[debhelper-devel] Bug#766267: debhelper: add file signature support in .deb packages

Mimi Zohar zohar at linux.vnet.ibm.com
Tue Oct 21 20:34:34 UTC 2014

Package: debhelper
Version: 9.20131227ubuntu1
Severity: wishlist

Dear Maintainer,

This is a request for adding file signatures in .deb packages and for
installing those signatures as 'security.ima' extended attributes
at package install time.  The existing md5sums file contains the file
hash and name for each file included in the package, making it the
most logical place for storing file signatures.  This patch set
defines a new debhelper dh_checksums, based on dh_md5sums, to support
additional, larger digests.

Depending on the relationship of the build and signing server, the
signatures could either be included in the checksums files during the
package build process or post build, prior to uploading. Included in
this patch set is a sample script that opens the package, extracts
the checksums file, includes the file signatures, and inserts the
modified checksums file with the file signatures in the deb package.

To install the file signatures as 'security.ima' extended attributes,
this patch set defines the dh_installfile-sigs debhelper and the
postinst-file-sigs autoscript.  Although the checksums file should
contain signatures for all files, the autoscript currently installs
only the signatures for ELF files and scripts, making them "immutable"
on systems with IMA-appraisal enabled and configured in enforcing mode.

-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty'), (100, 'trusty-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.2+ (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages debhelper depends on:
ii  binutils     2.24-5ubuntu3
ii  dh-apparmor  2.8.95~2430-0ubuntu5
ii  dpkg         1.17.5ubuntu5.3
ii  dpkg-dev     1.17.5ubuntu5.3
ii  file         1:5.14-2ubuntu3.1
ii  man-db
ii  perl         5.18.2-2ubuntu1
ii  po-debconf   1.0.16+nmu2ubuntu1

debhelper recommends no packages.

Versions of packages debhelper suggests:
ii  dh-make  0.63

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Define-a-new-debhelper-dh_checksums.patch
Type: text/x-diff
Size: 4295 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/debhelper-devel/attachments/20141021/e66d0a45/attachment-0006.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Define-a-new-debhelper-dh_installfile-sigs-and-posti.patch
Type: text/x-diff
Size: 2943 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/debhelper-devel/attachments/20141021/e66d0a45/attachment-0007.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Include-sample-script-named-ima-signhashes.sh.patch
Type: text/x-diff
Size: 3310 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/debhelper-devel/attachments/20141021/e66d0a45/attachment-0008.patch>
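As an added example (not part of this report or its attached patches), a postinst-style shell helper that does what the description outlines: it reads a checksums file, verifies each file's recorded hash before trusting the entry, and sets `security.ima` only on ELF files and scripts. The three-column line format, the `ima_*` names and the hex encoding of the signature are assumptions; the real format is defined in the attached patches.

```shell
# Added example, not code from the bug report or its patches.
# Assumed line format (not defined on this page): "<sha256>  <hexsig>  <path>",
# with <path> relative to the package root, as in DEBIAN/md5sums.
set -u

# Print the first N bytes of a file as lowercase hex, e.g. "7f454c46" for ELF.
ima_magic() { od -An -tx1 -N "$2" "$1" | tr -d ' \n'; }

# Only ELF binaries and "#!" scripts get a signature, as the autoscript does.
ima_wants_sig() {
    case "$(ima_magic "$1" 4)" in
        7f454c46) return 0 ;;   # \x7fELF
        2321*)    return 0 ;;   # "#!"
        *)        return 1 ;;
    esac
}

# ima_install_sigs CHECKSUMS ROOT [dry]
# For each entry: check the on-disk hash against the recorded one before
# labelling (a wrongly installed or altered file must not receive a valid
# signature), then set security.ima to the hex signature blob.
# With "dry", print "label <path>" instead of calling setfattr.
ima_install_sigs() {
    checksums=$1; root=$2; mode=${3:-apply}
    while read -r hash sig rel; do
        [ -n "$rel" ] || continue          # skip blank or short lines
        f="$root/$rel"
        [ -f "$f" ] || { echo "skip $rel: missing" >&2; continue; }
        actual=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$hash" ]; then
            echo "skip $rel: hash mismatch" >&2; continue
        fi
        ima_wants_sig "$f" || continue
        if [ "$mode" = dry ]; then
            echo "label $rel"
        else
            # setfattr accepts the raw xattr value as 0x-prefixed hex.
            setfattr -n security.ima -v "0x$sig" "$f"
        fi
    done < "$checksums"
}
```

Applying the xattr for real needs root and a filesystem with extended attribute support; on an IMA-appraisal system in enforcing mode a file labelled with a signature that does not verify against the loaded key becomes unexecutable, so run in dry mode first.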