Bug#843925: dpkg-dev: dpkg-buildpackage should sign buildinfo files

Ximin Luo infinity0 at debian.org
Thu Nov 10 18:49:03 UTC 2016


Package: dpkg-dev
Version: 1.18.13
Severity: important

Dear Maintainer,

We would like dpkg-buildpackage to clearsign the buildinfo files that are
created. This allows them to be uploaded to services similar to keyservers,
for auditing and attestation purposes, that may be run independently of the
FTP archive.

Furthermore, we would like user-side tools to download and perform other
security-related logic on the signed buildinfo files - e.g. being able to see
how many, and exactly who else, managed to *actually reproduce* the binaries
that one has installed.

Neither these services nor user-tools need to perform archive-related duties
or operations, and therefore would prefer to work directly with signed
buildinfo files, rather than with signed .changes files plus an unsigned
.buildinfo file (which is what the current situation would force).

For more discussion on the rationale and intent see here:

https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles#Signatures
https://wiki.debian.org/ReproducibleBuilds/BuildinfoInfrastructure

An analogy that might be helpful is X509 certificates. These are signed
attestations by a CA (the signer) that "(I believe) key K belongs to entity E".
Compare this with a signed buildinfo file, which is a signed attestation that
"I built binary X from [etc]".

I'm happy to write this patch myself. That will take a little bit more time - I
wanted to file this bug report early to check that you're not opposed to this
idea - and before too many other tools start assuming that buildinfo files are
unsigned. I think this should not be the case by default, just as you rarely
see an unsigned .dsc being distributed.

There would also be a -ub option added, along the same lines as -us and -uc.
Then debsign from devscripts will also need to be updated, and I'll be happy to
write the patch for this too.

X

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable'), (300, 'unstable'), (200, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dpkg-dev depends on:
ii  binutils      2.27-9+b1
ii  bzip2         1.0.6-8
ii  libdpkg-perl  1.18.13
ii  make          4.1-9
ii  patch         2.7.5-1
pn  perl:any      <none>
ii  tar           1.29b-1
ii  xz-utils      5.2.2-1.2

Versions of packages dpkg-dev recommends:
ii  build-essential          12.2
ii  clang-3.5 [c-compiler]   1:3.5.2-5
ii  fakeroot                 1.21-2
ii  gcc [c-compiler]         4:6.1.1-1
ii  gcc-6 [c-compiler]       6.2.0-10
ii  gnupg                    2.1.15-4
ii  gnupg2                   2.1.15-4
ii  gpgv                     2.1.15-4
ii  libalgorithm-merge-perl  0.08-3

Versions of packages dpkg-dev suggests:
ii  debian-keyring  2016.09.04

-- no debconf information
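The user-side check the report describes (seeing how many signers, and which ones, actually reproduced a given binary) sketched as an added example; this is not dpkg's code nor the reporter's. It assumes signatures were verified separately (e.g. with gpgv) and that the `.buildinfo` samples are constructed.

```python
"""Audit helper for signed .buildinfo files: unwrap the clearsigned text and report, per
binary, which signers produced an identical SHA256 (who actually reproduced it). Added
example, not dpkg's or the reporter's code; signatures are assumed verified (e.g. gpgv)."""
from collections import defaultdict

def unwrap_clearsigned(text):
    """Body of an OpenPGP clearsigned message (RFC 4880 s.7), dash-escaping undone."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text                         # not clearsigned: pass through
    i, body = 1, []
    while i < len(lines) and lines[i]:      # skip armor headers such as "Hash: SHA256"
        i += 1
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body)

def parse_buildinfo(text):
    """Minimal deb822 parser: {field: value}; continuation lines are joined with newlines."""
    fields, last = {}, None
    for line in unwrap_clearsigned(text).splitlines():
        if line[:1] in (" ", "\t") and last:  # continuation of the previous field
            fields[last] += "\n" + line.strip()
        elif line.strip():
            name, _, value = line.partition(":")
            last = name.strip()
            fields[last] = value.strip()
    return fields

def sha256_by_file(fields):
    """Checksums-Sha256 rows are '<sha256> <size> <filename>'."""
    rows = (r.split() for r in fields.get("Checksums-Sha256", "").splitlines())
    return {r[2]: r[0] for r in rows if len(r) == 3}

def reproducers(signed):
    """signed: {signer: buildinfo_text} -> {filename: {sha256: sorted signers}}."""
    table = defaultdict(lambda: defaultdict(list))
    for signer, text in signed.items():
        for fname, digest in sha256_by_file(parse_buildinfo(text)).items():
            table[fname][digest].append(signer)
    return {f: {d: sorted(s) for d, s in by.items()} for f, by in table.items()}

# Constructed samples: A and B agree on the .deb's hash, C built something different.
H1, H2 = "11" * 32, "22" * 32
_buildinfo = lambda h: "Source: hello\nVersion: 1.0-1\nChecksums-Sha256:\n %s 1234 hello_1.0-1_amd64.deb\n" % h
SAMPLES = {"A": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + _buildinfo(H1)
                + "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n",
           "B": _buildinfo(H1), "C": _buildinfo(H2)}
```

Running `reproducers(SAMPLES)` groups signers by the hash they attested for each binary, so a disagreeing builder (C here) stands out immediately.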