Signed upstream tarballs in Debian

In the past, numerous file distribution servers were attacked and the attacker replaced a release tarball/zip with a modified version that included a backdoor. Distributions usually use some kind of signature to protect their own infrastructure against such an attack, but this doesn't cover the initial retrieval of the source code from upstream (usually done through the tarballs).

In the near future Debian/Ubuntu/... will get support in uscan to check a tarball's .asc signature automatically against a predefined set of public keys stored in the .debian.tar.gz. It also looks like some people in Arch Linux are interested in this problem, and opensuse-factory has even defined some steps for how the keyring of upstream keys should be created.

Upstream would have to provide a detached, armored signature next to the tarball. Many projects already distribute something like this, but not all of them.

Such a signature can easily be generated using GnuPG:

gpg --detach-sign --armor mupen64plus-core-src-2.0.tar.gz

Of course, this doesn't help against replay attacks (the attacker replaces a new version's tarball and signature with an older version that includes a security hole). But this can usually be detected by the packager when checking the upstream changelog and version number.

The integration into a Debian package is relatively straightforward. A keyring has to be defined and the debian/watch file has to be changed to include a rewrite rule to find the tarball signatures. The keyring will be stored in debian/upstream/signing-key.asc.

The next step is to create this file. I will use the batctl package as an example because upstream has released tarballs with signature files for a long time and I was able to check the key used for the releases on multiple occasions. I've decided to include only the minimal set of information from the key which is necessary to check the signatures. Encryption keys, user signatures and multiple UIDs just make the file unnecessarily large.

$ mkdir --mode=0700 -p gpg.tmp
$ gpg --homedir gpg.tmp \
  --keyserver keyserver.ubuntu.com \
  --no-sig-cache \
  --import-options import-minimal \
  --recv-keys AF383F7C593B6B16
$ gpg --homedir gpg.tmp \
  --keyserver keyserver.ubuntu.com \
  --no-sig-cache \
  --edit-key AF383F7C593B6B16
# at the gpg> prompt: select and delete the encryption subkey,
# then each extra UID, and save the remaining minimal key
# key 1
# delkey
# uid 2
# deluid
# ...
# save
$ gpg --homedir gpg.tmp \
  --no-sig-cache --export --armor \
  > debian/upstream/signing-key.asc
$ rm -rf gpg.tmp

The debian/watch file is relatively easy. Only a pgpsigurlmangle rule has to be added. The signature files for batctl are stored as .asc in the same directory on the download server as the release tarballs. Therefore, the rule only has to append .asc to the original tarball URL.

version=3
opts="uversionmangle=s/-(alpha|beta|rc)/~$1/,pgpsigurlmangle=s/$/.asc/" \
 https://downloads.open-mesh.org/batman/stable/sources/batctl/batctl-(.*).tar.gz
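To show what the two mangle rules actually do to a URL and a version string, here is a small Python script I've added as an illustration (it is not part of uscan or the batctl package): it reads the watch file above, derives the .asc signature URL with pgpsigurlmangle and applies uversionmangle to a constructed pre-release version. It only handles the simple opts="..." form used here, not the full watch file syntax.

```python
import re

# Constructed copy of the batctl debian/watch file shown above.
WATCH = r'''version=3
opts="uversionmangle=s/-(alpha|beta|rc)/~$1/,pgpsigurlmangle=s/$/.asc/" \
 https://downloads.open-mesh.org/batman/stable/sources/batctl/batctl-(.*).tar.gz
'''


def parse_watch(text):
    """Return (opts dict, url regex) from a single-entry version=3 watch file."""
    joined = text.replace("\\\n", " ")  # join backslash-continued lines
    entries = [l for l in joined.splitlines()
               if l.strip() and not l.startswith("version=")]
    # Simplified: only opts="k=v,k=v" followed by the URL regex is supported.
    m = re.match(r'opts="([^"]*)"\s+(\S+)', entries[0].strip())
    opts = dict(o.split("=", 1) for o in m.group(1).split(","))
    return opts, m.group(2)


def apply_mangle(rule, value):
    """Apply a Perl-style s/pattern/replacement/ rule, as uscan's *mangle options are."""
    m = re.fullmatch(r"s(.)(.*?)\1(.*?)\1[gi]*", rule)
    if not m:
        raise ValueError(f"unsupported mangle rule: {rule}")
    pattern, repl = m.group(2), m.group(3)
    repl = re.sub(r"\$(\d+)", r"\\\1", repl)  # Perl $1 -> Python \1
    return re.sub(pattern, repl, value, count=1)


def upstream_version(url_regex, url):
    """Version captured by the watch file's (.*) group, or None if no match."""
    m = re.fullmatch(url_regex, url)
    return m.group(1) if m else None


def signature_url(opts, tarball_url):
    """URL from which uscan fetches the detached signature for this tarball."""
    return apply_mangle(opts["pgpsigurlmangle"], tarball_url)


def debian_version(opts, uversion):
    """Upstream version after uversionmangle, e.g. 1.0-rc1 -> 1.0~rc1."""
    return apply_mangle(opts["uversionmangle"], uversion)


if __name__ == "__main__":
    opts, regex = parse_watch(WATCH)
    url = ("https://downloads.open-mesh.org/batman/stable/sources/"
           "batctl/batctl-2013.2.0.tar.gz")
    print(upstream_version(regex, url), signature_url(opts, url))
    print(debian_version(opts, "2014.0.0-rc1"))  # constructed pre-release version
```

The ~ produced by uversionmangle sorts before the final release in Debian version ordering, which is why the rule exists.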

Now uscan will automatically check the signature on the next download of a new upstream release. So, no more wondering whether I forgot to check it when preparing a Debian revision.

batctl: Newer version (2013.2.0) available on remote site:
  https://downloads.open-mesh.org/batman/stable/sources/batctl/batctl-2013.2.0.tar.gz
  (local version is 2013.1.0)
gpgv: Signature made Sat 20 Apr 2013 05:32:04 PM CEST using DSA key ID 593B6B16
gpgv: Good signature from "Simon Wunderlich <sw@simonwunderlich.de>"
batctl: Successfully downloaded updated package batctl-2013.2.0.tar.gz
    and symlinked batctl_2013.2.0.orig.tar.gz to it