End-to-end signed debs: debsign, debsig and dpkg-sig

I have been refreshing my knowledge on debsign, debsig and dpkg-sig.

debsig and dpkg-sig make the package non-deterministic, since they embed the signatures into the package itself. (And most packages on packages.debian.org are not signed with debsig or dpkg-sig either.) So they are not useful in the context of Whonix.

debsign doesn’t bring more security in the context of Whonix either. It is useful for securing the communication between package maintainers and (Debian) build servers. Since Whonix uses no build servers, using debsign would only silence a dpkg-source warning.

Whonix already provides end-to-end package integrity by signing apt repository metadata.

Debian does not yet verify packages end-to-end, from the maintainer’s package signature to dpkg installation on the user’s system. (https://wiki.debian.org/UntrustedDebs#End-to-end_signatures_with_TOFU)

Therefore, warnings during the Whonix build process such as:

dpkg-source: warning: extracting unsigned source package

dpkg-source: warning: extracting unsigned source package (anon-gw-anonymizer-config_5.0-1.dsc)

can be safely ignored.
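The non-determinism point about debsig and dpkg-sig, as an added example that is not part of the original post and not code from Whonix or Debian: a .deb is an ar archive, and the signing tools append extra members named `_gpgbuilder`, `_gpgorigin` or `_gpgmaint` to it. The script below parses the ar container, reports any embedded signature members, and shows that the archive's hash changes once one is present. The sample archives are constructed in memory with placeholder tar payloads and a placeholder signature body, so this runs offline; the `ar_pack` helper normalises member metadata (mtime 0, uid/gid 0, mode 100644), which is an assumption of this example, not dpkg-deb's own behaviour.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"
HEADER_LEN = 60


def ar_pack(members):
    """Build an ar archive (the container format of a .deb) from (name, payload) pairs.
    Fixed metadata (mtime 0, uid/gid 0, mode 100644) keeps the output deterministic."""
    out = bytearray(AR_MAGIC)
    for name, payload in members:
        header = (
            f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(payload):<10}"
        ).encode("ascii") + b"`\n"
        assert len(header) == HEADER_LEN
        out += header + payload
        if len(payload) % 2:  # ar pads every member to an even offset
            out += b"\n"
    return bytes(out)


def ar_members(blob):
    """Yield (name, payload) for each member; accepts dpkg-deb and GNU ar name styles."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + HEADER_LEN]
        if len(header) < HEADER_LEN or header[58:] != b"`\n":
            raise ValueError("truncated or malformed ar header at offset %d" % pos)
        name = header[:16].decode("ascii").rstrip()
        if name.endswith("/"):  # GNU ar terminates member names with '/'
            name = name[:-1]
        size = int(header[48:58].decode("ascii").strip())
        start = pos + HEADER_LEN
        yield name, blob[start:start + size]
        pos = start + size + (size % 2)


def embedded_signature_members(deb):
    """Names of dpkg-sig / debsigs signature members (_gpgbuilder, _gpgorigin, _gpgmaint)."""
    return [name for name, _ in ar_members(deb) if name.startswith("_gpg")]


def strip_embedded_signatures(deb):
    """Re-pack the archive without _gpg* members (metadata normalised, see ar_pack)."""
    return ar_pack([(n, p) for n, p in ar_members(deb) if not n.startswith("_gpg")])


def package_digest(deb):
    """SHA-256 of the whole .deb, i.e. the value a Packages index would carry."""
    return hashlib.sha256(deb).hexdigest()


# Constructed sample archives: the tar payloads and the signature body are placeholders,
# not real dpkg control/data tarballs and not a real OpenPGP signature.
CLEAN_DEB = ar_pack([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", b"constructed control placeholder"),
    ("data.tar.xz", b"constructed data placeholder\n"),
])
SIGNATURE_PLACEHOLDER = (
    b"-----BEGIN PGP SIGNATURE-----\nconstructed placeholder\n-----END PGP SIGNATURE-----\n"
)
# dpkg-sig appends its member at the end of the archive; emulate that by appending one.
SIGNED_DEB = CLEAN_DEB + ar_pack([("_gpgbuilder", SIGNATURE_PLACEHOLDER)])[len(AR_MAGIC):]


if __name__ == "__main__":
    for label, deb in (("clean", CLEAN_DEB), ("signed", SIGNED_DEB)):
        print(label, package_digest(deb)[:16], embedded_signature_members(deb))
```

Running the script shows that the two archives carry the same control and data members but different SHA-256 digests, which is exactly why an embedded signature breaks a deterministic build: the artefact that reaches the repository is no longer the artefact that was built.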
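The point that signed apt repository metadata already gives end-to-end package integrity, as an added example that is not part of the original post and not code from Whonix, Debian or apt: the signed Release file carries the SHA-256 of each Packages index, and each Packages stanza carries the SHA-256 of its .deb, so integrity flows from one OpenPGP signature down to every package. The script below checks that hash chain over constructed Release and Packages data and a placeholder .deb byte string; the OpenPGP verification of the Release file itself (what apt does with gpgv against its keyring) is assumed to have passed before this check runs and is not performed here.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_hashes(release_text: str) -> dict:
    """Return {path: (sha256, size)} from the SHA256 section of a Release/InRelease file."""
    hashes = {}
    in_sha256 = False
    for line in release_text.splitlines():
        if not line.startswith(" "):  # a new top-level field ends the SHA256 list
            in_sha256 = line.startswith("SHA256:")
            continue
        if in_sha256:
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes


def parse_packages(packages_text: str) -> list:
    """Split a Packages index into stanzas (dicts of field -> value)."""
    stanzas, current = [], {}
    for line in packages_text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def verify_chain(release_text, index_path, packages_bytes, deb_filename, deb_bytes) -> bool:
    """Release -> Packages -> .deb. Assumes the Release signature was already verified."""
    expected = parse_release_hashes(release_text).get(index_path)
    if expected is None:
        return False  # index not listed in the signed metadata
    digest, size = expected
    if len(packages_bytes) != size or sha256_hex(packages_bytes) != digest:
        return False  # index was tampered with or does not belong to this Release
    for stanza in parse_packages(packages_bytes.decode()):
        if stanza.get("Filename") == deb_filename:
            return (int(stanza["Size"]) == len(deb_bytes)
                    and stanza["SHA256"] == sha256_hex(deb_bytes))
    return False  # package not listed in the verified index


# Constructed sample data: the .deb is a placeholder byte string, not a real package.
DEB = b"!<arch>\nconstructed placeholder deb bytes\n"
DEB_FILENAME = "pool/main/e/example-pkg/example-pkg_1.0-1_all.deb"
PACKAGES = (
    "Package: example-pkg\n"
    "Version: 1.0-1\n"
    "Architecture: all\n"
    f"Filename: {DEB_FILENAME}\n"
    f"Size: {len(DEB)}\n"
    f"SHA256: {sha256_hex(DEB)}\n"
).encode()
INDEX_PATH = "main/binary-all/Packages"
RELEASE = (
    "Origin: Example\n"
    "Suite: stable\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES)} {len(PACKAGES)} {INDEX_PATH}\n"
)


if __name__ == "__main__":
    print("genuine:", verify_chain(RELEASE, INDEX_PATH, PACKAGES, DEB_FILENAME, DEB))
    print("tampered:", verify_chain(RELEASE, INDEX_PATH, PACKAGES, DEB_FILENAME, DEB + b"x"))
```

A modified .deb, a modified Packages index, or a package that is simply absent from the index all fail the chain, which is why a per-package signature adds nothing for a repository whose metadata is already signed and checked this way.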
