Issue
I know that I can download Debian package source files to the current directory with this:
$ apt-get source tree
...
$ ls -lahn
total 88K
drwx------ 3 10335 11111 4,0K Apr 29 15:24 .
drwxrwxrwt 16 0 0 20K Apr 29 16:39 ..
drwxr-xr-x 5 10335 11111 4,0K Apr 29 15:24 tree-1.7.0
-rw-r--r-- 1 10335 11111 5,9K Oct 25 2014 tree_1.7.0-3.debian.tar.xz
-rw-r--r-- 1 10335 11111 1,8K Oct 25 2014 tree_1.7.0-3.dsc
-rw-r--r-- 1 10335 11111 46K Apr 27 2014 tree_1.7.0.orig.tar.gz
I also know that the *.dsc file (usually) bears a signature that I can inspect:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 3.0 (quilt)
Source: tree
Binary: tree
Architecture: any
Version: 1.7.0-3
Maintainer: Florian Ernst <[email protected]>
Homepage: http://mama.indstate.edu/users/ice/tree/
Standards-Version: 3.9.5
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/tree.git
Vcs-Git: git://anonscm.debian.org/collab-maint/tree.git
Build-Depends: debhelper (>= 8), dpkg-dev (>= 1.16.1~)
Package-List:
tree deb utils optional arch=any
Checksums-Sha1:
35bd212606e6c5d60f4d5062f4a59bb7b7b25949 47082 tree_1.7.0.orig.tar.gz
d9c3f9d6882e6a26f2428db6528de2a1c9a620da 5944 tree_1.7.0-3.debian.tar.xz
Checksums-Sha256:
6957c20e82561ac4231638996e74f4cfa4e6faabc5a2f511f0b4e3940e8f7b12 47082 tree_1.7.0.orig.tar.gz
1af303c6b9fc640c8346a6c21f45fa6275e7fa7df9f6656af16b504a1a261732 5944 tree_1.7.0-3.debian.tar.xz
Files:
abe3e03e469c542d8e157cdd93f4d8a6 47082 tree_1.7.0.orig.tar.gz
1bf74f9218c1b300de1246043b421173 5944 tree_1.7.0-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
...
-----END PGP SIGNATURE-----
I know that package maintainers can debsign the *.dsc and/or *.changes file that is produced during the package build process.
Where, then, is the *.changes file? How do I download the *.changes file for a given Debian package? Why does apt-get source download the *.dsc file but not the *.changes file?
References:
- https://manpages.debian.org/stretch/devscripts/debsign.1.en.html
- https://blog.packagecloud.io/eng/2014/10/28/howto-gpg-sign-verify-deb-packages-apt-repositories/
- https://www.debian.org/doc/manuals/maint-guide/build.en.html
Solution
The .changes files are the manifest the "maintainer" prepares for the upload; it is indeed signed, and the archive software accepting that upload needs to trust that maintainer. But then the trust is transferred to the archive. The maintainer could have resigned, could have had their OpenPGP key expired or revoked, they could have been expelled, etc. The archive makes sure to sign the Sources and Packages repository meta-indices, takes care of key rotation, expiration, etc.
The trust anchor is thus from maintainer to archive, then transferred to the archive, so that it can then be from archive to user. If you don't trust an archive you should simply not even attempt to download artifacts from it, as it could inject anything there, including doing replay attacks on packages properly signed by the maintainer, but obsolete and with known security holes, f.ex.
That's the main reason why apt does enforce signature verification on the Sources meta-indices before downloading a .dsc, but then dpkg-source only has opportunistic (and non-fatal) verification for the .dsc signatures.
If for some reason you'd still want to get hold of the .changes files, at least for Debian those can be obtained (as Giacomo Catenazzi mentioned) from the list archives.
Answered By - Guillem Jover
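To make concrete what the .dsc pins once its signature (or the archive-signed Sources index) has been trusted, here is an added example that is not part of the question or of the answer above: it parses the Checksums-Sha256 field of a clearsigned .dsc in the layout shown in the question and checks each listed file on disk against its declared size and digest. The .dsc text, file names and file contents are constructed for the example, and the signature body is a placeholder, so this covers only the checksum half; the signature itself still has to be verified separately.

```python
import hashlib
import tempfile
from pathlib import Path
# Constructed .dsc in the clearsigned layout shown in the question; the hashes
# match the files demo() writes and the signature body is only a placeholder.
SAMPLE_DSC = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Checksums-Sha256:
 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 6 example_1.0.orig.tar.gz
 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 6 example_1.0-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
[placeholder: signature body omitted]
-----END PGP SIGNATURE-----
"""

def parse_checksums_sha256(text):
    """Map file name -> (sha256 hex, size) from the Checksums-Sha256 field."""
    lines = text.splitlines()
    if lines and lines[0] == "-----BEGIN PGP SIGNED MESSAGE-----":  # clearsigned .dsc
        lines = [ln[2:] if ln.startswith("- ") else ln  # undo OpenPGP dash-escaping
                 for ln in lines[lines.index("") + 1:lines.index("-----BEGIN PGP SIGNATURE-----")]]
    entries, in_field = {}, False
    for line in lines:
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith(" "):  # indented continuation lines
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
        elif in_field:
            break  # the next field ends the list
    return entries

def verify_dsc_files(dsc_text, directory):
    """Report 'ok', 'missing', 'size mismatch' or 'sha256 mismatch' per listed file."""
    results = {}
    for name, (digest, size) in parse_checksums_sha256(dsc_text).items():
        path = Path(directory) / name
        data = path.read_bytes() if path.is_file() else None
        results[name] = ("missing" if data is None
                         else "size mismatch" if len(data) != size
                         else "ok" if hashlib.sha256(data).hexdigest() == digest
                         else "sha256 mismatch")
    return results

def demo():
    d = Path(tempfile.mkdtemp())  # constructed download directory
    (d / "example_1.0.orig.tar.gz").write_bytes(b"hello\n")
    (d / "example_1.0-1.debian.tar.xz").write_bytes(b"hullo\n")  # same size, altered bytes
    return verify_dsc_files(SAMPLE_DSC, d)
```

On a real download, devscripts' dscverify performs both the signature check and this checksum comparison.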