Linux Debian Package

Preparation
Run the CORE Setup tasks and install the CORE Client.

Installation of debsigs
1. Install debsigs if it is not installed already:
   sudo apt install debsigs
   This also installs the debsig-verify tool (see Verification).
2. Obtain the Unbound version of debsigs from here.
3. Replace the installed debsigs file with the file downloaded in step 2 and make it executable. For example:
4. Check: run debsigs without parameters and make sure that it presents the CORE-specific options that are specified in the README.
Signing
To sign the content of a .deb file and to integrate the signature(s) within the file, run debsigs using its standard options and specify the UID of the signing key.
Syntax:
Output:
- If the file is signed successfully, there is no output.
- Otherwise, an error message is presented.
Examples:
In the following examples, we sign test.deb using signkey1 from the mysignkeys partition. Assume that the UID of signkey1 is e0c2f1b87de82d9.
- The mysignkeys partition is one of many client partitions, and the command is performed on behalf of the user named signer1 with password ******:
debsigs --sign=origin -u e0c2f1b87de82d9 -p mysignkeys --user signer1 --password ****** test.deb

Tip
Use the --verbose option to show the CORE command executed by debsigs:
*** Processing file test.db
RUNNING: ucl sign -i /dev/stdin --out-format PGP-ARMOR -hash SHA256 -u e0c2f1b87de82d9.
Archive signed successfully
Verification
To verify the signature of the Debian package, use the debsig-verify command.
Debsig Verify Infrastructure
Examine the infrastructure in use by the tool. You will be using the directories and namespaces it reports.

Debsig Verify Preparation
Perform the following steps:
1. Use Export PGP Public Key to obtain the public key of the certificate in PGP file format. The export command requires the following parameters:
   ucl export -n signkey1 -f PGP -o signkey1.pgp -p mysignkeys --user signer1 --password ******
2. Obtain its PGP Key ID:
   gpg --list-packets signkey1.pgp | grep keyid
   keyid: 2CBDEBD7B3B59588
3. Use the key ID to name the policy and keyring folders, according to the paths detected in Debsig Verify Infrastructure:
   sudo mkdir /usr/share/debsig/keyrings/2CBDEBD7B3B59588
   sudo mkdir /etc/debsig/policies/2CBDEBD7B3B59588
4. Import signkey1.pgp into the new keyring and name it debsig.gpg:
5. Create the debsig.pol file in the folder /etc/debsig/policies/2CBDEBD7B3B59588:

Note
Replace <Policy xmlns="https://www.debian.org/debsig/1.0/"> according to the Signature Namespace (https://www.debian.org/debsig/1.0/) that was detected in Debsig Verify Infrastructure. In particular, for debsig-verify release 0.17 and earlier, use
<Policy xmlns="http://www.debian.org/debsig/1.0/">
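The preparation steps above create the policy and keyring folders and the debsig.pol file by hand. The following POSIX shell script is an added example, not part of the Unbound documentation or the debsigs package: it creates both folders for a key ID and writes a debsig.pol whose Policy namespace is chosen from the debsig-verify release number, so the file matches the note above. The ROOT argument, the policy_namespace/write_policy function names, the Origin Name and Description strings, and the release number 0.23 are assumptions; the policy layout is the one documented in the debsig-verify man page, and the key ID and paths are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not Unbound's code: build the debsig-verify policy and keyring
# directories for a key ID and write debsig.pol with the namespace that matches
# the installed debsig-verify release (see the note above).

# policy_namespace VERSION
# Releases 0.17 and earlier expect http://, later releases expect https://.
policy_namespace() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" -eq 0 ] && [ "$minor" -le 17 ]; then
        echo "http://www.debian.org/debsig/1.0/"
    else
        echo "https://www.debian.org/debsig/1.0/"
    fi
}

# write_policy ROOT KEYID NAMESPACE ORIGIN_NAME
# ROOT is "" on a real system (then the mkdir calls need sudo); point it at a
# scratch directory to inspect the generated files first. Prints the policy path.
# Layout follows the debsig-verify man page; the Origin strings are assumed values.
# The exported key still has to be imported into the keyring afterwards, e.g.
# gpg --no-default-keyring --keyring ROOT/usr/share/debsig/keyrings/KEYID/debsig.gpg --import signkey1.pgp
write_policy() {
    root=$1; keyid=$2; ns=$3; origin=$4
    dir="$root/etc/debsig/policies/$keyid"
    mkdir -p "$dir" "$root/usr/share/debsig/keyrings/$keyid"
    cat > "$dir/debsig.pol" <<EOF
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "${ns}policy.dtd">
<Policy xmlns="$ns">
  <Origin Name="$origin" id="$keyid" Description="Package signed with CORE key $keyid"/>
  <Selection>
    <Required Type="origin" File="debsig.gpg" id="$keyid"/>
  </Selection>
  <Verification MinOptional="0">
    <Required Type="origin" File="debsig.gpg" id="$keyid"/>
  </Verification>
</Policy>
EOF
    echo "$dir/debsig.pol"
}

# Example run for this page's key ID into a scratch directory (release later
# than 0.17, so the https namespace is used); the printed path is the policy file.
write_policy "$(mktemp -d)" 2CBDEBD7B3B59588 "$(policy_namespace 0.23)" UnboundTech
```

With ROOT set to "" and the script run with sudo, the files land in the real /etc/debsig and /usr/share/debsig paths used in the steps above.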
Verification
Run the verification command:
debsig-verify -v test.deb
debsig: Starting verification for: test.deb
debsig: Using policy directory: /etc/debsig/policies/2CBDEBD7B3B59588
debsig: Parsing policy file: /etc/debsig/policies/2CBDEBD7B3B59588/debsig.pol
debsig: Checking Selection group(s).
debsig: Processing 'origin' key...
debsig: Selection group(s) passed, policy is usable.
debsig: Using policy file: /etc/debsig/policies/2CBDEBD7B3B59588/debsig.pol
debsig: Checking Verification group(s).
debsig: Processing 'origin' key...
debsig: Verification group(s) passed, deb is validated.
debsig: Verified package from 'UnboundTech' (test)
Troubleshooting
No applicable policy found:
debsig-verify -v test.deb
debsig: No applicable policy found.
Rerun the command with the debug flag and follow the instructions. For example:
debsig-verify -d test.deb
debsig: 3: policy name space != https://www.debian.org/debsig/1.0/
debsig: parsePolicyFile: 1 errors during parsing, failed
debsig: No applicable policy found.
Action:
Fix the <Policy xmlns="..."> value in the debsig.pol file to the one specified in the debug output.