Package Signature Validation

Instructions for how to check our package signatures.

The problem with package signatures#

Debian and derivatives (including Ubuntu) do a poor job (read: none) at checking the signatures of the packages themselves. SecureApt is only signing the repository manifest and the repository manifest contains hashes for all of the packages which are part of a release.

Nonetheles, we sign all of the packages which we include in our repository using dpkg-sig. So, for the paranoids out there (which is factory settings for seasoned security professionals), there’s a digital signature to indicate that the package build happened under our control.

Import key in user’s keyring#

dpkg-sig is unable to check the signature against a non-standard keyring i.e --gpgoptions doesn’t work in conjuction with --verify. Therefore a user’s keyring must be used. Note that this user doesn’t need to be privileged or have sudo access.

# from keybase
curl 'https://keybase.io/mrstaker/pgp_keys.asc?fingerprint=C8FF9465DC43E057F5D592EEC190D4B4328516A1' | gpg --import

# the public key for C8FF9465DC43E057F5D592EEC190D4B4328516A1
# is also available as PEM-format export
# you must install staker-repo for this though
gpg --import /etc/staker-repo/release-signing-key-2023.gpg.pem

Check package signature#

curl -LO https://deb.staker.ltd/pool/main/s/staker-repo/staker-repo_23.04.01_amd64.deb
dpkg-sig --verify staker-repo_23.04.01_amd64.deb
Processing staker-repo_23.04.01_amd64.deb...
GOODSIG _gpgbuilder C8FF9465DC43E057F5D592EEC190D4B4328516A1 1681169439

The output of the dpkg-sig --verfiy is structured as follows:

• GOODSIG - indicates the obvious.
• _gpgbuilder - signed by the builder role (i.e subtract the _gpg prefix).
• C8FF9465DC43E057F5D592EEC190D4B4328516A1 - the signing key fingerprint.
• 1681169439 - signature timestamp (UNIX time).