jordansissel / fpm

Effing package management! Build packages for multiple platforms (deb, rpm, etc) with great ease and sanity.
http://fpm.readthedocs.io/en/latest/

Debian package signing #809

Open prof-milki opened 9 years ago

prof-milki commented 9 years ago

Just noticed that there is simple RPM signing support, but none yet for DEB packages.

In this case using dpkg-sig is certainly simpler than manual package/ar modification.
Simple patch:

  ::Dir.chdir(build_path) do
    safesystem("ar", "-qc", output_path, "debian-binary", "control.tar.gz", datatar)
+    if @attributes[:deb_sign]
+     safesystem("dpkg-sig", "-s", "builder", "-k", @attributes[:deb_sign], output_path)
+   end
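Review bot: the signing step runs only after `ar` has already written `output_path`, so if `dpkg-sig` is not installed or the key is wrong, `safesystem` raises and an unsigned package is left behind with nothing telling the user that `dpkg-sig` is required. Check that the `dpkg-sig` executable is available before the `ar` call (or remove `output_path` when signing fails) so the option either yields a signed package or fails cleanly. The three added lines (`if`, `safesystem`, `end`) also use three different indents; align them with the two-space indent of the enclosing `chdir` block.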

And an additional flag:

+   option "--sign", "KEY", 
+     "Sign the resulting package with named GPG key."
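Review bot: the help text should say what KEY is and what the flag depends on: that KEY is a GPG key id or name handed to `dpkg-sig -k`, that the signature is made with the `builder` role, and that `dpkg-sig` must be installed. The first hunk reads `@attributes[:deb_sign]`, so if fpm's usual package-type prefixing applies here the user-facing flag is `--deb-sign` rather than `--sign`; name it that way in the help text and in the `--sign`/`--rpm-sign` comparison at the end of the post. Drop the trailing space after `"KEY",` as well.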

(It might be interesting to consolidate it into a global --sign flag. Albeit not sure if that's feasible, since --rpm-sign is a boolean :flag, but the deb version requires a keyname string.)
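As an added example (not part of this issue or of fpm's code): a small Python reader for the `ar` container a .deb is built from, used to check whether a package carries a dpkg-sig signature member. It assumes dpkg-sig's convention of storing the signature as an ar member named `_gpg<role>`, so `-s builder` adds `_gpgbuilder`; the archives it inspects are constructed in memory and the signature body is a placeholder, not a real PGP block.

```python
"""Inspect a .deb (an `ar` archive) and report any dpkg-sig signature members.

Added example, not fpm's code. It assumes dpkg-sig's convention of storing a
signature as an ar member named `_gpg<role>` (so `dpkg-sig -s builder` adds
`_gpgbuilder`); the .deb bytes below are constructed in memory, not real
packages, and the signature body is a placeholder rather than a real PGP block.
"""

AR_MAGIC = b"!<arch>\n"
AR_HEADER_LEN = 60


def ar_members(blob):
    """Yield (name, data) for each member of a common-format ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + AR_HEADER_LEN <= len(blob):
        hdr = blob[pos:pos + AR_HEADER_LEN]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header at offset %d" % pos)
        # GNU ar terminates names with '/', BSD ar does not; accept both.
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii"))
        data = blob[pos + AR_HEADER_LEN:pos + AR_HEADER_LEN + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        yield name, data
        pos += AR_HEADER_LEN + size + (size % 2)  # members are 2-byte aligned


def deb_signature_roles(blob):
    """Return the dpkg-sig roles found in a .deb (e.g. ['builder']); [] if unsigned."""
    return [name[len("_gpg"):] for name, _ in ar_members(blob) if name.startswith("_gpg")]


def has_deb_layout(blob):
    """True if the archive starts with debian-binary and has control and data tarballs."""
    names = [name for name, _ in ar_members(blob)]
    return (names[:1] == ["debian-binary"]
            and any(n.startswith("control.tar") for n in names)
            and any(n.startswith("data.tar") for n in names))


# --- constructed sample archives (the writer helpers exist only to build them) ---

def _ar_header(name, size):
    # name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2) = 60 bytes
    return (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
            + "100644".ljust(8) + str(size).ljust(10)).encode("ascii") + b"`\n"


def build_ar(members):
    """Write a minimal common-format ar archive from (name, bytes) pairs."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += _ar_header(name, len(data)) + data
        if len(data) % 2:
            out += b"\n"  # pad odd-sized members to keep 2-byte alignment
    return bytes(out)


SIG_PLACEHOLDER = b"-----BEGIN PGP SIGNED MESSAGE-----\n(constructed placeholder)\n"

UNSIGNED_DEB = build_ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", b"CTRL"),   # stand-in for a real gzip'd control tarball
    ("data.tar.xz", b"DATA"),      # stand-in for a real xz'd data tarball
])

# The same package after a `dpkg-sig -s builder` step, which adds `_gpgbuilder`.
SIGNED_DEB = build_ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", b"CTRL"),
    ("data.tar.xz", b"DATA"),
    ("_gpgbuilder", SIG_PLACEHOLDER),
])

if __name__ == "__main__":
    for label, deb in (("unsigned", UNSIGNED_DEB), ("signed", SIGNED_DEB)):
        print(label, has_deb_layout(deb), deb_signature_roles(deb))
```

Listing the members is all that is needed to tell a dpkg-sig-signed .deb from an unsigned one; actually validating the signature still means handing the `_gpg<role>` member to gpg, which this reader deliberately does not do.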

anantshri commented 8 years ago

@jordansissel any chance you are implementing this?

neomatrix369 commented 6 years ago

Just curious if this feature has been implemented; we already have rpm-sign, so something for Debian would be cool too, similar to https://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/

mnikhil-git commented 6 years ago

@bernd @jordansissel any chance taking a look at this? :-)

Chan9390 commented 6 years ago

@jordansissel Any updates ?

tnishimura commented 5 years ago

I just came upon this thread because I thought I needed to sign deb packages in order to create a private package repository for Ubuntu/Debian. This is not the case -- Ubuntu at least does not sign nor verify signatures of packages. They sign and verify repos. Therefore, creating a 'signed' repo falls onto the repo-management tool you're using (aptly in my case).
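To make the repo-versus-package distinction concrete, here is an added Python example (not from this thread or from fpm) that follows the hash chain apt relies on: a signed Release file lists the SHA256 of each Packages index, and Packages lists the SHA256 of each .deb, so a tampered .deb is rejected without any per-package signature. The Release/Packages text and the .deb bytes are constructed, and the OpenPGP verification of Release itself is represented by a boolean argument rather than invoked.

```python
"""Follow the trust chain apt uses for a signed repository.

Added example, not fpm's code. Only the hash links are modelled: a (signed)
Release file lists the SHA256 of each Packages index, and Packages lists the
SHA256 of each .deb, so a per-package signature is not needed for apt to reject
a tampered .deb. The Release/Packages text and the .deb bytes are constructed;
the OpenPGP check of Release itself is represented by the `release_sig_ok`
argument, which a real client gets from gpgv over InRelease/Release.gpg.
"""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text):
    """Return {path: sha256hex} from the 'SHA256:' section of a Release file."""
    hashes, in_sha256 = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):            # a new 'Field:' header line
            in_sha256 = line.startswith("SHA256:")
            continue
        if in_sha256:
            digest, _size, path = line.split()  # ' <hash> <size> <path>'
            hashes[path] = digest
    return hashes


def parse_packages(packages_text):
    """Return {Filename: SHA256} for every stanza in a Packages index."""
    result = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        result[fields["Filename"]] = fields["SHA256"]
    return result


def verify_chain(release_text, release_sig_ok, packages_path, packages_text,
                 deb_path, deb_bytes):
    """True only if every link from the signed Release down to the .deb holds."""
    if not release_sig_ok:
        return False   # untrusted Release: nothing below it can be trusted
    release = parse_release_sha256(release_text)
    if release.get(packages_path) != sha256_hex(packages_text.encode()):
        return False   # Packages index was altered or is not the one listed
    packages = parse_packages(packages_text)
    return packages.get(deb_path) == sha256_hex(deb_bytes)


# --- constructed repository contents ---
DEB_PATH = "pool/main/h/hello/hello_1.0_amd64.deb"
DEB_BYTES = b"constructed stand-in for a .deb file"
PACKAGES_PATH = "main/binary-amd64/Packages"
PACKAGES = (
    "Package: hello\n"
    "Version: 1.0\n"
    "Architecture: amd64\n"
    f"Filename: {DEB_PATH}\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {sha256_hex(DEB_BYTES)}\n"
)
RELEASE = (
    "Origin: example\n"
    "Suite: stable\n"
    "MD5Sum:\n"
    f" {'0' * 32} {len(PACKAGES.encode())} {PACKAGES_PATH}\n"   # legacy digest, ignored
    "SHA256:\n"
    f" {sha256_hex(PACKAGES.encode())} {len(PACKAGES.encode())} {PACKAGES_PATH}\n"
)


def check_repo(deb_bytes=DEB_BYTES, release_sig_ok=True):
    """Run the whole chain over the constructed repository."""
    return verify_chain(RELEASE, release_sig_ok, PACKAGES_PATH, PACKAGES,
                        DEB_PATH, deb_bytes)


if __name__ == "__main__":
    print("intact:", check_repo())
    print("tampered deb:", check_repo(deb_bytes=DEB_BYTES + b"x"))
    print("unsigned release:", check_repo(release_sig_ok=False))
```

The chain only holds while the first link does: with `release_sig_ok` false nothing below Release is trusted, which is why the repo-management tool (aptly here) is the place where the signing key has to live.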

jordansissel commented 5 years ago

Indeed. Debian packages can be signed, but I don't see it much in the wild. That said, I would support signed deb support and am open to someone working on it.
