Package: devscripts
Version: 2.10.35
Severity: wishlist
File: /usr/bin/debsign
debsign should support using an alternative location for the secret keyring to be used to sign particular uploads so that users can put their secret keys onto encrypted media or smartcards instead of storing the secret key on a vulnerable laptop.

http://www.linux.codehelp.co.uk/serendipity/index.php?/archives/131-Adapting-autofs-for-GPG-keys-to-an-SD-card.html
http://www.einval.com/~steve/docs/gpg-autofs.html

I have two keys, one is intended to remain on the laptop and has comments to that effect (0xA897FD02). The other key (0x28BCB3E3) is my Debian upload key so needs to be protected a little more than the ordinary laptop key (which I'll use when signing email on the laptop).

'debsign' does not have a way to specify a different --homedir or secret keyring or any other option that would allow me to have an alternative gpg configuration (maybe it should?).

So I've copied debsign into my home scripts directory to create a slightly modified version and then I followed Steve's advice for ~/.gnupg/ to create a duplicate directory with the same permissions and a much reduced public keyring file (just exported my own keys). The secring.gpg file for this alternative homedir is on the SD card with the autofs symlink (so the only file on the encrypted SDCard is the secret keyring).

Then it is a simple case of manually calling debsign (e.g. after using debuild -uc -us):

~/scripts/debsign -k0x28bcb3e3 /path/to/.changes

+CARD=" --no-default-keyring --homedir=/home/neil/.gcard "
...
- $signcommand --local-user "$2" --clearsign \
+ $signcommand $CARD --local-user "$2" --clearsign \
...
- $signcommand --local-user "$2" --clearsign \
+ $signcommand $CARD --local-user "$2" --clearsign \
...
- $signcommand -u "$2" +clearsig=on -fast < "$1" > "$ASCII_SIGNED_FILE"
+ $signcommand $CARD -u "$2" +clearsig=on -fast < "$1" > "$ASCII_SIGNED_FILE"

It would be useful if the effect of this change could be made available in debsign so that I could use it with this multiple key situation.
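Review bot: In the `+CARD=" --no-default-keyring --homedir=/home/neil/.gcard "` hunk the home directory is hard-coded to one user's path and only takes effect when `$CARD` is expanded unquoted, which word-splits on any space in the path. Suggest reading the directory from a configuration variable (the report's own `--homedir` proposal would map naturally onto a `~/.devscripts` setting next to `DEBSIGN_KEYID`) and passing it as two separately quoted arguments, e.g. `--no-default-keyring --homedir "$dir"`, so the option survives paths containing spaces.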
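Review bot: The last hunk, `+ $signcommand $CARD -u "$2" +clearsig=on -fast < "$1" > "$ASCII_SIGNED_FILE"`, is the PGP code path (`-u`, `+clearsig=on`, `-fast` are pgp syntax), but `$CARD` holds GnuPG-only options (`--no-default-keyring`, `--homedir=`), so that branch would fail whenever `$signcommand` is pgp rather than gpg. Suggest applying `$CARD` only in the two `--clearsign` gpg hunks, or keeping a separate variable with the pgp equivalents for this branch.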
Something like:

$ debsign --homedir

maybe?

--homedir - Specify an alternative home directory to be passed to gnupg (in combination with the --no-default-keyring option) to allow debsign to use an alternative key stored on removable (usually encrypted) media. See http://www.einval.com/~steve/docs/gpg-autofs.html

Just an idea.

-- Package-specific info:
--- /etc/devscripts.conf ---

--- ~/.devscripts ---
DEBSIGN_KEYID="0x28BCB3E3"
DEBRELEASE_UPLOADER="dput"

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages devscripts depends on:
ii  dpkg-dev  1.14.22  Debian package development tools
ii  libc6  2.7-13  GNU C Library: Shared libraries
ii  perl  5.10.0-13  Larry Wall's Practical Extraction

Versions of packages devscripts recommends:
ii  at  3.1.10.1  Delayed job execution and batch pr
ii  bsd-mailx [mailx]  8.1.2-0.20071201cvs-3  A simple mail user agent
ii  curl  7.18.2-7  Get a file from an HTTP, HTTPS or
ii  cvs  1:1.12.13-12  Concurrent Versions System
ii  dctrl-tools  2.13.0  Command-line tools to process Debi
ii  debian-keyring  2008.07.22  GnuPG (and obsolete PGP) keys of D
ii  debian-maintainers  1.44  GPG keys of Debian maintainers
ii  dput  0.9.2.33  Debian package upload tool
ii  dupload  2.6.4  utility to upload Debian packages
ii  elinks [www-browse  0.11.4-2  advanced text-mode WWW browser
ii  epiphany-gecko [ww  2.22.3-3  Intuitive GNOME web browser - Geck
ii  epiphany-webkit [w  2.22.3-3  Intuitive GNOME web browser - webk
pn  equivs  <none>  (no description available)
ii  fakeroot  1.9.6  Gives a fake root environment
ii  galeon [www-browse  2.0.6-2  GNOME web browser for advanced use
ii  git-core  1:1.5.6.5-1  fast, scalable, distributed revisi
ii  gnupg  1.4.9-3  GNU privacy guard - a free PGP rep
ii  iceweasel [www-bro  3.0.1-1  lightweight web browser based on M
pn  libauthen-sasl-per  <none>  (no description available)
ii  libcrypt-ssleay-pe  0.57-1+b1  Support for https protocol in LWP
ii  libparse-debcontro  2.005-2  Easy OO parsing of Debian control-
ii  libsoap-lite-perl  0.710.08-1  Client and server side SOAP implem
pn  libterm-size-perl  <none>  (no description available)
ii  libtimedate-perl  1.1600-9  Time and date functions for Perl
ii  liburi-perl  1.35.dfsg.1-1  Manipulates and accesses URI strin
ii  libwww-perl  5.813-1  WWW client/server library for Perl
pn  libyaml-syck-perl  <none>  (no description available)
ii  lintian  1.24.4  Debian package checker
ii  lsb-release  3.2-20  Linux Standard Base version report
ii  lynx-cur [www-brow  2.8.7dev9-2  Text-mode WWW Browser with NLS sup
ii  mailx  1:20071201-3  Transitional package for mailx ren
ii  man-db  2.5.2-2  on-line manual pager
ii  openssh-client [ss  1:5.1p1-2  secure shell client, an rlogin/rsh
ii  patch  2.5.9-5  Apply a diff file to an original
ii  patchutils  0.2.31-4  Utilities to work with patches
ii  strace  4.5.17+cvs080723-2  A system call tracer
ii  subversion  1.5.1dfsg1-1  Advanced version control system
ii  unzip  5.52-12  De-archiver for .zip files
ii  w3m [www-browser]  0.5.2-2+b1  WWW browsable pager with excellent
ii  wdiff  0.5-18  Compares two files word by word
ii  wget  1.11.4-2  retrieves files from the web

Versions of packages devscripts suggests:
ii  build-essential  11.4  Informational list of build-essent
ii  cvs-buildpackage  5.22  A set of Debian package scripts fo
pn  devscripts-el  <none>  (no description available)
pn  gnuplot  <none>  (no description available)
pn  libfile-desktopentry-perl  <none>  (no description available)
pn  libnet-smtp-ssl-perl  <none>  (no description available)
ii  mutt  1.5.18-4  text-based mailreader supporting M
ii  svn-buildpackage  0.6.23  helper programs to maintain Debian

-- no debconf information
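An added example, not part of the bug report above and not debsign's own code, of how a wrapper along the lines of the proposed --homedir option could check the alternative GnuPG home directory before handing it to gpg. The removable-media setup described in the report has two failure modes worth catching up front: the autofs mount (and with it secring.gpg) may not be present, and a copied home directory may have lost the 0700 permissions the report is careful to preserve. The function names, the 0700 check and the use of GNU `stat -c %a` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate an alternative GnuPG home directory and build the
# extra options debsign would pass to gpg. Not part of debsign or the report.

# card_gpg_opts DIR
# Prints "--no-default-keyring --homedir=DIR" on success and returns 0.
# Returns non-zero with a diagnostic on stderr when DIR is unusable:
#   1  DIR missing (e.g. the autofs mount for the card is not up)
#   2  DIR is group/world accessible (gpg warns about unsafe permissions)
#   3  DIR has no readable secring.gpg (card not inserted / symlink dangling)
card_gpg_opts() {
    homedir=$1
    if [ ! -d "$homedir" ]; then
        echo "card_gpg_opts: $homedir does not exist or is not mounted" >&2
        return 1
    fi
    # GNU coreutils stat; BSD stat would need 'stat -f %Lp' instead.
    mode=$(stat -c %a "$homedir")
    case "$mode" in
        700) ;;
        *) echo "card_gpg_opts: $homedir has mode $mode, expected 700" >&2
           return 2 ;;
    esac
    if [ ! -r "$homedir/secring.gpg" ]; then
        echo "card_gpg_opts: no readable secring.gpg in $homedir (card not inserted?)" >&2
        return 3
    fi
    printf '%s' "--no-default-keyring --homedir=$homedir"
}

# card_clearsign FILE KEYID DIR
# Clearsigns FILE with KEYID the way debsign's gpg branch does, but only
# after card_gpg_opts has accepted DIR. Output goes to FILE.asc.
card_clearsign() {
    opts=$(card_gpg_opts "$3") || return $?
    # $opts is intentionally unquoted so the two options word-split;
    # the directory name itself must therefore not contain spaces.
    gpg $opts --local-user "$2" --clearsign < "$1" > "$1.asc"
}

# Example invocation (path and key id are placeholders, as in the report):
#   card_clearsign /path/to/file.changes 0x28BCB3E3 "$HOME/.gcard"
```

The return codes let a caller distinguish "card not inserted" from "directory copied with the wrong permissions", which is the distinction a user of the SD-card setup most often needs when signing fails.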
