On Wednesday, 12.10.2005, at 13:04 +0200, Daniel Leidert wrote:

> It seems you forgot to fix the $signcmd-default in debarchiver.conf and
> in debarchiver.pl. Both only contain the path, not the executable. And
> you did not include my proposed paragraph for $gpgpassfile in
> debarchiver.conf.

I see, I did not include this paragraph in any mail. My fault.

>  You should at least fix the $signcmd variable in both
> mentioned files. I'm going to fix the READMEs to mention the right way
> to create signed Release files. If you want to wait with 0.5.2 until
> this is ready, I will go to fix the forgotten issues, so you don't have
> to.

I attached a patch and a file to this mail.

The patch contains:
- fix for the $signcmd-issues
- fix for debarchiver.conf (signcmd default and gpgpassfile info)
- updates to all old FSF addresses
- fix to include README.gnupg instead of README.dscverify

The other attached file is README.gnupg, which is thought to _replace_
README.dscverify. You will see that it contains all information from
README.dscverify, but also all new information for enabling the automatic
archive signing feature.

Please check the attached files and tell me your opinion.

Regards, Daniel
Index: debian/debarchiver.docs
===================================================================
--- debian/debarchiver.docs	(Revision 2146)
+++ debian/debarchiver.docs	(Arbeitskopie)
@@ -1,4 +1,4 @@
 README
 TODO
-README.dscverify
+README.gnupg
 README.repository
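Review bot: listing README.gnupg here in place of README.dscverify only works if README.gnupg is in the source tree when the package is built, and no hunk in this patch adds that file or removes README.dscverify; it travels as a separate attachment. Please do the add and the delete in the same commit as this change, so that the docs list never names a file that is missing.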
Index: debian/copyright
===================================================================
--- debian/copyright	(Revision 2146)
+++ debian/copyright	(Arbeitskopie)
@@ -18,5 +18,6 @@
  You should have received a copy of the GNU General Public License with
  your Debian GNU/Linux system, in /usr/share/common-licenses/GPL, or with
  the debarchiver source package as the file COPYING.  If not, write to the Free
- Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- 02111-1307, USA.
+ Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ 02110-1301, USA.
+
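Review bot: the last added line of this hunk is an empty line appended to the end of debian/copyright, which has nothing to do with the address update (the same happens at the end of README and README.repository). Drop these trailing blank additions so that the diff carries only the FSF address change.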
Index: conf/debarchiver.conf
===================================================================
--- conf/debarchiver.conf	(Revision 2146)
+++ conf/debarchiver.conf	(Arbeitskopie)
@@ -20,7 +20,7 @@
 # The command to use for siging files. Used for Release files.
 # This command take four arguments input file, output file, key and optionally
 # a file with a password.
-# $signcmd = "/usr/lib/debarchiver/signhelper";
+# $signcmd = "/usr/lib/debarchiver/signhelper/signhelper.sh";
 
 # Generate bzip2 files or not (1 will generate and 0 will not do so).
 # $bzip = 0;
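Review bot: the comment directly above the changed $signcmd default still reads "siging" and "This command take four arguments"; since this block is being touched anyway, correct both ("signing", "takes"). It would also help to state in that comment that the value must be the path of the script itself, because the old default named only the directory.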
@@ -77,4 +77,6 @@
 # $gpgkey = "";
 
 # File to provide password to GnuPG.
+# If you use a key with an empty passphrase, set this variable to 0 or "".
+# If the file does not exist, debarchiver will also fall back to "".
 # $gpgpassfile = "$ENV{HOME}/.gnupg/passphrase";
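Review bot: the two added comment lines explain that a missing $gpgpassfile silently becomes an empty passphrase, but say nothing about how the file must be protected when it does exist. Add a line stating that the file holds the passphrase in clear text and must be readable only by the debarchiver user (mode 0600, as README.gnupg describes), and mention that a mistyped path will therefore not be reported as an error.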
Index: src/debarchiver.pl
===================================================================
--- src/debarchiver.pl	(Revision 2146)
+++ src/debarchiver.pl	(Arbeitskopie)
@@ -25,7 +25,8 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program; if not, write to the Free Software
-#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+#    MA 02110-1301, USA.
 #
 ###############################################################################
 ############################# USES ############################################
@@ -57,6 +58,8 @@
 #	by some perl module but this solution was good enough.
 #  2005-10-11 Daniel Leidert <[EMAIL PROTECTED]>
 #	Removed fix regarding $gpgpassfile (moved to checks below).
+#  2005-10-12 Daniel Leidert <[EMAIL PROTECTED]>
+#	Fix signcmd default.
 
 $copycmd = "cp -af";
 $rmcmd = "rm -f";
@@ -73,7 +76,7 @@
 $verifysignatures = 0;
 $verifysignaturesdistinput = 0;
 $userconfigfile = "$ENV{HOME}/.debarchiver.conf";
-$signcmd = "/usr/lib/debarchiver/signhelper";
+$signcmd = "/usr/lib/debarchiver/signhelper/signhelper.sh";
 $bzip = 0;
 $gpgpassfile = "$ENV{HOME}/.gnupg/passphrase";
 
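Review bot: the corrected $signcmd default is assigned here without any visible check that the path is an executable file, so a wrong value such as the previous directory-only default shows up only when signing fails. Where $signcmd is used, test it with -x and print a clear error before trying to sign, and keep this string identical to the commented default in conf/debarchiver.conf.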
Index: src/signhelper.sh
===================================================================
--- src/signhelper.sh	(Revision 2146)
+++ src/signhelper.sh	(Arbeitskopie)
@@ -15,7 +15,8 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program; if not, write to the Free Software
-#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+#    MA 02110-1301, USA.
 #
 #
 # Changelog:
Index: COPYING
===================================================================
--- COPYING	(Revision 2146)
+++ COPYING	(Arbeitskopie)
@@ -2,7 +2,7 @@
 		       Version 2, June 1991
 
  Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-     59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+	51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
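Review bot: the replacement address line in COPYING is indented with a tab where the removed line used spaces, and both COPYING hunks write "Franklin St" while the other files in this patch write "Franklin Street". COPYING is the verbatim license text, so take the FSF's current copy of the file unchanged instead of hand-editing these two lines.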
@@ -305,7 +305,7 @@
 
     You should have received a copy of the GNU General Public License
     along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
 
 
 Also add information on how to contact you by electronic and paper mail.
Index: README.repository
===================================================================
--- README.repository	(Revision 2146)
+++ README.repository	(Arbeitskopie)
@@ -122,10 +122,10 @@
 own - what you prefer.
 
 Be aware of the following problem: If you decided to enable signature checking
-for incoming packages (see README.dscverify), then you maybe have user
+for incoming packages (see README.gnupg), then you maybe have user
 directories (.gnupg) and user files (.bash_history, .devscripts) in
 /var/lib/debarchiver. Use the above rules to forbid access OR change the
-archive-dir or thehome-dir for debarchiver (see README.dscverify), which is the
+archive-dir or the home-dir for debarchiver (see README.gnupg), which is the
 cleaner solution.
 
 
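Review bot: the warning changed here mentions .gnupg only as one of several user files that may end up under /var/lib/debarchiver, but with archive signing README.gnupg places the secret key and the clear-text passphrase file in that directory. Say so explicitly in this paragraph, so that readers treat blocking web access to it as required and not as a matter of taste; "then you maybe have" should also read "then you may have".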
@@ -191,3 +191,4 @@
 
 The above file is only an example which will show the packages in Sid.
 Feel free to customize it and enjoy the possibilities of this famous script.
+
Index: README
===================================================================
--- README	(Revision 2146)
+++ README	(Arbeitskopie)
@@ -50,9 +50,16 @@
 Dependent on your decision (see $verifysignatures, $verifysignaturesdistinput,
 $vrfycmd) debarchiver checks the signature of uploaded packages. Unsigned
 packages (except binary-only packages without a .changes file) will be rejected
-if verification is enabled. See README.dscverify for how to enable signature verification.
+if verification is enabled. See README.gnupg for how to enable signature verification.
 
 
+Archive signing:
+----------------
+
+See README.gnupg for infos on how to enable the creation of a signed Release
+files.
+
+
 Multiple archives:
 ------------------
 
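Review bot: the added sentence under "Archive signing" reads "for infos on how to enable the creation of a signed Release files", which mixes singular and plural. Suggested wording: "See README.gnupg for information on how to enable the creation of signed Release files."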
@@ -83,6 +90,7 @@
 of the information in the configuration file. More exact information is
 available there.
 
+
 non-US:
 -------
 
@@ -114,5 +122,6 @@
 
 You should have received a copy of the GNU General Public License with
 the debarchiver source package as the file COPYING.  If not, write to the
-Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-02111-1307, USA.
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301, USA.
+
DocumentId      $Id$
Author          $Author$
Date            $Date$
Version         $Revision: 1.1 $
Summary
        Read this file to get some information on how to enable (GnuPG)
        signature verification and automatic archive signing.

  
  1. Change home directory for user debarchiver (optional)
  2. Create GnuPG infrastructure
  3. Enable GnuPG signature verification
  4. Create a primary key
  5. Create an archive signing key
  6. Enable GnuPG archive signing
  7. Clean-up
  8. Known problems


($ means user-shell, # means root-shell)

1. Change home directory for user debarchiver (optional):
---------------------------------------------------------

This first step is optional, but it is based on my experience. The reasoning:
We will create a .gnupg sub-directory and the devscripts config file
.devscripts in debarchiver's home directory. It is possible that you make
your repository public (read README.web). Maybe you share my opinion that
guests looking at your website should not have access to these files. There
are 3 ways to prevent them from accessing .gnupg or .devscripts:

 - see README.repository for entry to make in httpd.conf/vhosts.conf or
   don't make /var/lib/debarchiver public
 
 - move your repository into a sub-directory of /var/lib/debarchiver (e.g.
   /var/lib/debarchiver/archive) and make this sub-directory public
   
   	# cd /var/lib/debarchiver
   	# mkdir archive
   	# mv dists archive/
   	# mv incoming archive/
   	# vi /etc/debarchiver.conf
   	  -> fix '$destdir' and '$inputdir'

 - change the home directory for debarchiver to e.g. /home/debarchiver
 	
 	# mkdir /home/debarchiver
 	# chown debarchiver:debarchiver /home/debarchiver
 	# usermod -d /home/debarchiver debarchiver
 
I prefer the last alternative, because it is IMHO the cleanest solution. But
decide on your own.


2. Create GnuPG infrastructure:
-------------------------------

First, we will give debarchiver temporary access to /bin/bash and login as
debarchiver:

	# chsh -s /bin/bash debarchiver
	# su debarchiver
	$ cd ~

The next step creates the GnuPG infrastructure (maybe you need to run this
command twice):

	$ echo -n "" | gpg

Optional, but recommended: Comment out all keyservers in
~debarchiver/.gnupg/gpg.conf.

Now we have the necessary infrastructure and we can begin to import keys:

	$ gpg --no-default-keyring --keyring uploaders.gpg \
		--import <keyfile>
	
	or
	
	$ gpg --no-default-keyring --keyring uploaders.gpg \
		--keyserver <server> --recv-keys <key ID>

Now we need to make dscverify recognize our keyring uploaders.gpg:

	$ cp /etc/devscripts.conf ~/.devscripts
	$ vi .devscripts
	  -> uncomment DSCVERIFY_KEYRINGS and add our keyring:
	     DSCVERIFY_KEYRINGS="~/.gnupg/uploaders.gpg"
	  [save&exit]


A first test will show whether everything works as expected. To do this, upload
a signed package into $incomingdir and run dscverify. The output should be:

	$ dscverify <package>.changes
	    <package>.changes:
	        Good signature found
	    validating <package>.dsc
	        Good signature found
	    validating <package>.orig.tar.gz
	    validating <package>.diff.gz
	    validating <package>.deb
	    All files validated successfully.


3. Enable GnuPG signature verification:
---------------------------------------

To enable the verification of signed package files:

	# vi /etc/debarchiver.conf
	  -> $vrfycmd = "dscverify";
	  -> $verifysignatures = 1;
	  -> $verifysignaturesdistinput = 1;
	  [save&exit]

Now you should test your repository and upload a signed package.

If you're only using GnuPG signature verification, you can stop here and go to
7. Clean-up.


4. Create a primary key:
------------------------

NOTE: You don't want to use this key to sign the Release files. We will
create the archive signing key one step later.

NOTE: You can skip this step if you are running debarchiver on your own
account and if you already have a primary key.

	$ gpg --gen-key


5. Create an archive signing key:
---------------------------------

To sign an archive (the Release files) as written in 'man apt-secure' and
http://www.debian.org/doc/manuals/securing-debian-howto/ch7#s7.4.1, we will
need to create a GnuPG key-pair and tell debarchiver to use this key (and
passphrase) to sign our archive (see 6.). 

	$ gpg --gen-key

The passphrase (if there is one) needs to be stored in a file whose permissions
are set to 0600. Of course this violates traditional practice. But there is
no other way to provide an automatic Release signing mechanism. The default
file is ~/.gnupg/passphrase.

	$ touch ~/.gnupg/passphrase
	$ chmod 600 ~/.gnupg/passphrase
	$ vi ~/.gnupg/passphrase
	  -> Enter passphrase
	  [save&exit]


6. Enable GnuPG archive signing:
--------------------------------

To enable automatic archive signing:

	# vi /etc/debarchiver.conf
	  -> uncomment $signcmd
	     $signcmd = "/usr/lib/debarchiver/signhelper/signhelper.sh";
	  -> $gpgkey = "MY_ARCHIVE_SIGNING_KEY";
	     (replace MY_ARCHIVE_SIGNING_KEY with the appropriate value)
	  -> $gpgpassfile = "$ENV{HOME}/.gnupg/passphrase";
	     (only if you use a key with a non-empty passphrase, the file
	      above is the default value -> adjust it if necessary)
	    -OR-
	     $gpgpassfile = ""; -OR- $gpgpassfile = 0;
	     (for an empty passphrase)

Next time debarchiver is run, it will create Release.gpg files. In this case,
you should upload your public archive signing key to a server to make it
available to the public.


7. Clean-up:
------------

If everything works, we are ready to continue. Log out from the debarchiver shell:

	$ exit

We can now remove the access to /bin/bash for debarchiver:

	# chsh -s /bin/false debarchiver

Optional: Remove .bash_history and .viminfo from ~debarchiver/

	# rm ~debarchiver/.bash_history ~debarchiver/.viminfo


8. Known problems:
------------------

If you changed the home directory for debarchiver, it can sometimes happen
that it will still not work. In this case make sure that you followed all
steps as described above and then run:

	# usermod -d /var/lib/debarchiver debarchiver
	# usermod -d /home/debarchiver debarchiver

Now it should work.

In all other cases: Make sure that you followed all steps as described
above.
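
A pre-flight check for the file-system side of sections 1, 5 and 6, as an added example (not part of debarchiver or of the original README): it verifies that $signcmd names an executable file and not a directory, that the passphrase file is private, and that the GnuPG directory is private and outside the published tree. The function names are hypothetical, GNU stat is assumed, and mode 700 for ~/.gnupg is GnuPG's usual default, not something this README states.

```shell
#!/bin/sh
# Added example, not part of debarchiver. Function names are hypothetical.
# Assumes GNU stat (as on Debian) for 'stat -c %a'.
# Usage: sh audit.sh SIGNCMD PASSFILE GNUPGDIR PUBLISHED_ROOT

mode_of() { stat -c '%a' "$1"; }

# $signcmd must name the helper script itself, not the directory holding it.
check_signcmd() {
    if [ -d "$1" ]; then echo "signcmd is a directory: $1"; return 1; fi
    if [ ! -f "$1" ] || [ ! -x "$1" ]; then
        echo "signcmd is not an executable file: $1"; return 1
    fi
}

# Returns 0 if private, 1 if others can read it, 2 if absent
# (debarchiver then falls back to an empty passphrase).
check_passfile() {
    if [ ! -e "$1" ]; then echo "no passphrase file: $1"; return 2; fi
    m=$(mode_of "$1")
    case "$m" in
        600|400) return 0 ;;
        *) echo "passphrase file has mode $m, expected 600: $1"; return 1 ;;
    esac
}

# The GnuPG directory must be private (assumed mode 700) and must not sit
# inside the published tree, which is the concern of section 1.
check_gnupg_dir() {
    d=$(cd "$1" && pwd -P) || return 1
    p=$(cd "$2" && pwd -P) || return 1
    m=$(mode_of "$d")
    case "$m" in 700|500) ;; *) echo "$d has mode $m, expected 700"; return 1 ;; esac
    case "$d/" in "$p"/*) echo "$d is inside published tree $p"; return 1 ;; esac
}

# audit SIGNCMD PASSFILE GNUPGDIR PUBLISHED_ROOT -> exit status = hard failures
audit() {
    fails=0
    check_signcmd "$1" || fails=$((fails + 1))
    check_passfile "$2" || { [ $? -eq 2 ] || fails=$((fails + 1)); }
    check_gnupg_dir "$3" "$4" || fails=$((fails + 1))
    return "$fails"
}

if [ "$#" -eq 4 ]; then audit "$@"; fi
```

Run it as the debarchiver user before the clean-up in section 7; an absent passphrase file is reported but not counted as a failure, because an empty passphrase is a supported setup.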
