Hi,

On Sun, 2008-04-27 at 12:44:31 +0200, Robert Millan wrote:
> Package: dpkg
> Version: 1.13.25
> Severity: wishlist
> Tags: patch
>
> This is an incomplete patch for implementing a --verify option. I'd like
> to receive feedback before completing it, to make sure you're comfortable
> with this approach.
>
> The problem I find is that there's no way to actually verify signatures
> with the current scheme. Given a .deb, dpkg will only verify the signature
> (and fail when it is invalid) if a signature is found. So you can defeat
> this security scheme by simply feeding a .deb without any signature, and
> dpkg will happily process it.
I think you can specify a debsig-verify policy that will fail if there's
no signature on a .deb package. And if no-debsig is not specified it
should do what you want.

> My proposal is that "--verify" forces dpkg to reject the deb unless a
> signature is found (and is valid).
>
> The only complication was making this coexist with current behaviour
> (checking for signature when one is found, even if it wasn't requested,
> etc). I think the attached patch achieves this. Please let me know if
> it looks good so I can complete it and test it properly.

The intention I read from your patch is that you want to force the failure
if you've specified to verify and either debsig-verify failed or it was
not present. And not the case where there's no signature in the .deb
package, as dpkg itself does not get that information.

regards,
guillem