search

jellyfin / jellyfin-ffmpeg

FFmpeg for Jellyfin
https://jellyfin.org
Other
432 stars 115 forks source link

Currently It Appears DEB Files Are Not Being Signed (Nor Are Changes Files Or DSC Files) #376

Closed thegranddesign closed 2 months ago

thegranddesign commented 2 months ago

Describe The Bug

Currently the DEB file is failing verification. It's been a while but based on my install scripts that I used, I'm fairly certain that the DEB file used to verify. The issue is that the DEB file itself is not being signed.

The solution is to add a step to the build process that runs something like:

debsigs --sign=origin -k 49023CD01DE21A7B <jellyfin_deb_file>.deb

This will add a file to the DEB file that includes a signature.

Steps To Reproduce

  1. Install the public key to /usr/share/debsig/keyrings/49023CD01DE21A7B/debsig.gpg
  2. Install the debsig policy file to /etc/debsig/policies/49023CD01DE21A7B/debsig.pol
  3. Run debsig-verify ./<jellyfin_deb_file>.deb

Example debsig.pol file:

<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="https://www.debian.org/debsig/1.0/">
  <Origin Name="Jellyfin" id="49023CD01DE21A7B" Description="Jellyfin Media Server"/>
    <Selection>
      <Required Type="origin" File="debsig.gpg" id="49023CD01DE21A7B"/>
    </Selection>
    <Verification MinOptional="0">
      <Required Type="origin" File="debsig.gpg" id="49023CD01DE21A7B"/>
    </Verification>
</Policy>

Actual Behavior

Message stating:

Origin Signature check failed. This deb might not be signed.

Expected Behavior

I expect that there will be a message stating that the DEB file is valid.

System (please complete the following information):

Additional Information:

It should also be straightforward to sign the .changes and .dsc files as well which would be useful for others. Although for my purposes I only really care about verifying the actual DEB that I'm going to install directly.

thegranddesign commented 2 months ago

Wrong repo