
I provide my own download repository for Ubuntu DEB packages. It comes with a directory structure in the style of https://mydomain.tld/download/Ubuntu/dists/bionic/main/binary-amd64/

The directory contains the DEB archives as well as the Packages.gz, which is created by calling

dpkg-scanpackages dists/bionic/main/binary-amd64/ /dev/null|gzip -9c >dists/bionic/main/binary-amd64/Packages.gz

The packages themselves are all signed with

dpkg-sig --sign builder mypackage.deb

Signing and creation of the Packages.gz work properly. Nevertheless, the packages are not really secure and verified; the link between the signature in the DEB package and the download is missing.

So my question: what do I have to do (on the server side?) to not only have signed packages but to give users that install packages via "apt-get" or "synaptic" the verification that the packages are original and not changed by a third party?

Thanks!

Elmi

1 Answer


You may provide a shell script which registers a key. See http://rpms.litespeedtech.com/debian enable_lst_debain_repo.sh for example.

alecxs
  • Not sure if this is the solution - where is the key I signed the packages with transferred to the server? Where/how is it configured to use that key? – Elmi Apr 09 '19 at 17:34
  • Not sure if I understand the question. Do you have control over content server-side? Then it should be enough when the URL is trusted, not the packages? – alecxs Apr 09 '19 at 17:41
  • Yes, the question is about the server side! – Elmi Apr 11 '19 at 15:41
  • So how can a package be changed by a third party, when you are the one having control server-side? – alecxs Apr 11 '19 at 18:46
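apt never checks dpkg-sig signatures inside a .deb; what it verifies is a signed Release file (InRelease/Release.gpg) whose hashes cover Packages.gz, which in turn lists the hash of every .deb, and that is the missing link the question describes. The script below is an added example, not code from the question or the answer; it assumes the layout from the question (REPO/dists/bionic/main/binary-amd64/Packages.gz), a GnuPG key named "builder" in the server's keyring, and the repository name mydomain.tld.

```shell
#!/bin/sh
# Added example: build dists/SUITE/Release and sign it so apt can verify the
# chain Release signature -> Packages.gz hash -> .deb hash. Assumed key id
# "builder" and assumed origin name "mydomain.tld" as in the question.
set -eu

sha256_of() {  # portable SHA-256 of one file (GNU sha256sum or BSD shasum)
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# make_release REPO SUITE ARCH: writes REPO/dists/SUITE/Release with the
# size and SHA256 of each index file; paths are relative to dists/SUITE/,
# which is how apt looks them up. SHA256 is used; MD5Sum alone is rejected.
make_release() {
    repo=$1; suite=$2; arch=$3
    dist="$repo/dists/$suite"
    {
        echo "Origin: mydomain.tld"
        echo "Label: mydomain.tld"
        echo "Suite: $suite"
        echo "Codename: $suite"
        echo "Architectures: $arch"
        echo "Components: main"
        echo "Date: $(date -u '+%a, %d %b %Y %H:%M:%S UTC')"
        echo "SHA256:"
        for name in Packages Packages.gz; do
            rel="main/binary-$arch/$name"; f="$dist/$rel"
            [ -f "$f" ] || continue
            printf ' %s %16s %s\n' "$(sha256_of "$f")" "$(wc -c < "$f" | tr -d ' ')" "$rel"
        done
    } > "$dist/Release"
}

# sign_release REPO SUITE KEYID: InRelease (clearsigned) is what current apt
# fetches first; Release.gpg (detached) serves older clients. Same content.
sign_release() {
    dist="$1/dists/$2"
    gpg --batch --yes --local-user "$3" --digest-algo SHA256 --clearsign -o "$dist/InRelease" "$dist/Release"
    gpg --batch --yes --local-user "$3" --digest-algo SHA256 -abs -o "$dist/Release.gpg" "$dist/Release"
}

# export_pubkey REPO KEYID: the public key users install as a keyring file.
export_pubkey() {
    gpg --batch --yes --export "$2" > "$1/mydomain-archive-keyring.gpg"
}

# Run on the server after dpkg-scanpackages:  sh repo-sign.sh run /var/www/download/Ubuntu
if [ "${1:-}" = "run" ]; then
    make_release "$2" bionic amd64
    sign_release "$2" bionic builder
    export_pubkey "$2" builder
fi
```

On the client, the exported keyring goes into /usr/share/keyrings/ and the source line becomes `deb [signed-by=/usr/share/keyrings/mydomain-archive-keyring.gpg] https://mydomain.tld/download/Ubuntu bionic main`, after which apt refuses any Packages.gz or .deb whose hash does not match the signed Release.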