jellyfin / jellyfin-packaging

Jellyfin Packaging and Build Workflows
GNU General Public License v3.0

[Issue]: DEB Files Are Not Being Signed (Nor Are .changes Or .dsc Files) #14

Closed thegranddesign closed 4 months ago

thegranddesign commented 5 months ago

Please describe your bug

Currently the DEB file is failing verification. It's been a while but based on my install scripts that I used, I'm fairly certain that the DEB file used to verify. The issue is that the DEB file itself is not being signed.

The solution is to add a step to the build process that runs something like:

debsigs --sign=origin -k 49023CD01DE21A7B <jellyfin_deb_file>.deb

This will add a file to the DEB file that includes a signature.

It should also be straightforward to sign the .changes and .dsc files as well which would be useful for others. Although for my purposes I only really care about verifying the actual DEB that I'm going to install directly.

Reproduction Steps

  1. Install the public key to /usr/share/debsig/keyrings/49023CD01DE21A7B/debsig.gpg
  2. Install the debsig policy file to /etc/debsig/policies/49023CD01DE21A7B/debsig.pol
  3. Run debsig-verify ./<jellyfin_deb_file>.deb

Example debsig.pol file:

<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="https://www.debian.org/debsig/1.0/">
  <Origin Name="Jellyfin" id="49023CD01DE21A7B" Description="Jellyfin Media Server"/>
  <Selection>
    <Required Type="origin" File="debsig.gpg" id="49023CD01DE21A7B"/>
  </Selection>
  <Verification MinOptional="0">
    <Required Type="origin" File="debsig.gpg" id="49023CD01DE21A7B"/>
  </Verification>
</Policy>

Actual Behavior

Message stating:

Origin Signature check failed. This deb might not be signed.

Expected Behavior

I expect that there will be a message stating that the DEB file is valid.

Jellyfin Version

10.8.13

if other:

No response

Environment

- OS: Linux (Ubuntu)
- Linux Kernel: N/A
- Virtualization: N/A

Jellyfin logs

N/A

FFmpeg logs

No response

Please attach any browser or client logs here

No response

Please attach any screenshots here

No response

Code of Conduct
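The "file" that debsigs adds is an extra member of the .deb's ar container (`_gpgorigin` for `--sign=origin`). The following added example, not code from the Jellyfin project or from the reporter, parses that container and reports whether an origin signature member is present, which is what `debsig-verify` is looking for before it checks the signature itself. The sample package bytes are constructed inline; the tar members are placeholders.

```python
# Added example: inspect the ar container of a .deb for debsigs signature members.
AR_MAGIC = b"!<arch>\n"
# debsigs stores each detached signature as an ar member named after its type;
# "--sign=origin" (as proposed in the issue) adds "_gpgorigin".
SIG_MEMBERS = {"origin": "_gpgorigin", "maint": "_gpgmaint", "builder": "_gpgbuilder"}

def ar_members(data):
    """Yield (name, payload) for each member of an 'ar' archive (the .deb container)."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos < len(data):
        hdr = data[pos:pos + 60]                       # fixed 60-byte member header
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("bad or truncated member header at offset %d" % pos)
        name = hdr[:16].decode("ascii").rstrip(" /")   # GNU ar terminates names with '/'
        size = int(hdr[48:58].decode("ascii"))         # decimal size, space padded
        body = data[pos + 60:pos + 60 + size]
        if len(body) != size:
            raise ValueError("truncated member %r" % name)
        yield name, body
        pos += 60 + size + (size & 1)                   # members start on even offsets

def inspect_deb(data):
    """Report whether the archive looks like a .deb and which signature members it carries."""
    members = list(ar_members(data))
    names = [n for n, _ in members]
    is_deb = bool(members) and names[0] == "debian-binary" and members[0][1].strip() == b"2.0"
    present = {kind for kind, member in SIG_MEMBERS.items() if member in names}
    return {"is_deb": is_deb, "members": names, "signatures": present,
            "origin_signed": "origin" in present}

def _member(name, body):
    """Encode one ar member (zeroed mtime/uid/gid, mode 100644, even-length padding)."""
    hdr = "%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", len(body))
    return hdr.encode("ascii") + body + (b"\n" if len(body) & 1 else b"")

def build_sample_deb(signed):
    """Constructed minimal .deb; with signed=True an '_gpgorigin' member is appended."""
    parts = [_member("debian-binary", b"2.0\n"),
             _member("control.tar.gz", b"control-placeholder"),
             _member("data.tar.gz", b"data-placeholder")]
    if signed:  # constructed stand-in for the armored signature debsigs would store
        parts.append(_member("_gpgorigin", b"-----BEGIN PGP SIGNATURE-----\n...constructed...\n"))
    return AR_MAGIC + b"".join(parts)

if __name__ == "__main__":
    for flag in (False, True):
        print(inspect_deb(build_sample_deb(flag)))
```

On a real package, `inspect_deb(open(path, "rb").read())["origin_signed"]` being False is exactly the state that produces the "Origin Signature check failed" message quoted above.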

jellyfin-bot commented 5 months ago

Hi, it seems like your issue report has the following item(s) that need to be addressed:

This is an automated message, currently under testing. Please file an issue here if you encounter any problems.

felix920506 commented 5 months ago

Looks like an issue with Packaging / CI. cc @joshuaboniface

joshuaboniface commented 5 months ago

We've never signed our .deb files in the past as far as I'm aware.

It's certainly something we can start doing though. I'll look into it.

joshuaboniface commented 4 months ago

Implemented!

thegranddesign commented 4 months ago

My monthly donations put to good use! :heart: Thank you so much!!