Package: dpkg-sig
Version: 0.13.1
Severity: normal

There was recently a long discussion on this topic on debian-security, and Holger recommended that I summarize it in a bug report against dpkg-sig, so here goes:

dpkg-sig creates a signature that is embedded in the .deb file. So that means no matter how the .deb file got onto a system, that signature can be verified. I'm proposing to start making dpkg-sig a standard part of official .deb files. This can be done in stages to make it manageable. Here's a rough idea of that:

1. Adding a 'builder' signature should be easy to start with: make `debsign` also run `dpkg-sig --sign builder` on any .deb files it finds. I believe that `dpkg -i` will already try to verify a signature if it exists.
2. Add something like `dpkg --require-debsig` to force checking of the dpkg-sig signature. This would be optional to start with, and complementary to the already existing `dpkg --no-debsig`.
3. Make `dpkg-buildpackage` call `dpkg-sig --sign builder --sign-changes full` to sign packages.
4. etc.

Here is one real problem this addresses:

* TAILS is a Debian-based live CD
* the core system image by definition cannot be modified (live CD)
* it has a persistent storage feature on a USB thumb drive
* it also can save apt cache/lib to that persistent store
* it automatically installs packages on boot from that store
* mostly people use TAILS in online mode
* there is a fully offline mode in development
* offline TAILS cannot verify the packages if apt lists are >2 weeks
* updating the apt cache/lib is painful on an offline machine
* an offline machine's threat model is drastically simpler

On top of all that, each update increases risk of compromise on offline machines because each new update provides a vector to run a script or introduce new code that otherwise does not exist (no network!).

Other people want to be able to directly download .deb packages and have them verified as part of the install process. This is not my primary concern, but I do think it is a valid one. It would also be addressed by full support of dpkg-sig.

Looking at other distros, Fedora has signed RPMs. Arch's package manager has had a feature to enable SignedOnly packages for a while now: https://wiki.archlinux.org/index.php/DeveloperWiki:Package_signing

The whole thread on debian-security is here: https://lists.debian.org/debian-security/2014/07/msg00022.html

.hc
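The report's central point is that a dpkg-sig signature travels inside the .deb itself, as an extra member of the ar archive that dpkg ignores, so it can be checked after the file has arrived by any route. The following added example (not code from the bug report or from dpkg-sig) models that mechanism: it builds a minimal .deb in memory, appends a `_gpgbuilder` member carrying a hash manifest of the other members in the style of dpkg-sig's signed text, and verifies it. The OpenPGP clearsign step is replaced by an HMAC with a constructed key so the script runs offline without GnuPG; that substitution, the sample package contents and the key are assumptions of the example. Rejecting a package with no signature member mirrors the proposed `--require-debsig` behaviour, and the tamper check shows why an embedded manifest catches a modified data.tar.gz.

```python
"""Toy model of an embedded .deb signature in the style of dpkg-sig.

Added example, not dpkg-sig's own code. HMAC stands in for `gpg --clearsign`
so that the demonstration runs offline; the key and package are constructed.
"""
import hashlib
import hmac
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
SIG_MEMBER = "_gpgbuilder"  # dpkg-sig uses _gpg<role>; dpkg skips members starting with "_"
BUILDER_KEY = b"constructed-builder-key"  # constructed stand-in for the builder's OpenPGP key


def ar_header(name: str, size: int) -> bytes:
    """Build a 60-byte classic ar member header (name, mtime, uid, gid, mode, size, magic)."""
    if len(name) > 16:
        raise ValueError("ar member names are limited to 16 bytes here")
    hdr = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
           + "100644".ljust(8) + str(size).ljust(10) + "`\n")
    return hdr.encode()


def ar_pack(members) -> bytes:
    """Serialise [(name, data), ...] as an ar archive; odd-sized members get a newline pad."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += ar_header(name, len(data)) + data
        if len(data) % 2:
            out += b"\n"
    return bytes(out)


def ar_unpack(blob: bytes):
    """Parse an ar archive back into [(name, data), ...], validating each header's magic."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        name = hdr[0:16].decode().rstrip().rstrip("/")
        size = int(hdr[48:58])
        members.append((name, blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size % 2)
    return members


def tar_gz(path: str, content: bytes) -> bytes:
    """Create a one-file .tar.gz in memory (stand-in for control.tar.gz / data.tar.gz)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo(path)
        info.size = len(content)
        tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_deb() -> bytes:
    """Constructed minimal .deb: debian-binary, control.tar.gz, data.tar.gz."""
    return ar_pack([
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", tar_gz("control", b"Package: example\nVersion: 0.1\n")),
        ("data.tar.gz", tar_gz("usr/share/doc/example/README", b"hello\n")),
    ])


def manifest(members) -> str:
    """dpkg-sig-style text: one line of md5, sha1, size and name per non-signature member."""
    lines = ["Version: 4", "Role: builder", "Files:"]
    for name, data in members:
        if name.startswith("_"):
            continue
        lines.append(f"\t{hashlib.md5(data).hexdigest()} {hashlib.sha1(data).hexdigest()} "
                     f"{len(data)} {name}")
    return "\n".join(lines) + "\n"


def signed_text(members, key: bytes) -> bytes:
    """Manifest plus an HMAC trailer; real dpkg-sig clearsigns the manifest with gpg instead."""
    body = manifest(members)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return (body + "Signature: " + mac + "\n").encode()


def sign_deb(deb: bytes, key: bytes) -> bytes:
    """Append the _gpgbuilder member, as `dpkg-sig --sign builder` would."""
    members = [m for m in ar_unpack(deb) if not m[0].startswith("_gpg")]
    return ar_pack(members + [(SIG_MEMBER, signed_text(members, key))])


def verify_deb(deb: bytes, key: bytes) -> bool:
    """Strict check in the spirit of --require-debsig: unsigned or modified packages fail."""
    members = ar_unpack(deb)
    sigs = [data for name, data in members if name == SIG_MEMBER]
    if len(sigs) != 1:
        return False  # no signature member present (or ambiguous)
    expected = signed_text([m for m in members if m[0] != SIG_MEMBER], key)
    return hmac.compare_digest(sigs[0], expected)


def tamper(signed_deb: bytes) -> bytes:
    """Swap data.tar.gz for different content while keeping the original signature member."""
    members = [(n, d) if n != "data.tar.gz"
               else (n, tar_gz("usr/share/doc/example/README", b"not hello\n"))
               for n, d in ar_unpack(signed_deb)]
    return ar_pack(members)


if __name__ == "__main__":
    plain = build_deb()
    signed = sign_deb(plain, BUILDER_KEY)
    print("members:", [n for n, _ in ar_unpack(signed)])
    print("signed verifies:", verify_deb(signed, BUILDER_KEY))
    print("unsigned verifies:", verify_deb(plain, BUILDER_KEY))
    print("tampered verifies:", verify_deb(tamper(signed), BUILDER_KEY))
```

Because the manifest covers every member except the signature itself, the check is independent of where the file came from: a mirror, a USB stick carried to an offline TAILS box, or a direct download all yield the same result, and the only trust anchor a verifier needs is the builder's key rather than fresh apt lists.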