Sign with Debsigs

Enterprise

The debsigs format replaces the deprecated dpkg-sign format used in older versions of Debian and Debian-based operating systems, such as Ubuntu. For more information on debsigs, see the Debian debsigs documentation.

Instead of a dedicated debsigs package Signer, SignServer leverages OpenPGP Signer to generate signatures and SignWrapper-GPG to integrate those signatures into the DEB signing workflow.

The SignWrapper-GPG is a script that wraps SignClient and behaves like a gpg (GnuPG) command, allowing the standard debsigs tool to use signwrapper-gpg instead of gpg. Because Debian packages embeds signatures directly inside the package file, this scheme requires some logic on the client side: preparing the file, hashing it, and inserting the resulting signature into the Debian data structure.

The Signer uses OpenPGP public keys instead of X.509 certificates. The public key can instead be obtained from the Worker's status output. Additionally, the Generate CSR functionality lets you associate a User ID with the key and store it in the PGPPUBLICKEY property. When using RSA keys for Debian signing, this step is required to produce the correct key type.


Prerequisite: OpenPGP Signer Configured

In the Set up OpenPGP Signer, follow the steps to configure a OpenPGP Signer, add User ID and certification, and generate a revocation certificate.


Set up Debsigs for Signing using SignWrapper-GPG

The SignServer SignWrapper-GPG replaces the gpg (GnuPG) command in the DEB signing workflow by routing requests through SignClient.

Configure SignWrapper-GPG

To use SignWrapper-GPG together with debsigsit needs to know where SignClient is located. If signwrapper-gpg is not kept in the SignClient folder, set one of the following environment variables:

  • SIGNCLIENT_CMD: Set to the full path of the bin/signclient script, or

  • SIGNCLIENT_HOME or SIGNSERVER_HOME: Set to the root folder of the SignClient distribution.

Configure SignClient

Set the following environment variables so SignWrapper-GPG can connect to your SignServer instance:

Variable

Description

SIGNCLIENT_HOSTS

Value for the -hosts HOSTS SignClient parameter is the hostname or IP-address of the SignServer host or a comma separated list of hosts.

Example: signserver1.example.com

SIGNCLIENT_PORT

Value for the -port PORT SignClient parameter is the TCP port on the SignServer host to use.

Example: 8080

SIGNCLIENT_PARAMS

(Optional) Value for any extra parameters to put on the SignClient command line.

Example: -truststore TRUSTSTORE -truststorepwd PWD

Configure GPG Path

In order for debsigs to use SignWrapper-GPG instead of the native GPG tool, put signwrapper-gpg on the path “shadowing” the GPG command:

ln -s $SIGNSERVER_HOME/bin/signwrapper-gpg /opt/gpg
export PATH=/opt:$PATH

For more details on the command, see SignWrapper-GPG.


Sign a DEB Package

With the debsigs tool configured to use SignWrapper-GPG, sign a package using the standard debsigs command:

debsigs --sign=origin --default-key=OpenPGPSigner release.deb

Use the Worker name as the key identity.

When the command completes, the release.deb contains the embedded signature.

List signatures in the package:

debsigs --list release.deb

Verify the Signature

Use debsig-verify to verify the signature.

If the Signer's public key is not yet imported to the local GPG keyring, import it first:

  1. Save the public key (from PGPPUBLICKEY property) as signer001-pub.asc.

  2. Import the key to GPG keyring:

    gpg --import signer001-pub.asc
    

Add public key to debsigs policy:

gpg --list-public-keys
KEY_ID=`echo -n 78064687F8BEB17E5B188436D18D3718FAB9BDCD | cut -c25-` # extract last 16 characters as key ID (replace full ID string with correspoding output from --list-public-keys)
POL_DIR=/etc/debsig/policies/$KEY_ID
mkdir $POL_DIR

cat > $POL_DIR/my-app.pol << EOF
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="https://www.debian.org/debsig/1.0/">

  <Origin Name="Debsig" id="$KEY_ID" Description="Debsig testing"/>

  <Selection>
    <Required Type="origin" File="debsig.gpg" id="$KEY_ID"/>
  </Selection>

  <Verification MinOptional="0">
    <Required Type="origin" File="debsig.gpg" id="$KEY_ID"/>
  </Verification>

</Policy>
EOF

gpg --export 78064687F8BEB17E5B188436D18D3718FAB9BDCD > $KEY_DIR/debsig.gpg

Verify package signature:

debsig-verify release.deb

(Optional) Distribute the Public Key

The OpenPGP public key can be published to online key servers or distributed to clients by other means.