- Use cases
- Resources & Inspiration
This Tech Update, initially published in early 2023, has exciting additional updates to share. We have introduced a tutorial video to assist you in configuring OpenPGP for Linux package signing within SignServer, and we have also refreshed the accompanying documentation. You can find all this valuable information on signserver.org, or if you are ready to get started now, you can access the tutorial video here.
If you are not familiar with code signing, it is the process of digitally signing code, executables, scripts, and software update packages to confirm the creator of the code and to be able to validate that the code has not been manipulated or unintentionally corrupted since it was signed.
SignServer is a server-side code signing software that supports multiple code signing formats. In the SignServer Community Edition, you can sign Open PGP and Debian packages, for example.
OpenPGP is commonly used for Open-Source software projects and packaging software for Linux environments. The SignServer OpenPGP signer can sign arbitrary data and produce an OpenPGP (RFC 4880) detached signature in binary or ASCII form or a cleartext signature.
Debian is a popular and freely available operating system. A wide range of organizations use the Debian operating system, and the system is also known for being an effective packaging system. SignServer supports the signing of Debian packages using the dpkg-sig format and OpenPGP. The key management operations are the same as the generic OpenPGP Signer in SignServer.
From previously being exclusively available to SignServer Enterprise Edition users, the Debian dpkg-sig Signer is now also available in SignServer Community 5.11. Read more in the release notes.
Configuring your Debian package signer or OpenPGP signer in SignServer is easy. Your applications can access the Debian or OpenPGP signer via an integration directly to the web services web interface or via the SignServer SignClient. The signing functionality is also available to users via a web interface. Users and applications are always authenticated, and all log files are signed to ensure proper audit and logging functionality.
Neither the Debian package signing nor the OpenPGP signing format uses X.509 certificates. However, in SignServer, the Debian and OpenPGP signing operations are handled as any other code signing operation. A Hardware Security Module (HSM) is recommended to store the private key and execute the signing operation.
Do you want to try signing your OpenPGP or Debian packages with SignServer? Here is how to get started: