I have been refreshing my knowledge on debsign, debsig and dpkg-sig.
debsig and dpkg-sig make the package non-deterministic, since they embed the signatures into the package itself. (And most packages on packages.debian.org are not signed with debsig or dpkg-sig either.) So they are not useful in the context of Whonix.
- security - How is the authenticity of Debian packages guaranteed? - Unix & Linux Stack Exchange
- HOWTO: GPG sign and verify deb packages and APT repositories | Packagecloud Blog
- UntrustedDebs - Debian Wiki
debsign doesn't bring more security in the context of Whonix either. It is useful for securing the communication between package maintainers and the (Debian) build servers. Since Whonix uses no build servers, using debsign would only silence a dpkg-source warning.
Whonix already provides end-to-end package integrity by signing apt repository metadata.
Debian does not yet verify packages end-to-end, from the maintainer's package signature through to dpkg installation on users' systems. ( UntrustedDebs - Debian Wiki )
Therefore, when building Whonix from source code, warnings during the Whonix build process such as:
dpkg-source: warning: extracting unsigned source package
dpkg-source: warning: extracting unsigned source package (anon-gw-anonymizer-config_5.0-1.dsc)
can be safely ignored.
This is because the Debian source package (a technical term in Debian packaging) for packages by Whonix is created from the local git repository only. No files from remote locations are involved except the git repository itself, which gets verified when following the usual instructions for building Whonix from source code.
- The user downloads Whonix source code including all Whonix package source code from git.
- The user verifies all of Whonix source code from git.
- The Whonix build script builds all Whonix packages using genmkfile.
- Building a Debian package requires an upstream archive (also called upstream tarball) as well as a Debian archive (also called Debian tarball).
- genmkfile creates all the archives and files required for the creation of a Debian .deb package from the local git repository only. genmkfile runs cowbuilder, which results in running dpkg-source to extract the Debian source package inside a clean chroot. At that point dpkg-source notices that the .dsc file of the Debian source package is not signed.
While checking the signature makes sense for Debian's upstream build servers, it makes no sense when building packages locally from files that were already verified locally. Signing the .dsc would require the user to needlessly (auto-)generate a signing key that would be used for nothing but silencing a non-applicable warning.
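Added example, not part of the original post and not code from Whonix or Debian: a small Python checker that makes the two halves of the above concrete. The .dsc of a Debian source package is a deb822-style control file whose Checksums-Sha256 field lists the upstream and Debian tarballs with their sizes and SHA-256 hashes; dpkg-source prints "extracting unsigned source package" exactly when that .dsc is not an OpenPGP clearsigned message. The hashes are what tie the .dsc to the tarballs; a signature (when present) would only tie the .dsc to a key, which is what a build server needs and a local build from a verified git checkout does not. An apt repository's Release/InRelease file uses the same field syntax (its "SHA256:" field lists the Packages indexes), so the same parser can be pointed at that field. Assumptions: the package name and version are taken from the .dsc name quoted above, the tarball contents are constructed placeholder bytes (not real archives), and the clearsigned variant carries a placeholder, not a real, signature. Signature verification itself is left to gpg/gpgv and is not done here.

```python
"""Minimal .dsc / Release hash checker (added example, not Whonix or Debian code)."""
import hashlib
import os
import tempfile

PGP_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG = "-----BEGIN PGP SIGNATURE-----"


def is_clearsigned(text):
    """True if the control file carries an inline OpenPGP signature
    (the condition dpkg-source checks before warning)."""
    return text.lstrip().startswith(PGP_SIGNED)


def strip_clearsign(text):
    """Return the signed payload of a clearsigned file, or the text unchanged if
    it is not clearsigned. Armor headers ("Hash: SHA256") end at the first blank
    line; lines beginning with "- " are dash-escaped (RFC 4880, section 7.1)."""
    if not is_clearsigned(text):
        return text
    lines = text.lstrip().splitlines()
    i = 1
    while i < len(lines) and lines[i].strip():
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line.startswith(PGP_SIG):
            break
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body) + "\n"


def parse_deb822(text):
    """Parse the first stanza of a deb822-style control file into a dict.
    Continuation lines (leading whitespace) are joined with newlines."""
    fields = {}
    current = None
    for line in strip_clearsign(text).splitlines():
        if not line.strip():
            if fields:
                break
            continue
        if line[0] in " \t":
            fields[current] += "\n" + line.strip()
        else:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = value.strip()
    return fields


def verify_hashes(fields, field, directory):
    """Check every '<sha256> <size> <name>' entry of `field` (Checksums-Sha256
    in a .dsc, SHA256 in a Release file) against files in `directory`.
    Returns (all_ok, {name: status})."""
    results = {}
    for entry in fields.get(field, "").splitlines():
        parts = entry.split()
        if len(parts) != 3:
            continue
        digest, size, name = parts[0], int(parts[1]), parts[2]
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        with open(path, "rb") as f:
            data = f.read()
        if len(data) != size:
            results[name] = "size mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            results[name] = "hash mismatch"
        else:
            results[name] = "ok"
    return bool(results) and all(s == "ok" for s in results.values()), results


def make_dsc(directory, files):
    """Write constructed stand-in tarballs and return an unsigned .dsc text for
    them, with hashes computed from the bytes actually written."""
    lines = []
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
        lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
    return ("Format: 3.0 (quilt)\nSource: anon-gw-anonymizer-config\n"
            "Version: 5.0-1\nChecksums-Sha256:\n" + "\n".join(lines) + "\n")


def demo():
    """Constructed scenario: an unsigned .dsc as a local build produces it, the
    same .dsc in clearsign armor with a placeholder (not real) signature, and a
    tarball tampered with after the .dsc was written. Returns the observations."""
    debian_tar = "anon-gw-anonymizer-config_5.0-1.debian.tar.xz"
    with tempfile.TemporaryDirectory() as d:
        files = {
            "anon-gw-anonymizer-config_5.0.orig.tar.gz": b"constructed upstream archive\n",
            debian_tar: b"constructed debian archive\n",
        }
        unsigned = make_dsc(d, files)
        signed = (PGP_SIGNED + "\nHash: SHA256\n\n" + unsigned + PGP_SIG +
                  "\n...placeholder, not a real signature...\n-----END PGP SIGNATURE-----\n")
        ok_before, _ = verify_hashes(parse_deb822(unsigned), "Checksums-Sha256", d)
        with open(os.path.join(d, debian_tar), "ab") as f:
            f.write(b"x")  # tamper after the .dsc was generated
        ok_after, detail = verify_hashes(parse_deb822(signed), "Checksums-Sha256", d)
        return {
            "unsigned_is_clearsigned": is_clearsigned(unsigned),
            "signed_is_clearsigned": is_clearsigned(signed),
            "same_fields": parse_deb822(signed) == parse_deb822(unsigned),
            "hashes_ok_before_tamper": ok_before,
            "hashes_ok_after_tamper": ok_after,
            "tamper_status": detail[debian_tar],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows that the signed and unsigned .dsc parse to identical fields and that the hash check, not the signature, is what catches the tampered tarball; the warning dpkg-source prints is about the missing clearsign armor only.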