getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

How to verify deb packages before installing ? #1539

Open nipil opened 1 week ago

nipil commented 1 week ago

Hello

I am (for once!) trying to validate the signatures of the deb packages provided in the releases.

It may be well-known but there are no explanations in the release page, and no checksums for the packages.

Could anyone point me in the right direction ?

Nicolas

felixfontein commented 6 days ago

That's a good question. I think the .deb file is not signed, and neither are the .rpm files, so there is no way to validate signatures for them. @getsops/maintainers am I missing something?

I think this is something we have to change. According to https://goreleaser.com/customization/nfpm/ goreleaser supports this, but for that we somehow need a GPG signing key, which needs to be available to the release automation. That doesn't look like a good idea to me.

Does anyone know how other CNCF projects are doing this?

er0k commented 5 days ago

The Linux packages are checksummed in the release workflow. The checksums are base64 encoded and sent to the SLSA generator for provenance. If you decode the subjects, you can find the checksums for the Debian packages (these are for the v3.9.0 release):

$ base64 -d subjects.txt | grep deb
c382d0ba899f119840a8cdcc1797f1af9d46e89ec1886bf28de36c0b17867920  sops_3.9.0_arm64.deb
8aee355e3ded54d3421f245dd4ea3352f4849a0c409ce15b51529979256749ca  sops_3.9.0_amd64.deb

You can then find the checksum of the file you downloaded to verify they are the same:

$ sha256sum sops_3.9.0_amd64.deb
8aee355e3ded54d3421f245dd4ea3352f4849a0c409ce15b51529979256749ca  sops_3.9.0_amd64.deb

I'm not sure why these checksums aren't included in the sops-v3.9.0.checksums.txt release artifact 🤷
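The two manual steps in the comment above (decode the base64 subjects list, then compare against `sha256sum` of the downloaded file) as one script. This is an added example, not code from the sops project or from the thread; `subjects.txt`, the function names and the sample package are assumptions, and the demo builds a throwaway file and a matching subjects list locally so it runs offline. A caveat worth keeping in mind: a checksum match only shows that the download is the file the subjects list describes. The list is only as trustworthy as the provenance it came from, so verify the SLSA provenance attestation itself (for example with `slsa-verifier`) before treating its subjects as authoritative.

```shell
#!/bin/sh
# Added example (not sops project code): check a downloaded .deb against the
# SHA-256 recorded for it in the decoded SLSA provenance subjects.

# Hex SHA-256 of file $1, using whichever tool the host provides.
digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    awk '{ print $1 }'
}

# Print the expected SHA-256 for file name $2 from the base64-encoded
# subjects file $1 (assumed format: "<hex sha256>  <file name>" per line,
# as in "base64 -d subjects.txt" above). Prints nothing if $2 is not listed.
expected_sha256() {
  base64 -d "$1" | awk -v name="$2" '$2 == name { print $1 }'
}

# Compare the digest of package $2 with the entry for its base name in $1.
# Returns 0 on match, 1 on mismatch, 2 if the package is not listed at all.
verify_deb() {
  vd_subjects=$1
  vd_deb=$2
  vd_name=$(basename "$vd_deb")
  vd_want=$(expected_sha256 "$vd_subjects" "$vd_name")
  if [ -z "$vd_want" ]; then
    echo "NOT LISTED  $vd_name has no subject entry" >&2
    return 2
  fi
  vd_have=$(digest "$vd_deb")
  if [ "$vd_have" = "$vd_want" ]; then
    echo "OK    $vd_name $vd_have"
    return 0
  fi
  echo "FAIL  $vd_name expected $vd_want got $vd_have" >&2
  return 1
}

# Offline demo with constructed data: a fake package plus a subjects file that
# lists it, then the same package after tampering. Real input is the decoded
# subjects of the release provenance and the .deb from the release page.
demo() {
  d_tmp=$(mktemp -d)
  printf 'constructed stand-in for a .deb\n' > "$d_tmp/sops_3.9.0_amd64.deb"
  printf '%s  sops_3.9.0_amd64.deb\n' "$(digest "$d_tmp/sops_3.9.0_amd64.deb")" |
    base64 > "$d_tmp/subjects.txt"
  verify_deb "$d_tmp/subjects.txt" "$d_tmp/sops_3.9.0_amd64.deb"
  printf 'tampered\n' >> "$d_tmp/sops_3.9.0_amd64.deb"
  verify_deb "$d_tmp/subjects.txt" "$d_tmp/sops_3.9.0_amd64.deb" || true
  rm -rf "$d_tmp"
}

demo
```

Usage against a real release: save the decoded-subjects source as `subjects.txt`, then run `verify_deb subjects.txt sops_3.9.0_amd64.deb` and act on the exit code (0 match, 1 mismatch, 2 not listed). The comparison is done with a plain string equality rather than `grep`, so a digest that is merely a substring of another line cannot pass.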