[Issue]: DEB Files Are Not Being Signed (Nor Are .changes Or .dsc Files)

Question

[Issue]: DEB Files Are Not Being Signed (Nor Are .changes Or .dsc Files)

thegranddesign opened this issue 9 months ago · 5 comments

Please describe your bug

Currently the DEB file is failing verification. It's been a while but based on my install scripts that I used, I'm fairly certain that the DEB file used to verify. The issue is that the DEB file itself is not being signed.

The solution is to add a step to the build process that runs something like:

debsigs --sign=origin -k 49023CD01DE21A7B <jellyfin_deb_file>.deb

This will add a file to the DEB file that includes a signature.

It should also be straightforward to sign the .changes and .dsc files as well which would be useful for others. Although for my purposes I only really care about verifying the actual DEB that I'm going to install directly.

Reproduction Steps

Install the public key to /usr/share/debsig/keyrings/49023CD01DE21A7B/debsig.gpg
Install the debsig policy file to /etc/debsig/policies/49023CD01DE21A7B/debsig.pol
Run debsig-verify ./<jellyfin_deb_file>.deb

Example debsig.pol file:

<?xml version="1.0"?>
<!DOCTYPE Policy SYSTEM "https://www.debian.org/debsig/1.0/policy.dtd">
<Policy xmlns="https://www.debian.org/debsig/1.0/">
  <Origin Name="Jellyfin" id="49023CD01DE21A7B" Description="Jellyfin Media Server"/>
    <Selection>
      <Required Type="origin" File="debsig.gpg" id="49023CD01DE21A7B"/>
    </Selection>
    <Verification MinOptional="0">
      <Required Type="origin" File="debsig.gpg" id="49023CD01DE21A7B"/>
    </Verification>
</Policy>

Actual Behavior

Message stating:

Origin Signature check failed. This deb might not be signed.

Expected Behavior

I expect that there will be a message stating that the DEB file is valid.

Jellyfin Version

10.8.13

if other:

No response

Environment

- OS: Linux (Ubuntu)
- Linux Kernel: N/A
- Virtualization: N/A

Jellyfin logs

N/A

FFmpeg logs

No response

Please attach any browser or client logs here

No response

Please attach any screenshots here

No response

Code of Conduct

I agree to follow this project's Code of Conduct

Answer 1 · 2024-04-11T05:04:03.000Z

Hi, it seems like your issue report has the following item(s) that need to be addressed:

The format of the environment section has been altered from the template.

This is an automated message, currently under testing. Please file an issue here if you encounter any problems.

Answer 2 · 2024-04-11T05:07:07.000Z

Looks like issue with Packaging / CI
cc @joshuaboniface

Answer 3 · 2024-04-19T06:32:21.000Z

We've never signed our .deb files in the past as far as I'm aware.

It's certainly something we can start doing though. I'll look into it.

Answer 4 · 2024-05-01T19:56:26.000Z

Implemented!

Answer 5 · 2024-05-02T03:06:26.000Z

My monthly donations put to good use! ❤️ Thank you so much!!