1. Home
  2. /
  3. Resources
  4. /
  5. Securing OpenPGP and Debian Packages with Code Signing

Securing OpenPGP and Debian Packages with Code Signing

hero-sub-3
EJBCA Signserver

2023-09-29

This Tech Update, initially published in early 2023, has exciting additional updates to share. We have introduced a tutorial video to assist you in configuring OpenPGP for Linux package signing within SignServer, and we have also refreshed the accompanying documentation. You can find all this valuable information on  signserver.org, or if you are ready to get started now, you can access the tutorial video here.

 

 

2023-01-10

In the software supply chain, signing and verifying code helps keep malicious code out of your environment. From SignServer Community release 5.11, you can digitally sign Debian packages.

If you are not familiar with code signing, it is the process of digitally signing code, executables, scripts, and software update packages to confirm the creator of the code and to be able to validate that the code has not been manipulated or unintentionally corrupted since it was signed.

SignServer is a server-side code signing software that supports multiple code signing formats. In the SignServer Community Edition, you can sign Open PGP and Debian packages, for example.

About OpenPGP signing

OpenPGP is commonly used for Open-Source software projects and packaging software for Linux environments. The SignServer OpenPGP signer can sign arbitrary data and produce an OpenPGP (RFC 4880) detached signature in binary or ASCII form or a cleartext signature.

About Debian Package Signing

Debian is a popular and freely available operating system. A wide range of organizations use the Debian operating system, and the system is also known for being an effective packaging system. SignServer supports the signing of Debian packages using the dpkg-sig format and OpenPGP. The key management operations are the same as the generic OpenPGP Signer in SignServer.

From previously being exclusively available to SignServer Enterprise Edition users, the Debian dpkg-sig Signer is now also available in SignServer Community 5.11. Read more in the release notes.

How to set it up in SignServer

Configuring your Debian package signer or OpenPGP signer in SignServer is easy. Your applications can access the Debian or OpenPGP signer via an integration directly to the web services web interface or via the SignServer SignClient. The signing functionality is also available to users via a web interface. Users and applications are always authenticated, and all log files are signed to ensure proper audit and logging functionality.

Neither the Debian package signing nor the OpenPGP signing format uses X.509 certificates. However, in SignServer, the Debian and OpenPGP signing operations are handled as any other code signing operation. A Hardware Security Module (HSM) is recommended to store the private key and execute the signing operation.

Get Started with OpenPGP or Debian Package Signing

Do you want to try signing your OpenPGP or Debian packages with SignServer? Here is how to get started:

  1. Deploy SignServer Community, see Quick Start Guide – Start SignServer Container.
  2. Configure OpenPGP or Debian signing, see Code Signing Technical How-to.

Related resources

PKI hierarchies - 1, 2, 3 tiers ?
Installation & Deployment
Signing
Tech Update
Ejbca
Signserver
18 March, 2025

#KEYMASTER: Understanding VEX and the Future of Vulnerability Management

In this Keymaster episode, we explore VEX (Vulnerability Exploitability Excha...
Read more
PKI hierarchies - 1, 2, 3 tiers ?
Installation & Deployment
Signing
Tech Update
Ejbca
Signserver
11 March, 2025

#KEYMASTER: The Rise of SBOMs – A Growing Necessity

In this episode of #KEYMASTER, we explore the evolving landscape of Software...
Read more

This website uses cookies

Cookies consist of small text files. They contain data that is stored on your device. To enable us to place certain types of cookies we need to obtain your consent. At PrimeKey Solutions AB, corp. ID no. 556628-3064, we use the following kinds of cookies. To read more about which cookies we use and storage times, click here to access our cookies policy.

Manage your cookie-settings

Necessary cookies

Check to consent to the use of Necessary cookies
Necessary cookies are cookies that must be placed for basic functions to work on the website. Basic functions are, for example, cookies which are needed so that you can use menus on the website and navigate on the site.

Functional cookies

Check to consent to the use of Functional cookies
Functional cookies need to be placed on the website in order for it to perform as you would expect. For example, so that it recognizes which language you prefer, whether or not you are logged in, to keep the website secure, remember login details or to be able to sort products on the website according to your preferences.

Cookies for statistics

Check to consent to the use of Cookies for statistics
For us to measure your interactions with the website, we place cookies in order to keep statistics. These cookies anonymize personal data.

Cookies for ad-tracking

Check to consent to the use of Cookies for ad-tracking
To enable us to offer better service and experience, we place cookies so that we can provide relevant advertising. Another aim of this processing is to enable us to promote products or services, provide customized offers or provide recommendations based on what you have purchased in the past.

Ad measurement user cookies

Check to consent to the use of Ad measurement user cookies
In order to show relevant ads we place cookies to tailor ads for you

Personalized ads cookies

Check to consent to the use of Personalized ads cookies
To show relevant and personal ads we place cookies to provide unique offers that are tailored to your user data
Close