NAMEdpkg-sig - Debian package archive (.deb) signature generation and verification tool
DESCRIPTIONThis is the description of the source code, trying to help people to understand how dpkg-sig works.
SYNOPSIS\@file_info = sign_deb ($signing_role, $file) Does everything needed to add a signature to $file: * Verifies existing signatures * Creates the meta-data that is actually signed * Calls gpg to sign the meta-data. * Adds the signature to $file Returns a reference to an array containing the new md5sum, the new size and the name of the signed deb. $signature_name = write_deb_info ($signing_role, $file) Creates a digests.asc file with the meta-data of $file in dpkg-sig's tempdir: * Gets the needed information from $file * Chooses the name of the signature * Writes a file in a RFC822-like format containing the meta-data Returns the name that should be used to add the file to the deb. sign_hashes ($file) Signs a .dpkg-sig-hashes $file containing the digests of a deb/changes file: * Checks the .dpkg-sig-hashes file to see if it really was created by us * Creates a new archive, containing the old control file * Signs the digests and adds the clearsigned data to the the new archive * Substitutes the old file by the new, signed one. @changed_files = write_signature ($file) Adds the signatures from a signed .dpkg-sig-hashes $file to the signed debs: * Checks the .dpkg-sig-hashes file to see if it really was created by us * Tries to find out where we find the debs that have sigs in the .dpkg-sig-hashes * Checks if the debs were changed since they were signed * Adds signatures from the .dpkg-sig-hashes file to the debs * If needed, it corrects the changes file to reflect the new sizes/md5sums of the debs Returns the pathes of the debs that were changed. @output = verify_deb ($deb, $verify_pattern) Verifies all signatures in $deb with names matching $verify_pattern: * Gets the digests of all parts of $deb. * Skips all signatures that don't match $verify_pattern. * Writes the signatures to $tempdir/digests.asc. * Calls a function to check if $tempdir/digests.asc is valid in the v4 format, then tries v3 and v2. Returns its output. This is needed to achieve a "silent" verification when signing a deb. $verification_status = verify_deb_sig_v4 ($part_name, $part_number, \@digests, \@info, \@return) Verifies if $tempdir/digests is a valid (version 4) signature for the deb described with \@digests: * Calls gpg to verify the OpenPGP signature in $tempdir/digests.asc itself. * Parses the signature to get the digests that were actually signed * Compare the digests of the deb and those extracted from the signature to see if the deb was changed. * Check that the name in the ar archive matches the "Role" field in the signature. * DON'T check the Signer- and Date-Fiels. * Check that at least the digests for control.tar.gz, data.tar.gz and debian-binary were signed. Returns if the the signature is good, by an unknown key, or bad. $verification_status = verify_deb_sig_v3 ($part_name, $part_number, \@digests, \@info, \@return) Verifies if $tempdir/digests is a valid (version 3) signature for the deb described with \@digests: * Creates a file in $tempdir/digests that contains the signing role and the digests from the current deb. * Calls gpg to verify that the detached OpenPGP signature in $tempdir/digests.asc is valid for $tempdir/digests. Returns if the the signature is good, by an unknown key, or bad. $verification_status = verify_deb_sig_v2 ($part_name, $part_number, \@digests, \@info, \@return) Verifies if $tempdir/digests is a valid (version 2) signature for the deb described with \@digests: * Creates a file in $tempdir/digests that contains the digests from the current deb. * Calls gpg to verify that the detached OpenPGP signature in $tempdir/digests.asc is valid for $tempdir/digests. Returns if the the signature is good, by an unknown key, or bad. $sig_name = get_sig_name ($sig_name, \@parts, $deb) Tries to find a filename for the signature. Receives the role and constructs a name not already present in $deb. Returns the final name or dies if it wasn't possible to construct a name. correct_changes_file ($changes, \%new_deb_info) Receives a path to a changes file $changes and a hash reference \%new_deb_info containing new sizes and md5sums of debs in that changes file. It'll parse the changes file, replace the old values by the new ones. If the file is signed, the signature will be stripped (as it would be invalid anyway). \@new_file_info = add_part_to_ar_archive ($file, $new_data, $new_name) \@new_file_info = add_sig_to_deb ($file, $new_data, $new_name) Adds $new_data to $file as new ar archiv part, using $new_name as filename. If $file doesn't exist, a new ar archive is created. Returns the new md5sum and size of $file. @parts = get_ar_parts ($file) @parts = get_deb_parts ($file) Parses $file as ar archive and returns all filenames included in the archive. @debs = get_debs_from_changes ($file, \$changes_signed) Parses $file as Debian .changes file and returns all listed debs. The dirname of $file is prepended to the debs, which means that the returned URIs should exist. If $file is signed, $changes_signed is set to "yes". \@digests = get_deb_digests ($deb) Parses $deb and returns the meta-data of the included files. The read data is piped to md5sums and sha1sums, which create the respective digests. The digests, the filename and the size are put in an anymous array looking like this: [$name, $size, $sha1sum, $md5sum]. One of these arrays is pushed to @digests for every file in $deb. $md5sum = get_file_md5sum ($file) Returns the md5sum for $file. $part_data = get_archive_part ($archive, $part_name) Returns the content of $part_name in the ar archive $archive. @file_data = read_control_file ($file) Returns the content of $file as array with one line per element. @file_info = write_control_file ($file, \@data) Writes contents of \@data to $file. Returns new md5sum and size of $file. @files = glob_exp ($exp) Returns the result of globbing $exp as array. $file_readable = file_readable ($file) Returns a true value if $file is readable. @ssh_uri_parts = split_ssh_uri ($uri) Splits an ssh URI $uri into a $user, $host and $path part. @ssh_connection_info = get_ssh_connection ($user, $host) Opens a ssh connection to $host as user $user, directly calling dpkg- sig. It checks if the remote dpkg-sig is compatible to the current version and returns the $pid, the Read-Filehandle $readerfh and the Write-Filehandle $writerfh. sign_control_files ($changes_file) This works like debsign: Checks if a .dsc exists. If the .dsc should be signed, it tries to do so.. Writes the new .dsc with the new signature. Reads $changes_file and puts in the new size/md5sum of the .dsc. Signs $changes_file and write the signed copy back. sign_file ($in_file, $out_file, $no_detach) Signs $in_file with gpg and puts the detached signature in $out_file. If $no_detach is true, $out_file is a clearsigned copy of $in_file.
AUTHORdpkg-sig and this manpage were written by Andreas Barth und Marc Brockschmidt. They are Copyright (C) 2003, 2004 by them and released under the GNU General Public Licence version 2 or later; there is NO WARRANTY. See /usr/share/doc/dpkg-sig/copyright and /usr/share/common-licenses/GPL for details. DPKG-SIG(7)