What's the official method for checking integrity of a source package?
Solution 1:
The integrity of the source package can be verified without validating the gpg signature on the dsc file.
Each installation source has a pair of files called Release and Release.gpg. These two files are the root of a hash tree, which can be used to validate the integrity of everything in the archive. The gpg signature on Release is the only one which needs to be verified.
The signature on the dsc file may serve an important purpose before the file is put into a repository and indirectly signed through Release.gpg. Once the file is in the repository, the signature on the dsc file can be ignored.
Here is how I could manually verify the integrity. As far as I can tell, apt-get source does the same validation.
- Download http://dk.archive.ubuntu.com/ubuntu/dists/trusty/Release and http://dk.archive.ubuntu.com/ubuntu/dists/trusty/Release.gpg.
- Check the signature using
  gpg --keyring /etc/apt/trusted.gpg --verify Release.gpg Release
  (The public key can also be found in /usr/share/keyrings/ubuntu-archive-keyring.gpg.)
- Download http://dk.archive.ubuntu.com/ubuntu/dists/trusty/main/source/Sources.gz
- Compare the hashes obtained from
  sha256sum Sources.gz
  and
  grep main/source/Sources.gz Release
- Compare the hashes obtained from
  sha256sum pam_1.1.8-1ubuntu2.dsc
  and
  zcat Sources.gz | grep pam_1.1.8-1ubuntu2.dsc
- Validate the hashes found within the dsc file:
  cat pam_1.1.8-1ubuntu2.dsc | sed -e 's/^ //;s/ [1-9][0-9]* / /' | sha256sum -c
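The hash chain walked by hand above, as an added script that is not part of the answer: it reads the three files from disk (assumed already downloaded next to the tarballs, with Release.gpg already checked with gpg) and, unlike a bare grep, only trusts the SHA256 section of each index.

```shell
#!/bin/sh
# Added example (not from either answer): walk the Release -> Sources.gz -> .dsc hash
# chain with awk and sha256sum. Assumes the three files and the tarballs are already
# downloaded into one directory and that Release.gpg has been verified with gpg first.
set -eu

# Print the SHA256 that an index (Release, Sources, or a dsc) records for PATH, reading
# the index on stdin and looking only inside the section named SEC, e.g. "SHA256:".
# A plain grep would also return the MD5Sum and SHA1 entries for the same path.
index_sha256() { # SEC PATH
  awk -v sec="$1" -v path="$2" '
    !/^ /                 { in_sec = ($1 == sec); next }  # non-continuation line: new section
    in_sec && $3 == path  { print $1; exit }              # " <hash> <size> <path>"
  '
}

# Succeed only if FILE on disk hashes to EXPECTED.
hash_matches() { # EXPECTED FILE
  [ "$1" = "$(sha256sum "$2" | awk '{ print $1 }')" ]
}

# Rewrite the dsc's Checksums-Sha256 section into sha256sum -c input ("<hash>  <file>",
# two spaces, no size column) and check the tarballs that sit beside the dsc.
dsc_files_match() { # DSC
  ( cd "$(dirname "$1")" &&
    awk '!/^ / { in_sec = ($1 == "Checksums-Sha256:"); next }
         in_sec && NF == 3 { print $1 "  " $3 }' "$(basename "$1")" |
    sha256sum -c --quiet )
}

# Full chain: Release vouches for Sources.gz, Sources vouches for the dsc, and the dsc
# vouches for the tarballs. Returns 0 only when every link holds.
verify_source_chain() { # RELEASE SOURCES_GZ DSC
  expected=$(index_sha256 "SHA256:" "main/source/Sources.gz" < "$1")
  [ -n "$expected" ] && hash_matches "$expected" "$2" ||
    { echo "Release does not vouch for $2" >&2; return 1; }
  expected=$(gzip -dc "$2" | index_sha256 "Checksums-Sha256:" "$(basename "$3")")
  [ -n "$expected" ] && hash_matches "$expected" "$3" ||
    { echo "Sources does not vouch for $3" >&2; return 1; }
  dsc_files_match "$3" ||
    { echo "dsc checksums do not match the files on disk" >&2; return 1; }
  echo "OK: $(basename "$3") and its tarballs are covered by the signed Release"
}

# Usage, once the files from the steps above are in the current directory:
#   verify_source_chain Release Sources.gz pam_1.1.8-1ubuntu2.dsc
```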
Solution 2:
The reason you see that warning is because the source packages are signed by the developer's own key, while the binary packages you get from the repo are signed by the repo signing key. Since ubuntu-keyring only gives the keyring of the final repo (debian-keyring actually also provides the public keys of all of its maintainers), apt can't find the key and considers the package unauthenticated.
Therefore, the solution here is to import the key from a keyserver. You can also look up the source package on Launchpad (pam is here), click on the email address of the person who made the last change for a package, and check the key fingerprint from there.
In this case, the last person to change the package was Stéphane Graber, and it just so happens that his key is in debian-keyring (specifically, in /usr/share/keyrings/debian-maintainers.gpg). You can install the debian-keyring package, export his key from that keyring, and import that key into your own keyring so that apt can verify that it is properly signed.