig: Verified package from 'UnboundTech' (test)

Troubleshooting

No applicable policy found:

    debsig-verify -v test.deb

    debsig: No applicable policy found.

Rerun the command with the debug flag and follow the instructions. For example:

    debsig-verify -d test.deb

    debsig: 3: policy name space != https://www.debian.org/debsig/1.0/
    debsig: parsePolicyFile: 1 errors during parsing, failed
    debsig: No applicable policy found.

Action: Fix the <Policy xmlns= > value in the debsig.pol file to the one specified in the debug output.
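The following POSIX shell script is an added example; it is not part of the original page and not part of the debsigs, debsig-verify or ucl tools. It automates the Debsig Verify Preparation steps 3 to 5 (directories and debsig.pol) and the namespace check from this Troubleshooting section: the policy's xmlns is taken from the Signature Namespace line that debsig-verify --version reports, so the policy matches whichever release (0.17 and earlier with http, later with https) is installed. The function names, the derivation of the DTD URL from the namespace, and the sample version text are assumptions made for the example; the key ID, origin id, origin name and description are the values used on this page.

```shell
#!/bin/sh
# Added example (not the page's or the tools' own code): build a debsig-verify
# policy whose xmlns matches the namespace reported by `debsig-verify --version`,
# and check an existing policy against that namespace.

# Extract "Signature Namespace - <url>" from `debsig-verify --version` output.
# The text is passed as an argument so the function can be exercised offline:
#   ns=$(detect_namespace "$(debsig-verify --version)")
detect_namespace() {
    printf '%s\n' "$1" | sed -n 's/.*Signature Namespace - \([^ ]*\).*/\1/p' | head -n 1
}

# A debsig key ID is 16 upper-case hex digits (the `keyid:` from gpg --list-packets);
# reject anything else before it is used to build a filesystem path.
valid_keyid() {
    keyid=$1
    case $keyid in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ ${#keyid} -eq 16 ]
}

# Print debsig.pol for: $1 key ID, $2 origin name, $3 origin id, $4 description,
# $5 signature namespace. Assumption: the policy DTD lives at <namespace>policy.dtd,
# which holds for the https namespace shown on this page.
make_policy() {
    cat <<EOF
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "${5}policy.dtd">
<Policy xmlns="$5">
  <Origin Name="$2" id="$3" Description="$4"/>
  <Selection>
    <Required Type="origin" File="debsig.gpg" id="$1"/>
  </Selection>
  <Verification MinOptional="0">
    <Required Type="origin" File="debsig.gpg" id="$1"/>
  </Verification>
</Policy>
EOF
}

# Return 0 when the <Policy xmlns="..."> in policy file $1 equals namespace $2.
# A mismatch is exactly what `debsig-verify -d` reports as "policy name space !=".
policy_namespace_matches() {
    file_ns=$(sed -n 's/.*<Policy xmlns="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    [ "$file_ns" = "$2" ]
}

# Create the keyring and policy directories under prefix $1 ("" for the real
# system paths, which requires root) and write debsig.pol there.
# $2 key ID, $3 namespace, $4 origin name, $5 origin id, $6 description.
# The keyring import itself is the gpg command from the Preparation steps.
install_policy() {
    root=$1; keyid=$2; ns=$3
    valid_keyid "$keyid" || { echo "invalid key id: $keyid" >&2; return 1; }
    mkdir -p "$root/usr/share/debsig/keyrings/$keyid" "$root/etc/debsig/policies/$keyid" || return 1
    make_policy "$keyid" "$4" "$5" "$6" "$ns" > "$root/etc/debsig/policies/$keyid/debsig.pol" || return 1
    echo "next: sudo touch $root/usr/share/debsig/keyrings/$keyid/debsig.gpg && sudo gpg --no-default-keyring --keyring $root/usr/share/debsig/keyrings/$keyid/debsig.gpg --import signkey1.pgp"
}

# Constructed sample of `debsig-verify --version` output (not captured from a real run).
SAMPLE_VERSION='Debsig Program Version - 0.18
Signature Version - 1.0
Signature Namespace - https://www.debian.org/debsig/1.0/
Policies Directory - /etc/debsig/policies
Keyrings Directory - /usr/share/debsig/keyrings'

# Stand-alone run: print the policy that would be installed for the page's key ID.
ns=$(detect_namespace "$SAMPLE_VERSION")
make_policy 2CBDEBD7B3B59588 test 8C96D305FA28E1EF UnboundTech "$ns"
```

On a real system, replace SAMPLE_VERSION with the output of debsig-verify --version and call install_policy "" 2CBDEBD7B3B59588 "$ns" test 8C96D305FA28E1EF UnboundTech as root; when a package later fails with "No applicable policy found", policy_namespace_matches on the installed debsig.pol tells you whether the xmlns is the cause before reaching for the -d flag.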