What's the official method for checking integrity of a source package?

Solution 1:

The integrity of the source package can be verified without validating the gpg signature on the dsc file.

Each installation source has a pair of files called Release and Release.gpg. These two files are the root of a hash tree, which can be used to validate the integrity of everything in the archive. The gpg signature on Release is the only one which need to be verified.

The signature on the dsc file may serve an important purpose before the file is put into a repository and indirectly signed through Release.gpg. Once the file is in the repository, the signature on the dsc file can be ignored.

Here is how I could manually verify the integrity. As far as I can tell, apt-get source does the same validation.

1. Download http://dk.archive.ubuntu.com/ubuntu/dists/trusty/Release and http://dk.archive.ubuntu.com/ubuntu/dists/trusty/Release.gpg.
2. Check the signature using gpg --keyring /etc/apt/trusted.gpg --verify Release.gpg Release (The public key can also be found in /usr/share/keyrings/ubuntu-archive-keyring.gpg)
3. Download http://dk.archive.ubuntu.com/ubuntu/dists/trusty/main/source/Sources.gz
4. Compare hashes obtained from sha256sum Sources.gz and grep main/source/Sources.gz Release
5. Compare hashes obtained from sha256sum pam_1.1.8-1ubuntu2.dsc and zcat Sources.gz | grep pam_1.1.8-1ubuntu2.dsc
6. Validate hashes found within the dsc file: cat pam_1.1.8-1ubuntu2.dsc | sed -e 's/^ //;s/ [1-9][0-9]* / /' | sha256sum -c

Solution 2:

The reason you see that warning is because the source packages are signed by the developer's own key, while the binary packages you get from the repo are signed by the repo signing key. Since ubuntu-keyring only gives the keyring of the final repo (debian-keyring actually also provides the public keys of all of its maintainers), apt can't find the key and considers the package unauthenticated.

Therefore, the solution here is to import the key from a keyserver. You can also look up the source package on Launchpad (pam is here), click on the email address of the person who made the last change for a package, and check the key fingerprint from there.

In this case, the last person to change the package was Stéphane Graber, and it just so happens that his key is in debian-keyring (specifically, in /usr/share/keyrings/debian-maintainers.gpg). You can install the debian-keyring package, export his key from that keyring, and import that key into your own keyring so that apt can verify that it is properly signed.