Enterprise
The debsigs format replaces the deprecated dpkg-sign format used in older versions of Debian and Debian-based operating systems, such as Ubuntu. For more information on debsigs, see the Debian debsigs documentation.
Instead of a dedicated debsigs package Signer, SignServer leverages OpenPGP Signer to generate signatures and SignWrapper-GPG to integrate those signatures into the DEB signing workflow.
The SignWrapper-GPG is a script that wraps SignClient and behaves like a gpg (GnuPG) command, allowing the standard debsigs tool to use signwrapper-gpg instead of gpg. Because Debian packages embeds signatures directly inside the package file, this scheme requires some logic on the client side: preparing the file, hashing it, and inserting the resulting signature into the Debian data structure.
The Signer uses OpenPGP public keys instead of X.509 certificates. The public key can instead be obtained from the Worker's status output. Additionally, the Generate CSR functionality lets you associate a User ID with the key and store it in the PGPPUBLICKEY property. When using RSA keys for Debian signing, this step is required to produce the correct key type.
Prerequisite: OpenPGP Signer Configured
In the Set up OpenPGP Signer, follow the steps to configure a OpenPGP Signer, add User ID and certification, and generate a revocation certificate.
Set up Debsigs for Signing using SignWrapper-GPG
The SignServer SignWrapper-GPG replaces the gpg (GnuPG) command in the DEB signing workflow by routing requests through SignClient.
Configure SignWrapper-GPG
To use SignWrapper-GPG together with debsigsit needs to know where SignClient is located. If signwrapper-gpg is not kept in the SignClient folder, set one of the following environment variables:
-
SIGNCLIENT_CMD: Set to the full path of thebin/signclientscript, or -
SIGNCLIENT_HOMEorSIGNSERVER_HOME: Set to the root folder of the SignClient distribution.
Configure SignClient
Set the following environment variables so SignWrapper-GPG can connect to your SignServer instance:
|
Variable |
Description |
|---|---|
|
|
Value for the Example: |
|
|
Value for the Example: |
|
|
(Optional) Value for any extra parameters to put on the SignClient command line. Example: |
Configure GPG Path
In order for debsigs to use SignWrapper-GPG instead of the native GPG tool, put signwrapper-gpg on the path “shadowing” the GPG command:
ln -s $SIGNSERVER_HOME/bin/signwrapper-gpg /opt/gpg
export PATH=/opt:$PATH
For more details on the command, see SignWrapper-GPG.
Sign a DEB Package
With the debsigs tool configured to use SignWrapper-GPG, sign a package using the standard debsigs command:
debsigs --sign=origin --default-key=OpenPGPSigner release.deb
Use the Worker name as the key identity.
When the command completes, the release.deb contains the embedded signature.
List signatures in the package:
debsigs --list release.deb
Verify the Signature
Use debsig-verify to verify the signature.
If the Signer's public key is not yet imported to the local GPG keyring, import it first:
-
Save the public key (from
PGPPUBLICKEYproperty) assigner001-pub.asc. -
Import the key to GPG keyring:
gpg --import signer001-pub.asc
Add public key to debsigs policy:
gpg --list-public-keys
KEY_ID=`echo -n 78064687F8BEB17E5B188436D18D3718FAB9BDCD | cut -c25-` # extract last 16 characters as key ID (replace full ID string with correspoding output from --list-public-keys)
POL_DIR=/etc/debsig/policies/$KEY_ID
mkdir $POL_DIR
cat > $POL_DIR/my-app.pol << EOF
<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="https://www.debian.org/debsig/1.0/">
<Origin Name="Debsig" id="$KEY_ID" Description="Debsig testing"/>
<Selection>
<Required Type="origin" File="debsig.gpg" id="$KEY_ID"/>
</Selection>
<Verification MinOptional="0">
<Required Type="origin" File="debsig.gpg" id="$KEY_ID"/>
</Verification>
</Policy>
EOF
gpg --export 78064687F8BEB17E5B188436D18D3718FAB9BDCD > $KEY_DIR/debsig.gpg
Verify package signature:
debsig-verify release.deb
(Optional) Distribute the Public Key
The OpenPGP public key can be published to online key servers or distributed to clients by other means.