
WIP: Add Debian (.deb) package signing

Closed Jason Plum requested to merge gitlab_omnibus-add-deb-signing into gitlab_omnibus

What

Add Debian package signing, via the methodology described in the debsigs documentation: https://gitlab.com/debsigs/debsigs

How

Addition of a sign_deb_file function to Packager::DEB, after create_deb_file. The essential concepts of what is required to sign a .deb with a type: origin signature are delineated per the link to debsigs above. There is no current functionality built into dpkg scripting akin to rpm --addsign. Since the .deb file format is simple, we extract the contents of the archive (ar x), sign the concatenated (specifically ordered) contents, and then append the created signature to the archive (ar rc debfile _gpgorigin).

These steps could have been accomplished in pure Ruby with the addition of several modules (GPGME, libarchive) except for two concerns: age & maintenance, fakeroot requirements.

Tests have been added to attempt to cover the behavior correctly.

External Program Requirements

  • gpg : This is already an existing requirement of Packager::RPM due to the use of rpmsign
  • ar : Most systems that attempt to build Debian packages will have the ar command, and it has been confirmed that MacOS also has this utility.

Adding ar to the required tools compiled by Omnibus may be required.

Edited by Jason Plum
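
The container handling described in the merge request above, as an added example that is not part of the merge request or the Omnibus code base: a pure-Ruby reader that parses the ar archive, rebuilds the byte string an origin signature covers, and returns the `_gpgorigin` member if present. All function names are hypothetical, the sample package is constructed, and the member order (debian-binary, control.tar.*, data.tar.*) is assumed from the debsigs scheme.

```ruby
AR_MAGIC = "!<arch>\n".b

# Parse an ar archive into ordered [name, data] pairs.
def ar_members(bytes)
  bytes = bytes.b
  raise ArgumentError, "not an ar archive" unless bytes.start_with?(AR_MAGIC)
  members = []
  pos = AR_MAGIC.bytesize
  while pos < bytes.bytesize
    header = bytes.byteslice(pos, 60)
    raise ArgumentError, "bad member header" unless header.bytesize == 60 && header.end_with?("`\n".b)
    name = header.byteslice(0, 16).rstrip.sub(%r{/\z}, "") # GNU ar appends "/" to names
    size = Integer(header.byteslice(48, 10).strip, 10)
    data = bytes.byteslice(pos + 60, size)
    raise ArgumentError, "truncated member #{name}" unless data && data.bytesize == size
    members << [name, data]
    pos += 60 + size + (size.odd? ? 1 : 0) # member data is padded to an even offset
  end
  members
end

# Assumption (debsigs scheme): the signature covers the first three members,
# concatenated in archive order; _gpgorigin itself is never part of the payload.
def signed_payload(members)
  first3 = members.first(3)
  patterns = [/\Adebian-binary\z/, /\Acontrol\.tar(\..+)?\z/, /\Adata\.tar(\..+)?\z/]
  ok = first3.size == 3 && first3.zip(patterns).all? { |(name, _), re| name.match?(re) }
  raise ArgumentError, "unexpected member order" unless ok
  first3.map(&:last).join
end

# Returns the raw origin signature bytes, or nil for an unsigned package.
def origin_signature(members)
  members.assoc("_gpgorigin")&.last
end

# Helper used only to build the constructed sample below.
def ar_pack(members)
  members.reduce(AR_MAGIC.dup) do |out, (name, data)|
    out << format("%-16s%-12d%-6d%-6d%-8s%-10d`\n", name, 0, 0, 0, "100644", data.bytesize).b
    out << data.b << (data.bytesize.odd? ? "\n" : "")
  end
end

# Constructed sample: placeholder bytes stand in for real tarballs and a real signature.
SAMPLE_DEB = ar_pack([["debian-binary", "2.0\n"], ["control.tar.gz", "CTRL!"],
                      ["data.tar.xz", "DATA"], ["_gpgorigin", "SIG"]])
members = ar_members(SAMPLE_DEB)
puts "signed: #{!origin_signature(members).nil?}, payload bytes: #{signed_payload(members).bytesize}"
```

Assuming the signature is a detached one as in debsigs, writing the two return values to files gives the data and signature inputs for `gpg --verify`.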
