feat: implement dpkg-sig Package signing #508
Conversation
I noticed an issue with how I'm populating the template.
Template issue fixed.
Codecov Report
@@ Coverage Diff @@
##             main     #508      +/-   ##
==========================================
- Coverage   66.12%   66.00%   -0.13%
==========================================
  Files          16       16
  Lines        1916     2021     +105
==========================================
+ Hits         1267     1334      +67
- Misses        510      537      +27
- Partials      139      150      +11
Continue to review full report at Codecov.
Hey! Thanks for the PR! I wonder if we can leave only the new method and remove the deprecated one? Does the latest Debian support the new one already? Any major distribution that doesn't?
Howdy, I'm not sure at all. At the very least that would be a breaking change for any nfpm users that have adopted debsign.
While fixing the linting issues, I discovered some more problems with the template I'm using.
I have fixed the linting issue and added some more configs. All tests, linting etc. should now pass. I've also done some more reading and I am convinced that the other signing method will have to be kept. Debian/Apt seem to depend far more on signing the Release files in their repositories than they depend on signing packages themselves. Packages are usually only signed when distributed without a repository. Even in those cases, the big names like Microsoft seem not to bother with signing the package that is available for download. See https://code.visualstudio.com/ for an example.

Debian's package building depends pretty heavily on source packages, which have their own detached control file (called a .dsc file) which is signed. None of this is as yet supported by nfpm. I have seen another issue in this repository about supporting Debian source packages. The response seems to have been that you do not think that belongs within the purview of nfpm. I disagree with this. I think there is a way that we can reasonably support building source packages. I'll attempt a PR and submit one if it's possible. My source for most of the above:
I think it was rpm source packages... tbh I'm not sure where it belongs, or if we should implement it...
Thanks, adding some stuff on #515 if you wanna check it out
As mentioned here, debsign package verification is a PITA.
Herewith my proposal to implement dpkg-sig style package verification.
As mentioned in the original thread, debsign and dpkg-sig are mutually exclusive, but it would be nice to be able to choose between them.
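Added example in Go (the project's language), not code from this PR or from nfpm: a minimal parser for the ar container a .deb is built from, plus a check for the `_gpg<role>` members that dpkg-sig appends, which is what makes a dpkg-sig-signed package distinguishable on disk from one whose only signature lives in debsign's .changes/.dsc files. The sample archive is constructed in the code, and `parseDebMembers`, `dpkgSigRoles` and `buildSampleDeb` are names chosen for this example.

```go
package main
import (
	"bytes"
	"fmt"
	"strconv"
	"strings"
)

// parseDebMembers reads the ar(5) archive a .deb is built from: "!<arch>\n", then
// 60-byte headers (name 16, mtime 12, uid 6, gid 6, mode 8, size 10, "`\n") + bodies.
func parseDebMembers(b []byte) (map[string][]byte, error) {
	if !bytes.HasPrefix(b, []byte("!<arch>\n")) {
		return nil, fmt.Errorf("not an ar archive")
	}
	members := map[string][]byte{}
	for off := 8; off+60 <= len(b); {
		size, err := strconv.Atoi(strings.TrimSpace(string(b[off+48 : off+58])))
		if err != nil || size < 0 || off+60+size > len(b) || string(b[off+58:off+60]) != "`\n" {
			return nil, fmt.Errorf("corrupt member header at offset %d", off)
		}
		name := strings.TrimRight(string(b[off:off+16]), " /")
		members[name] = b[off+60 : off+60+size]
		off += 60 + size + size%2 // bodies are padded to an even offset
	}
	return members, nil
}
// dpkgSigRoles lists the signatures dpkg-sig embedded in the package: each one is
// an extra ar member named "_gpg<role>" (e.g. _gpgorigin). Empty means unsigned.
func dpkgSigRoles(members map[string][]byte) (roles []string) {
	for name := range members {
		if strings.HasPrefix(name, "_gpg") {
			roles = append(roles, strings.TrimPrefix(name, "_gpg"))
		}
	}
	return roles
}
// buildSampleDeb constructs a minimal fake .deb (test data, not a real package).
func buildSampleDeb(roles ...string) []byte {
	parts := [][2]string{{"debian-binary", "2.0\n"}, {"control.tar.gz", "ctrl"}, {"data.tar.gz", "data"}}
	for _, role := range roles {
		parts = append(parts, [2]string{"_gpg" + role, "-----BEGIN PGP SIGNATURE-----\nfake\n"})
	}
	var buf bytes.Buffer
	buf.WriteString("!<arch>\n")
	for _, m := range parts { // 60-byte header, then the body padded to an even length
		fmt.Fprintf(&buf, "%-16s%-12d%-6d%-6d%-8s%-10d`\n%s%s", m[0], 0, 0, 0, "100644",
			len(m[1]), m[1], strings.Repeat("\n", len(m[1])%2))
	}
	return buf.Bytes()
}
```

`dpkgSigRoles(members)` returning `["origin"]` for `buildSampleDeb("origin")` and nothing for `buildSampleDeb()` is the check a verifier would run before deciding which of the two (mutually exclusive) signing schemes to validate.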