I found it extremely difficult to set up deb file signing and signature verification using `debsigs` and `debsig-verify`. There is an old HOWTO out there that is much-referenced, but does not work at least for contemporary versions of these tools.

I did ultimately get it to work, so I’m posting this question with my answer in case it helps others. Every individual challenge I ran into has a solution out there somewhere after enough digging, but I couldn’t find anything that ties it all together into a process that works.

This is based on debsigs 0.1.26 and debsig-verify 1.20.9.
Background
After installing `debsigs`, you can find detailed info under `/usr/share/doc/debsig-verify/`, in:

- `policy-syntax.txt`
- `examples/`
Notes
- `debsig-verify` works with packages signed by `debsigs`, not `dpkg-sig`.
- The relevant directory names and command options imply that you use keyring files.
  - I couldn’t get that to work. One post I found said “they are keys, not keyrings.” That worked.
- The XML namespace and directory structure in the `.pol` file must match the output of `debsig-verify --version`.
  - (be careful about http vs https)
- A gpg “key id” is the last 16 hextets of the key’s fingerprint.
  - This is the “short id,” and is indicated as insecure in some references.
  - I did not see any way to get `debsigs` to use long key ids (last 32 hextets). I couldn’t find a way to get gpg to give me a key id, and I found counting 16 chars to copy/paste error-prone, so I used `cut` in my solution.
HOWTO
```bash
# create key
gpg --full-generate-key
# follow prompts; for testing it's easier to use no passphrase

# add key for debsigs in KEY_ID dir
# <key fingerprint> is the 40-hex-char fingerprint with spaces removed;
# cut -c25- keeps the last 16 chars, which is the key id debsigs expects
KEY_ID=$(echo -n <key fingerprint> | cut -c25-)
echo -n "$KEY_ID" | wc -c # must be 16 chars
KEY_DIR=/usr/share/debsig/keyrings/$KEY_ID
mkdir "$KEY_DIR"
gpg --export "$KEY_ID" > "$KEY_DIR/debsig.gpg" # not ascii & not a keyring

# create XML policy
POL_DIR=/etc/debsig/policies/$KEY_ID
mkdir "$POL_DIR"
vi "$POL_DIR/my-app.pol"
# copy/paste example from /usr/share/doc/debsig-verify/examples/
# replace example id= value w/ $KEY_ID
# replace File= value with debsig.gpg

# sign package
debsigs --sign=origin --default-key="$KEY_ID" my-app-2.1.0.deb
# You should be prompted for key's passphrase - if not, sort that out directly w/ gpg first
# if there is a KDE desktop running, the prompt may pop-up in the GUI in a dialog box

# verify package
debsig-verify --debug --verbose my-app-2.1.0.deb

# utility commands
# show signature in .deb
debsigs --list my-app-2.1.0.deb
# note: some debsigs versions (0.01.19) crash when signature starts with comment
# upgrade to newer version (0.1.26)
# show gpg packets from signature file
ar x my-app-2.1.0.deb _gpgorigin # extract the signature
gpg --list-packets _gpgorigin
```
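The two error-prone steps above (counting 16 characters out of the fingerprint, and hand-editing the example `.pol` file) can be scripted. The following is an added example, not part of the original post or of the debsigs/debsig-verify projects: it derives the key id from a fingerprint as gpg prints it (with spaces) and checks its length, then writes a policy file in the layout of the shipped example. It assumes the policy layout shown in `/usr/share/doc/debsig-verify/examples/` and takes the XML namespace as a parameter so it can be matched to what `debsig-verify --version` prints.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the key id and
# the .pol policy file. Both the policy layout and the DTD location
# (namespace + "policy.dtd") are assumptions based on the shipped example.

# key_id_from_fingerprint FINGERPRINT
# Strips the spaces gpg prints between groups of four, upper-cases, and
# keeps the last 16 hex digits. Returns non-zero unless the result is
# exactly 16 hex characters, which catches a truncated or mangled paste.
key_id_from_fingerprint() {
    id=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    id=$(printf '%s' "$id" | tail -c 16)
    case "$id" in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#id}" -eq 16 ] || return 1
    printf '%s\n' "$id"
}

# write_policy KEY_ID ORIGIN_NAME XMLNS OUTFILE
# Writes a policy that requires an "origin" signature made by KEY_ID and
# verifies it with the key exported to debsig.gpg under
# /usr/share/debsig/keyrings/KEY_ID. XMLNS must end with a slash and match
# the namespace reported by `debsig-verify --version`.
write_policy() {
    key_id=$1; name=$2; xmlns=$3; out=$4
    cat > "$out" <<EOF
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "${xmlns}policy.dtd">
<Policy xmlns="$xmlns">
  <Origin Name="$name" id="$key_id" Description="$name packages"/>
  <Selection>
    <Required Type="origin" File="debsig.gpg" id="$key_id"/>
  </Selection>
  <Verification MinOptional="0">
    <Required Type="origin" File="debsig.gpg" id="$key_id"/>
  </Verification>
</Policy>
EOF
}

# Usage (real run, paths as in the HOWTO):
#   KEY_ID=$(key_id_from_fingerprint "$(gpg --fingerprint <uid> | sed -n 2p)")
#   write_policy "$KEY_ID" my-app "https://www.debian.org/debsig/1.0/" \
#       /etc/debsig/policies/$KEY_ID/my-app.pol
```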