
Integrity checking

Debian Images

See Verifying authenticity of Debian CDs.

Source packages

This is the tricky part. In theory, you could just run

dscverify *.dsc

which checks whether the signature was made with a key included in the debian-keyring package, or with a key you have a verification path to.

In practice, this should always work for sources you download from the same Debian release you are running. Sources downloaded from a newer release might not verify, depending mainly on whether the maintainer's key is already in the version of debian-keyring you have installed.

Using a newer debian-keyring package

You might want to try a newer debian-keyring package (from testing or unstable). We haven't tested this yet, but it could remove much of the complexity that follows.

Install debian-keyring manually somewhere

If that doesn't work, you might keep a newer copy of the debian-keyring somewhere. We already provide a way to get the keyring directly from https://keyring.debian.org:

make keyring

We use --no-default-keyring so that gpg looks for the key only in the keyring given with --keyring (here the Debian developers' keyring), and not in the pubring of your own ~/.gnupg:

gpg --no-default-keyring --keyring /path/to/debian/keyring/keyrings/debian-keyring.gpg --verify *.dsc

You might also want to have the following in your ~/.devscripts (the line break is only to keep the formatting here):

DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg:
                    /path/to/debian/keyring/keyrings/debian-keyring.gpg:/path/to/debian/keyring/keyrings/debian-maintainers.gpg"

Or you can use the following alias:

alias dscverify='dscverify --keyring /path/to/debian/keyring/keyrings/debian-keyring.gpg --keyring /path/to/debian/keyring/keyrings/debian-maintainers.gpg'

Manually getting the key

Another option is to fetch the specific key, using the key ID reported by gpgv (12345678 here is a placeholder):

gpg --recv-keys 12345678

Either way, you need criteria for how much trust to place in the keyring or the public key you just downloaded. A short key ID is not enough to identify a key, since keys with colliding short IDs can be generated; compare the full fingerprint. The same goes for software you're porting to Debian whose signature you can't check against the debian-keyring.

Issues with dpkg-source

Things get even trickier when you use dpkg-source. See Debian Bug report logs - #852019 gpgv: unknown type of key resource 'trustedkeys.kbx' for details.

Even if you merge both keyring/keyrings/debian-keyring.gpg and keyring/keyrings/debian-maintainers.gpg into a file such as keyring/keyrings/pubring.kbx, symlink it as keyring/keyrings/trustedkeys.gpg and point GNUPGHOME at that folder, you'll still get strange behaviour:

0 $ dget http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc
dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1827  100  1827    0     0   2626      0 --:--:-- --:--:-- --:--:--  4911
dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2.orig.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 26055  100 26055    0     0  20738      0  0:00:01  0:00:01 --:--:-- 27455
dget: retrieving http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.debian.tar.xz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2892  100  2892    0     0   4183      0 --:--:-- --:--:-- --:--:--  8078
ruby-childprocess_0.5.2-1.dsc:
      Good signature found
   validating ruby-childprocess_0.5.2.orig.tar.gz
   validating ruby-childprocess_0.5.2-1.debian.tar.xz
All files validated successfully.
gpgv: Signature made Mon 28 Apr 2014 18:03:27 BRT using RSA key ID 39CD217A
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./ruby-childprocess_0.5.2-1.dsc
dpkg-source: info: extracting ruby-childprocess in ruby-childprocess-0.5.2
dpkg-source: info: unpacking ruby-childprocess_0.5.2.orig.tar.gz
dpkg-source: info: unpacking ruby-childprocess_0.5.2-1.debian.tar.xz
0 $

What happened here is that dscverify honoured our custom configuration above (Good signature found), while dpkg-source still relied on the keyring shipped in the debian-keyring package, which doesn't have this key, so its gpgv call failed. Note that dpkg-source only warned and went on to extract the source anyway, so you have to look for that warning.

Even if you remove the debian-keyring package, dpkg-source will still fall back to $HOME/.gnupg/trustedkeys.gpg, which you don't really want to fill with keys you haven't established a proper trust relationship with.

As dpkg-source currently doesn't honour GNUPGHOME (see TODO for bug report), all we can do for now is call dget and dpkg-source with HOME pointed at the keyring directory, so that $HOME/.gnupg/trustedkeys.gpg resolves to the one kept there:

HOME=/path/to/debian/keyring/keyrings/ dpkg-source -x $package*dsc
HOME=/path/to/debian/keyring/keyrings/ dget <remote-dsc>

For this trick to work, you'll need to run

make keyring

Again, you might set two handy aliases for your shell:

alias dpkg-source='HOME=/path/to/debian/keyring/keyrings/ dpkg-source'
alias dget='HOME=/path/to/debian/keyring/keyrings/ dget'

Optionally, as a last touch, import your own key into this keyring:

gpg --armor --export $KEYID | \
gpg --no-default-keyring --keyring /path/to/debian/keyring/keyrings/.gnupg/trustedkeys.gpg --import
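The whole sequence above, as an added example that is not part of this page or of the keyring repository it refers to: a throwaway key stands in for a maintainer key, two files under a temporary directory stand in for the keyrings fetched by make keyring, and a clearsigned stub stands in for a .dsc. It shows --no-default-keyring --keyring against a keyring that has the key and one that doesn't, the same check through gpgv (the tool dpkg-source runs), and the HOME trick, where gpgv falls back to $HOME/.gnupg/trustedkeys.gpg. Every path, file name and identity in it is an assumption, and it needs GnuPG 2.1 or later (gpg, gpgv, gpgconf).

```shell
#!/bin/sh
# Added example, not from the original page or the keyring repository it
# refers to. A throwaway key, two keyring files and a clearsigned stub stand
# in for a maintainer key, the "make keyring" keyrings and a .dsc. Every path,
# name and identity below is a constructed assumption; needs GnuPG 2.1+
# (gpg, gpgv, gpgconf).
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"      # throwaway home: the real ~/.gnupg is never touched
KEYRINGS="$WORK/keyrings"           # plays the role of /path/to/debian/keyring/keyrings
mkdir -m 700 "$GNUPGHOME" "$KEYRINGS" "$KEYRINGS/.gnupg"

cleanup() { gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"; }
trap cleanup EXIT

# 1. A throwaway "maintainer" key with no passphrase.
gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Maintainer
Name-Email: maintainer@example.invalid
Expire-Date: 0
%commit
EOF

# key_fingerprint UID: primary fingerprint of a key in the throwaway GNUPGHOME.
key_fingerprint() {
    gpg --batch --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# 2. Stand-ins for the keyrings fetched by "make keyring": one that contains
#    the maintainer's public key (an export is already a valid keyring file)
#    and one that contains nothing.
gpg --batch --quiet --export maintainer@example.invalid > "$KEYRINGS/debian-keyring.gpg"
: > "$KEYRINGS/empty-keyring.gpg"

# 3. A constructed stand-in for a .dsc; real ones are clearsigned the same way.
printf 'Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\n' > "$WORK/body"
DSC="$WORK/example_1.0-1.dsc"
gpg --batch --quiet --local-user maintainer@example.invalid --clearsign --output "$DSC" "$WORK/body"

# verify_with KEYRING FILE: gpg consults KEYRING only; --no-default-keyring keeps
# it from also searching the pubring in GNUPGHOME. Exit 0 means a good signature.
verify_with() {
    gpg --batch --quiet --no-default-keyring --keyring "$1" --verify "$2" 2>/dev/null
}

# signer_fingerprint KEYRING FILE: the fingerprint gpg attributes the signature
# to, from the machine-readable VALIDSIG status line (empty when unverifiable).
signer_fingerprint() {
    gpg --batch --no-default-keyring --keyring "$1" --status-fd 1 --verify "$2" 2>/dev/null |
        awk '$2 == "VALIDSIG" { print $3; exit }'
}

# verify_gpgv KEYRING FILE: the same check through gpgv, the tool dpkg-source runs.
verify_gpgv() {
    gpgv --quiet --keyring "$1" "$2" 2>/dev/null
}

# verify_under_home HOMEDIR FILE: the page's HOME trick. With GNUPGHOME unset,
# gpgv's home is $HOME/.gnupg and its default keyring is trustedkeys.gpg there,
# so that file decides the outcome rather than the real user's ~/.gnupg.
verify_under_home() {
    ( unset GNUPGHOME; HOME="$1" gpgv --quiet "$2" 2>/dev/null )
}

# 4. Populate trustedkeys.gpg by import, as in the page's last step. The file is
#    created empty first so gpg keeps the classic keyring format gpgv expects.
: > "$KEYRINGS/.gnupg/trustedkeys.gpg"
gpg --batch --quiet --armor --export maintainer@example.invalid |
    gpg --batch --quiet --no-default-keyring --keyring "$KEYRINGS/.gnupg/trustedkeys.gpg" --import 2>/dev/null

report() { if "$@"; then echo "accepted: $*"; else echo "rejected: $*"; fi; }
report verify_with "$KEYRINGS/debian-keyring.gpg" "$DSC"    # accepted: key is in the keyring
report verify_with "$KEYRINGS/empty-keyring.gpg"  "$DSC"    # rejected: public key not found
report verify_gpgv "$KEYRINGS/debian-keyring.gpg" "$DSC"    # accepted
report verify_under_home "$KEYRINGS" "$DSC"                 # accepted via .gnupg/trustedkeys.gpg
echo "signed by $(signer_fingerprint "$KEYRINGS/debian-keyring.gpg" "$DSC")"
```

The fingerprint printed at the end comes from gpg's VALIDSIG status line; comparing it with what the keyring lists for the maintainer is the check that a short key ID such as 39CD217A in the output above cannot give you.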

Then you might be happy... for a while :P
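A closer look at the "validating ..." and "All files validated successfully" lines in the dget output above, as an added example that is not from this page: a .dsc lists each referenced file under Checksums-Sha256 (dscverify and dpkg-source check the other checksum fields too), and validating means recomputing those. The script below builds constructed stand-ins for the tarballs and the .dsc, checks them, tampers with a tarball, and then regenerates the .dsc the way someone who controls the .dsc would. File names and contents are made up; it needs awk and GNU sha256sum.

```shell
#!/bin/sh
# Added example, not from the original page: what the "validating ..." lines in
# the dget output amount to. A .dsc lists each referenced file as
# " <sha256> <size> <name>" under Checksums-Sha256 (dscverify and dpkg-source
# check the other checksum fields too); this extracts that field and checks the
# files. All names and contents are constructed; needs awk and GNU sha256sum.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Two small files standing in for the upstream and Debian tarballs.
printf 'not really an upstream tarball\n' > example_1.0.orig.tar.gz
printf 'not really a debian tarball\n'   > example_1.0-1.debian.tar.xz

# make_dsc FILE...: print an (unsigned) .dsc whose Checksums-Sha256 covers FILE...
make_dsc() {
    printf 'Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\nChecksums-Sha256:\n'
    for f in "$@"; do
        printf ' %s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(( $(wc -c < "$f") ))" "$f"
    done
}

# check_dsc_sha256 DSC: recompute size and SHA-256 of every file listed under
# Checksums-Sha256 in DSC (paths relative to DSC's directory). 0 only if all match.
check_dsc_sha256() {
    dsc=$1
    dir=$(dirname "$dsc")
    list=$(mktemp)
    # The field body is the run of indented lines after the "Checksums-Sha256:" header.
    awk '/^Checksums-Sha256:/ { f = 1; next }
         /^[^ ]/              { f = 0 }
         f && NF == 3         { print $1, $2, $3 }' "$dsc" > "$list"
    if [ ! -s "$list" ]; then
        echo "no Checksums-Sha256 field in $dsc" >&2; rm -f "$list"; return 1
    fi
    status=0
    while read -r want_hash want_size name; do
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "missing: $name" >&2; status=1; continue
        fi
        have_size=$(( $(wc -c < "$path") ))
        have_hash=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$have_size" != "$want_size" ] || [ "$have_hash" != "$want_hash" ]; then
            echo "mismatch: $name" >&2; status=1
        else
            echo "ok: $name"
        fi
    done < "$list"
    rm -f "$list"
    return "$status"
}

make_dsc example_1.0.orig.tar.gz example_1.0-1.debian.tar.xz > example_1.0-1.dsc
check_dsc_sha256 example_1.0-1.dsc && echo "pristine: all checksums match"

# Tampering with a tarball is caught ...
printf 'backdoor\n' >> example_1.0.orig.tar.gz
check_dsc_sha256 example_1.0-1.dsc || echo "tampered tarball: rejected by checksums"

# ... but whoever can replace the .dsc just recomputes the field, and the
# checksum step passes again. Only the signature on the .dsc, checked against
# a keyring you trust, distinguishes this from the pristine case.
make_dsc example_1.0.orig.tar.gz example_1.0-1.debian.tar.xz > example_1.0-1.dsc
check_dsc_sha256 example_1.0-1.dsc && echo "recomputed .dsc: checksums match again"
```

The last step passes again, which is the point: the checksums only bind the tarballs to the .dsc, and the signature on the .dsc is what binds the .dsc to a maintainer. Output that says all files validated while the signature could not be verified has therefore established nothing about where the source came from.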

See also: