
feat: implement dpkg-sig Package signing #508

Merged (5 commits) May 30, 2022

Conversation

SasSwart (Contributor):

As mentioned here, Debsign package verification is a PITA.

Herewith my proposal to implement dpkg-sig style package verification.
As mentioned in the original thread, debsign and dpkg-sig are mutually exclusive, but it would be nice to be able to choose between them.
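An added example, not code from this PR or from nfpm, that a packager or reviewer could use to check which of the two mutually exclusive schemes a built .deb actually carries. It assumes the conventional ar member names, `_gpgbuilder` for dpkg-sig and `_gpgorigin`/`_gpgmaint`/`_gpgarchive` for debsign-style signatures, which the thread does not spell out; `ArMember` exists only to construct sample input.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ArMember builds one classic ar member (60-byte header, data, even padding).
// Only used to construct sample input; mtime/uid/gid/mode are fixed values.
func ArMember(name string, data []byte) []byte {
	hdr := fmt.Sprintf("%-16s%-12d%-6d%-6d%-8s%-10d`\n", name, 0, 0, 0, "100644", len(data))
	return append(append([]byte(hdr), data...), strings.Repeat("\n", len(data)%2)...)
}

// ArMemberNames parses a classic "!<arch>" archive, checking each header magic and size field against the archive length, and returns member names in order.
func ArMemberNames(b []byte) ([]string, error) {
	if len(b) < 8 || string(b[:8]) != "!<arch>\n" {
		return nil, fmt.Errorf("not an ar archive")
	}
	var names []string
	for off := 8; off < len(b); {
		if off+60 > len(b) || string(b[off+58:off+60]) != "`\n" {
			return nil, fmt.Errorf("truncated or malformed member header at %d", off)
		}
		size, err := strconv.Atoi(strings.TrimSpace(string(b[off+48 : off+58])))
		if err != nil || size < 0 || off+60+size > len(b) {
			return nil, fmt.Errorf("member size disagrees with archive length at %d", off)
		}
		names = append(names, strings.TrimSuffix(strings.TrimSpace(string(b[off:off+16])), "/"))
		off += 60 + size + size%2 // members are padded to an even offset
	}
	return names, nil
}

// SigningScheme reports which signature member a .deb carries ("dpkg-sig",
// "debsign" or "unsigned"); member names are assumed from tool conventions.
func SigningScheme(deb []byte) (string, error) {
	names, err := ArMemberNames(deb)
	if err != nil {
		return "", err
	}
	scheme := "unsigned"
	for _, n := range names {
		switch n {
		case "_gpgbuilder":
			scheme = "dpkg-sig"
		case "_gpgorigin", "_gpgmaint", "_gpgarchive":
			scheme = "debsign"
		}
	}
	return scheme, nil
}
```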

@pull-request-size pull-request-size bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label May 16, 2022
@SasSwart SasSwart marked this pull request as draft May 16, 2022 21:06
@SasSwart (Contributor Author):

I noticed an issue with how I'm populating the template.
I'm converting the PR to draft for the moment so I can fix that.

@SasSwart (Contributor Author):

Template issue fixed.
Ready for review

@SasSwart SasSwart marked this pull request as ready for review May 17, 2022 06:32
@codecov bot commented May 17, 2022:

Codecov Report

Merging #508 (a8e8767) into main (dcf239f) will decrease coverage by 0.12%.
The diff coverage is 61.01%.

@@            Coverage Diff             @@
##             main     #508      +/-   ##
==========================================
- Coverage   66.12%   66.00%   -0.13%     
==========================================
  Files          16       16              
  Lines        1916     2021     +105     
==========================================
+ Hits         1267     1334      +67     
- Misses        510      537      +27     
- Partials      139      150      +11     
Impacted Files          Coverage   Δ
nfpm.go                 86.50%     <ø>       (ø)
internal/sign/pgp.go    63.93%     <48.21%>  (-6.94%) ⬇️
deb/deb.go              71.21%     <72.58%>  (+1.05%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@caarlos0 (Member):

Hey! Thanks for the PR! I wonder if we can leave only the new method and remove the deprecated one? Does the latest Debian support the new one already? Any major distribution that doesn't?

@caarlos0 caarlos0 added the enhancement New feature or request label May 17, 2022
@SasSwart (Contributor Author):

Howdy,

I'm not sure at all. At the very least that would be a breaking change for any nfpm users that have adopted debsign.
I would vote for adding this method and consulting the wider community and contributors before making the decision to remove debsign.

@SasSwart (Contributor Author):

While fixing the linting issues, I discovered some more problems with the template I'm using.
I'll prepare a fix tonight.

@SasSwart (Contributor Author) commented May 18, 2022:

I have fixed the linting issue and added some more configs. All tests, linting etc. should now pass.

I've also done some more reading and I am convinced that the other signing method will have to be kept.
It still is the default method supported by dpkg.
That being said, I'm pretty sure neither are used much.

Debian/Apt seem to depend far more on signing the Release files in their repositories than they depend on signing packages themselves. Packages are usually only signed when distributed without a repository. Even in those cases, the big names like Microsoft seem not to bother with signing the package that is available for download. See https://code.visualstudio.com/ for an example.

Debian's package building depends pretty heavily on Source packages, which have their own detached control file (called a .dsc file) which is signed. None of this is as yet supported by nfpm.

I have seen another issue in this repository about supporting Debian source packages. The response seems to have been that you do not think that belongs within the purview of nfpm.

I disagree with this. I think there is a way that we can reasonably support building source packages. I'll attempt a PR and submit one if it's possible.

My source for most of the above:
https://debian-handbook.info/browse/stable/sect.source-package-structure.html

@caarlos0 (Member):

> I have seen another issue in this repository about supporting Debian source packages. The response seems to have been that you do not think that belongs within the purview of nfpm.

I think it was rpm source packages... tbh I'm not sure where it belongs, or if we should implement it...

@caarlos0 caarlos0 changed the title from "implement dpkg-sig Package signing" to "feat: implement dpkg-sig Package signing" May 30, 2022
@caarlos0 caarlos0 merged commit 1eb3837 into goreleaser:main May 30, 2022
@caarlos0 (Member):

Thanks, adding some stuff on #515 if you wanna check it out

@github-actions github-actions bot added this to the 2.15.0 milestone May 30, 2022
@caarlos0 caarlos0 modified the milestones: 2.15.0, v2.16.0 Jun 13, 2022