[Issue]: DEB Files Are Not Being Signed (Nor Are .changes Or .dsc Files) #14

Closed
1 task done
thegranddesign opened this issue Apr 11, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@thegranddesign

Please describe your bug

Currently the DEB file is failing verification. It's been a while but based on my install scripts that I used, I'm fairly certain that the DEB file used to verify. The issue is that the DEB file itself is not being signed.

The solution is to add a step to the build process that runs something like:

debsigs --sign=origin -k 49023CD01DE21A7B <jellyfin_deb_file>.deb

This will add a file to the DEB file that includes a signature.

It should also be straightforward to sign the .changes and .dsc files as well which would be useful for others. Although for my purposes I only really care about verifying the actual DEB that I'm going to install directly.

Reproduction Steps

  1. Install the public key to /usr/share/debsig/keyrings/49023CD01DE21A7B/debsig.gpg
  2. Install the debsig policy file to /etc/debsig/policies/49023CD01DE21A7B/debsig.pol
  3. Run debsig-verify ./<jellyfin_deb_file>.deb

Example debsig.pol file:

<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="https://www.debian.org/debsig/1.0/">
  <Origin Name="Jellyfin" id="49023CD01DE21A7B" Description="Jellyfin Media Server"/>
  <Selection>
    <Required Type="origin" File="debsig.gpg" id="49023CD01DE21A7B"/>
  </Selection>
  <Verification MinOptional="0">
    <Required Type="origin" File="debsig.gpg" id="49023CD01DE21A7B"/>
  </Verification>
</Policy>

Actual Behavior

Message stating:

Origin Signature check failed. This deb might not be signed.

Expected Behavior

I expect that there will be a message stating that the DEB file is valid.

Jellyfin Version

10.8.13

if other:

No response

Environment

- OS: Linux (Ubuntu)
- Linux Kernel: N/A
- Virtualization: N/A

Jellyfin logs

N/A

FFmpeg logs

No response

Please attach any browser or client logs here

No response

Please attach any screenshots here

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@thegranddesign thegranddesign added the bug Something isn't working label Apr 11, 2024
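
The "might not be signed" result reported above can be confirmed by looking inside the package: a .deb is an ar archive, and debsigs stores each signature as an extra member named `_gpg` plus the signature type (`_gpgorigin` for `--sign=origin`). The following is an added example, not part of the original issue or the Jellyfin project's code; the two sample archives are constructed placeholders, not real packages.

```python
import sys

AR_MAGIC = b"!<arch>\n"
HEADER_LEN = 60  # name 16, mtime 12, uid 6, gid 6, mode 8, size 10, end marker 2


def ar_members(blob):
    """Return [(name, data), ...] for each member of an ar archive (a .deb)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = [], len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + HEADER_LEN]
        if len(header) < HEADER_LEN or header[58:60] != b"`\n":
            raise ValueError(f"corrupt member header at offset {pos}")
        name = header[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        data = blob[pos + HEADER_LEN:pos + HEADER_LEN + size]
        if len(data) != size:
            raise ValueError(f"truncated member {name!r}")
        members.append((name, data))
        pos += HEADER_LEN + size + (size % 2)  # data is padded to an even length
    return members


def signature_types(blob):
    """Signature types embedded in the package, e.g. ['origin'] for _gpgorigin."""
    return [n[4:] for n, _ in ar_members(blob) if n.startswith("_gpg")]


def _member(name, data):
    # Helper for the constructed samples below: serialise one ar member.
    head = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}".encode()
    return head + b"`\n" + data + (b"\n" if len(data) % 2 else b"")


# Constructed sample archives (placeholder contents, not real packages).
UNSIGNED = (AR_MAGIC + _member("debian-binary", b"2.0\n")
            + _member("control.tar.xz", b"ctl") + _member("data.tar.xz", b"data"))
SIGNED = UNSIGNED + _member("_gpgorigin", b"constructed-signature-placeholder")

if __name__ == "__main__":
    samples = {"unsigned sample": UNSIGNED, "signed sample": SIGNED}
    for path in sys.argv[1:]:  # optionally inspect real .deb files
        with open(path, "rb") as fh:
            samples[path] = fh.read()
    for label, blob in samples.items():
        print(label, [n for n, _ in ar_members(blob)], signature_types(blob) or "NOT SIGNED")
```

A present `_gpgorigin` member only shows that a signature was embedded; whether it is valid for the expected key is still decided by `debsig-verify` against the installed policy and keyring.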
@jellyfin-bot

Hi, it seems like your issue report has the following item(s) that need to be addressed:

  • The format of the environment section has been altered from the template.

This is an automated message, currently under testing. Please file an issue here if you encounter any problems.

@felix920506
Member

Looks like issue with Packaging / CI
cc @joshuaboniface

@crobibero crobibero transferred this issue from jellyfin/jellyfin Apr 11, 2024
@joshuaboniface
Member

We've never signed our .deb files in the past as far as I'm aware.

It's certainly something we can start doing though. I'll look into it.

@joshuaboniface
Member

Implemented!

@thegranddesign
Author

My monthly donations put to good use! ❤️ Thank you so much!!
