Package: dpkg
Version: 1.17.5ubuntu5.6
Severity: wishlist
Tags: patch

This is a request for adding file signatures in Debian packages and for installing those signatures as 'security.ima' extended attributes at package install time.

We propose to embed the extended attribute in the PAX header of the (data and control) tar files found inside a Debian package. GNU tar is one example of a tar program that already supports extended attributes to be stored there, so extending the tar implementation of dpkg with PAX header support seems the most straightforward way of supporting this.

The file signatures can be embedded with a tool that repackages existing Debian packages by repackaging the data and control tar files inside of them. While repacking those tar files, the signatures are added to them. We have implemented such a tool and use it as part of building a mirror of Debian packages of an Ubuntu distribution, for example.

We have previously posted a patch implementing PAX header support for dpkg's tar implementation here:
https://lists.debian.org/debian-dpkg/2016/05/msg00036.html

Other useful information:
http://www.linuxplumbersconf.org/2016/ocw//system/presentations/3933/original/FileSignaturesNeeded.pdf

-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty-proposed'), (500, 'trusty'), (100, 'trusty-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-18-generic (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dpkg depends on:
ii  libbz2-1.0   1.0.6-5
ii  libc6        2.19-0ubuntu6.9
ii  liblzma5     5.1.1alpha+20120614-2ubuntu2
ii  libselinux1  2.2.2-1ubuntu0.1
ii  tar          1.27.1-1
ii  zlib1g       1:1.2.8.dfsg-1ubuntu1

dpkg recommends no packages.

Versions of packages dpkg suggests:
ii  apt  1.0.1ubuntu2.14

-- no debconf information
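
Added example, not part of the original report and not dpkg's code: a C lookup of one key in a block of PAX extended-header records, which is where the report proposes to carry 'security.ima'. It assumes the SCHILY.xattr. key prefix that GNU tar uses for extended attributes; pax_find and the sample bytes are constructed for illustration.

```c
#include <string.h>

/* Key prefix GNU tar uses for extended attributes in PAX headers
 * (assumed here; the report does not spell out the key name). */
#define XATTR_PREFIX "SCHILY.xattr."

/* Constructed sample: an mtime record, then a 6-byte binary xattr value
 * (not a real signature) that contains '\n' and NUL on purpose. */
static const unsigned char sample[] =
    "30 mtime=1350244992.023960108\n"
    "36 SCHILY.xattr.security.ima=\x03\x02\x04\n\x00\xAB\n";

/* Look up `key` in a buffer of PAX records, each "<len> <key>=<value>\n"
 * with <len> the decimal size of the whole record. Values are binary, so
 * records are walked by <len>, never by scanning for '\n'.
 * Returns 0 and sets *val / *vlen, or -1 if absent or malformed. */
int pax_find(const unsigned char *buf, size_t size, const char *key,
             const unsigned char **val, size_t *vlen)
{
    size_t klen = strlen(key), off = 0;

    while (off < size) {
        size_t len = 0, i = off;
        while (i < size && buf[i] >= '0' && buf[i] <= '9') {
            if (len > size / 10)        /* would exceed the buffer */
                return -1;
            len = len * 10 + (size_t)(buf[i++] - '0');
        }
        if (i == off || i >= size || buf[i] != ' ')
            return -1;
        /* Record needs at least " =\n" after the digits, must fit in
         * the buffer, and must end in '\n'. */
        if (len < (i - off) + 3 || len > size - off ||
            buf[off + len - 1] != '\n')
            return -1;

        const unsigned char *k = buf + i + 1;
        const unsigned char *end = buf + off + len - 1;
        const unsigned char *eq = memchr(k, '=', (size_t)(end - k));
        if (eq == NULL)
            return -1;
        if ((size_t)(eq - k) == klen && memcmp(k, key, klen) == 0) {
            *val = eq + 1;
            *vlen = (size_t)(end - (eq + 1));
            return 0;
        }
        off += len;
    }
    return -1;
}
```

The returned pointer and length are the raw bytes an installer would pass on as the attribute value; a truncated or mis-sized record is rejected rather than partially read.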