docs/Building on Debian.md · e3807801e61b9012ea2e0677a60c2bf72c0e4972 · GitLab / omnibus

Add Debian (.deb) package signing (implementing debsig) · a02a2c95
Jason Plum authored Sep 27, 2017
See:

- https://gitlab.com/gitlab-org/omnibus/merge_requests/7
- https://github.com/chef/omnibus/issues/402

Add Debian package signing, via methodology describe in `debsigs` documentation
https://gitlab.com/debsigs/debsigs

Addition of a `sign_deb_file` function to `Packager::DEB`, after `create_deb_file`. The essential concepts of what is required to sign a `.deb` with with a `type: origin` signature is delineated per the link to `debsigs` above. There is no current functionailty built into `dpkg` scripting akin to `rpm --addsign`. Since the `.deb` file format is simple, we extract the contents of the archvice (`ar x`), sign the concatenated (specifically ordered) contents, and then append the created signature to the archive (`ar rc debfile _gpgorigin`).

These steps could have been accomplished in pure Ruby with the addition of several modules (GPGME, libarchive) except for two concerns: age & maintenance, `fakeroot` requirements.

Tests have been added to attempt to cover the behavior correctly.

- `gpg` : This is already an existing requirement of `Packager::RPM` due to the use of `rpmsign`
- `ar` : Most systems that attempt to build Debian packages will have the `ar` command, and it has been confirmed that MacOS also has this utility.
- `fakeroot` : This is inline with `ar`, however it should be noted that not all systems had this program, and as such it has been added to the Omnibus cookbook.

Adding `ar` and `fakeroot` to the required tools compiled by Omnibus for ensuring this presence was done by @kwilczynski in #217

There is *no need* to add `debsigs`/`debsig-verify` as a requirement, as we are implmenting the login in Ruby and `Shellout`.

Care was taken to ensure compatibility with distribution provided binary versions of `gpg2` or `gpg` for LTS versions of distributions supported by GitLab. This list can be seen at https://gitlab.com/gitlab-org/omnibus/merge_requests/7#note_35053215 . The code is written to prefer `gpg2` if present.

GitLab experienced issues in regards to `gpg --import`, and eventually settled on `gpg --batch --no-tty --allow-secret-key-import --import` as a part of our CI job. So long as the key is present for the GPG calls (via `--homedir #{ENV['HOME']}/.gnupg`) this should not be an issue for any non-automated use. Note that this behavior is the same with RPM signing behaviors. As the GPG key import process is not a part of Omnibus itself, this should be of little concern to this code changes in this MR.

Relates to https://gitlab.com/gitlab-org/omnibus-gitlab/issues/2537
Relates to https://github.com/chef-cookbooks/omnibus/pull/217
Closes https://github.com/chef/omnibus/issues/402



Submitted with the approval of GitLab, and with great thanks for the project!

Signed-off-by: Jason Plum <jplum@gitlab.com>
a02a2c95