  1. SignServer
  2. DSS-1973

Create DebianDpkgSigSigner


    • Type: Task
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.2.0.Alpha2, 5.1.0.Final
    • Component/s: None
    • Sprint:
      SignServer-Sprint 100, SignServer-Sprint 101


      Similar to DSS-1826, but completely on the server side.

      To-dos in this ticket (or sub-tickets):

      • [✔] VS: DSS-1977: Create skeleton signer
        • Refactoring: extract a base class, BaseOpenPGPSigner, from OpenPGPSigner so that it can also be used by the new signer in this ticket
        • Create the DebianDpkgSigSigner extending the BaseOpenPGPSigner returning hello world or whatever
      • DSSINTER-353: Create standalone tool for dumping the content of a Debian package (AR archive). This tool will be useful for later troubleshooting and as a first step before adding this functionality to SignServer.
      • [✔] VS: Implement Debian dpkg-sig signing
        • Parsing of Debian package
        • Calculation of hash of files
        • DSS-1978: Producing metadata file (_gpgbuilder) from key fingerprint, date, hashes and file names
        • [-] Sign the metadata file with clear-text signature - already done in DSS-1977?
        • Storing signature in Debian package - adding AR entry
      • Unit tests
        • [✔] ML: Worker properties (if any)
          • Including tests for the properties from BaseOpenPGPSigner (i.e. copy those tests from OpenPGPSignerUnitTest)
        • [✔] ParsedARFile
          • Checking that, if provided with an AR file (such as a Debian package), the parsed values are as expected
        • [-] Signing and verification of Debian file. Skipped for now as we have both Compliance tests and System tests for this.
      • System tests:
        • [✔] VS: Signing and verification of Debian file using PKCS#11
          • Call signing
          • Call ParsedArFile.parseAndHash() to get the expected entries
          • Extract the _gpgbuilder file
          • Verify the signature of the _gpgbuilder file
          • Check that the values in the _gpgbuilder file (manifest) match what was parsed from the AR file
            • i.e. all expected file identifiers are there and no extra, the file sizes, the fingerprints, ...
      • DSS-1980: Compliance testing with dpkg-sig
        • How to run the command (i.e. what's the syntax etc)?
        • Available in Jenkins images? Can we install it? Do we need some image running the tests with Debian for this?
        • Implement as JUnit (see gpg compliance tests for reference)
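
An added example (not SignServer's own code, and not the DSSINTER-353 tool) of the "Parsing of Debian package" and "Calculation of hash of files" steps above: it walks the AR member headers of a package and hashes each member, rejecting corrupt or truncated input. The function names, the in-memory sample archive and the choice of MD5 and SHA-1 as digests are assumptions made for this example.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"   # global header of every AR archive
HEADER_LEN = 60           # fixed-size member header
HEADER_END = b"`\n"       # terminator in the last two header bytes

def parse_and_hash(data, algos=("md5", "sha1")):
    """Return one dict per AR member: name, size and hex digests (algos assumed)."""
    if data[:len(AR_MAGIC)] != AR_MAGIC:
        raise ValueError("not an AR archive: bad global magic")
    entries, pos = [], len(AR_MAGIC)
    while pos < len(data):
        header = data[pos:pos + HEADER_LEN]
        if len(header) < HEADER_LEN or header[58:60] != HEADER_END:
            raise ValueError(f"corrupt member header at offset {pos}")
        # Name is space padded; GNU ar also appends '/', so drop both.
        name = header[0:16].decode("ascii").rstrip(" ").rstrip("/")
        size_field = header[48:58].decode("ascii").strip()
        if not size_field.isdigit():
            raise ValueError(f"bad size field for member {name!r}")
        size = int(size_field)
        start = pos + HEADER_LEN
        body = data[start:start + size]
        if len(body) != size:
            raise ValueError(f"member {name!r} is truncated")
        entry = {"name": name, "size": size}
        for algo in algos:
            entry[algo] = hashlib.new(algo, body).hexdigest()
        entries.append(entry)
        pos = start + size + (size % 2)   # members are padded to an even offset
    return entries

def build_ar(members):
    """Build a small AR archive in memory (constructed test input)."""
    out = bytearray(AR_MAGIC)
    for name, body in members:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d" % (name, 0, 0, 0, b"100644", len(body))
        out += HEADER_END + body + (b"\n" if len(body) % 2 else b"")
    return bytes(out)

# Constructed sample: member names follow the Debian package layout,
# the bodies are placeholder bytes rather than real tarballs.
SAMPLE = build_ar([
    (b"debian-binary", b"2.0\n"),
    (b"control.tar.gz", b"constructed-control"),   # odd length, exercises padding
    (b"data.tar.gz", b"constructed-data-payload"),
])

if __name__ == "__main__":
    for e in parse_and_hash(SAMPLE):
        print(e["name"], e["size"], e["md5"], e["sha1"])
```

The returned list is the kind of independent reference the system-test steps compare the manifest against: member names, sizes and digests, in archive order.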






              vinays Vinay Singh (Inactive)
              markus Markus Kilås
              Verified by:
              Marcus Lundblad, Markus Kilås



                  Time Tracking

                  Original Estimate - 1 week
                  Remaining Estimate - 0 minutes
                  Time Spent - 1 day, 6 hours, 6 minutes