GitHub Packages Verification

[SubZero]

I would like to download OpenSnitch package from GitHub (.deb file), but I can't seem to find any way to verify that file for authenticity. There is no checksum or .asc files available to check the hash or the signature. How can I verify a downloaded file from GitHub?

https://github.com/evilsocket/opensnitch

[Head_on_a_Stick]

GitHub does offer signed commits but the author doesn't seem to be taking advantage of that, which is unfortunate. As such I would recommend cloning the repository and building the .debs locally instead:

Code: Select all

git clone https://github.com/evilsocket/opensnitch
cd opensnitch
apt install devscripts
mk-build-deps --install --remove
rm opensnitch-build-deps*
debuild -us -uc
apt install ../opensnitch*.deb
apt purge --autoremove devscripts opensnitch-build-deps

Be careful with that --autoremove option though, it might try to uninstall most of your desktop if you've been removing metapackages.

[SubZero]

When I run

Code: Select all

mk-build-deps --install --remove

, it's looking for a control file | package name. I am executing this command from opensnitch directory. What file or package name should I specify?

[Head_on_a_Stick]

Oh dear, my apologies SubZero — I glanced at the page and misread the "daemon" directory as "debian", which is pretty silly. Looks like that repository doesn't contain the Debian packaging details.

[SubZero]

No worries. As always, I appreciate your assistance. Thank you Sir!