Ubuntu – I’ve signed a deb package multiple times, now how can I remove a signature

aptdebdpkg

How can I remove signatures from a deb package signed with a gpg key by dpkg-sig?

I have a particular apt repository that I've set up, which through research and testing led me to manually sign my deb packages.

I've tested it out on a package and signed it multiple times with the same key. Now there are three signatures wrapped around the deb package.

The command used for signing the package was:

dpkg-sig -k ######## --sign bulder xul-ext-ubufox_3.0-0ubuntu0.14.10.1_all.deb

Best Answer

I'm not sure if there's a better way, but at the very least you could remove the signature "manually" with ar:

ar d "$yourpackage.deb" _gpgbuilder

(or additional things besides _gpgbuilder if you accomplished having "three signatures" by giving role names other than "builder").

This works because .deb files, at the outermost layer, are essentially just "ar" archives, and embedded deb sigs are stored in that outermost layer. There is a small difference between .debs created with dpkg and those created with ar, so normally it's a good idea to stick to real dpkg tools when manipulating deb files, but all modern tools (afaik) can handle both just fine.

Related Solutions

Ubuntu – How to manually assemble the own package “the hard way”

How difficult is this?

Not so difficult at all. I do all my packaging from scratch. Once you know a few tools, and understand what's going on, the process is fairly simple. Be prepared to spend some time, learning the processes, though.

Do I need to create my own repository for this to work?

A repository (such as a PPA) is for publishing your package to the wider world. So, yes, if you want people to be able to install the package, either you need to get it included in Debian/Ubuntu, or you need to publish it in a repository.

PPAs also have access to the Launchpad build farm, so they can build binary packages from source packages. But you can do this locally, too. And while packaging something, you really want to be test-building locally, rather than waiting for LP to build your package (the LP build queues can be hours long).

Do I need to sign it with my public key or something?

If you want to upload to a PPA, you need to sign your source package with your private key.

Will one deb package work for all Debian-based distributions, or do I need to build a separate version for each flavour?

The safe answer is no. But sometimes it's fairly straightforward to produce once deb that will work on all current Debian and Ubuntu releases. It depends on the package and the toolchain you used.

I suggest:

Ubuntu – I’m having dependency problems with wine and multiarch on 12.04×64. I need a solution

Create New source list using this website. Select your version and choose sources as per your requirement.Tick out Wine in extra repository list. Click on Generate list, You will get generated source list.

Now edit your source list using executing following command on Terminal

sudo nano /etc/apt/sources.list

Delete all lines and Copy generated list, save file by pressing Ctrl+X, choosing Yes. Update your package list using

sudo apt-get update

Now try to installl Wine

sudo apt-get install wine

Fixed same problem before an hour on my system.

Best Answer

Related Solutions

Ubuntu – How to manually assemble the own package “the hard way”

Ubuntu – I’m having dependency problems with wine and multiarch on 12.04×64. I need a solution

Related Question