Signatures in Debian Binary Package

Although securing a package repository is a solved problem, there are still cases where it would be useful or required to have additional signatures in order to fully secure the chain of provenance.

Related to this is UntrustedDebs.

There are at least two main cases where we want additional signatures.

Signed .deb containers

This is required to be able to verify a standalone binary package.

These are already supported right now via the debsigs and debsig-verify packages, the latter of which is supported natively by dpkg.

There are some issues with the current implementation, and packages with such signatures are currently rejected by the Debian archive.

Niels Thykier started an attempt at redesigning this in https://lists.debian.org/debian-dpkg/2012/06/msg00034.html. (FIXME: This needs to be included here, the spec finished, and then amend the current implementation.)

Ximin Luo has recently proposed that, to make reproducible builds easier to support, one option would be to require that signature members always come last in the ar container, so that comparisons and hashing can be done by truncating or partially reading the .deb.

Signed files shipped in a .deb

This is required to be able to verify the installed files, for example via the Linux IMA support.

Matthew Garrett has been working on this. (FIXME: Add links to presentations, mails, etc.)

This is pending the addition of support for Teams/Dpkg/Spec/MetadataTracking.

Ximin Luo has also recently proposed that, to make reproducible builds easier to support, the signatures included in the mtree be detached and moved into their own ar member, which would also be required to be at the end of the ar container.

This new member could either be a general sigs member covering the container and the data.tar files, or a separate member of its own.
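The following is an added example (not dpkg, debsigs or debsig-verify code) showing why both "signature members last" proposals above simplify hashing: it parses a .deb's ar container, checks that every member from the first signature member onwards is a signature, and hashes the container truncated before that point, so a signed and an unsigned copy of the same package yield the same digest. The `_gpg` name prefix is assumed here as the debsigs convention, and the member payloads are constructed placeholders.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"
SIG_PREFIX = "_gpg"  # assumed debsigs naming for signature members (e.g. _gpgbuilder)

def ar_member(name: bytes, data: bytes) -> bytes:
    """Encode one member in the ar format a .deb uses: 60-byte header, data padded to even length."""
    header = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, b"100644", len(data))
    return header + data + (b"\n" if len(data) % 2 else b"")

def build_ar(members) -> bytes:
    """Assemble an ar container from (name, data) pairs in the given order."""
    return AR_MAGIC + b"".join(ar_member(n, d) for n, d in members)

def parse_ar(blob: bytes):
    """Return [(name, header_offset, data)] for each member, checking the ar framing."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = [], len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) < 60 or header[58:60] != b"`\n":
            raise ValueError("truncated or malformed ar member header at offset %d" % pos)
        name = header[:16].rstrip().rstrip(b"/").decode()  # GNU ar may append '/'
        size = int(header[48:58].decode())
        members.append((name, pos, blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size % 2)  # member data is padded to an even length
    return members

def signatures_are_last(members) -> bool:
    """The proposed rule: once a signature member appears, every following member is a signature too."""
    names = [name for name, _, _ in members]
    first_sig = next((i for i, n in enumerate(names) if n.startswith(SIG_PREFIX)), len(names))
    return all(n.startswith(SIG_PREFIX) for n in names[first_sig:])

def unsigned_digest(blob: bytes) -> str:
    """SHA-256 over the .deb truncated before its first signature member, i.e. the bytes a signature covers."""
    members = parse_ar(blob)
    if not signatures_are_last(members):
        raise ValueError("signature members must be the last members of the ar container")
    cut = next((off for name, off, _ in members if name.startswith(SIG_PREFIX)), len(blob))
    return hashlib.sha256(blob[:cut]).hexdigest()

# Constructed sample: the three mandatory .deb members with placeholder payloads, plus one signature member.
BASE = [(b"debian-binary", b"2.0\n"), (b"control.tar.gz", b"<constructed control.tar.gz>"),
        (b"data.tar.gz", b"<constructed data.tar.gz>")]
SIG = (b"_gpgbuilder", b"-----BEGIN PGP SIGNATURE-----\n<constructed signature>\n")
UNSIGNED_DEB = build_ar(BASE)
SIGNED_DEB = build_ar(BASE + [SIG])
MISPLACED_DEB = build_ar([BASE[0], SIG] + BASE[1:])  # signature not last: rejected by unsigned_digest

if __name__ == "__main__":
    print([name for name, _, _ in parse_ar(SIGNED_DEB)])
    print(unsigned_digest(UNSIGNED_DEB) == unsigned_digest(SIGNED_DEB))  # True: identical prefix bytes
```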