diff --git a/pkgs/servers/jibri/default.nix b/pkgs/servers/jibri/default.nix
index 5bf50d01752f..108c99ff0473 100644
--- a/pkgs/servers/jibri/default.nix
+++ b/pkgs/servers/jibri/default.nix
@@ -21,7 +21,6 @@ stdenv.mkDerivation rec {
 dontBuild = true;
 nativeBuildInputs = [ dpkg makeWrapper ];
- unpackCmd = "dpkg-deb -x $src debcontents";
 installPhase = ''
 runHook preInstall
diff --git a/pkgs/tools/package-management/dpkg/default.nix b/pkgs/tools/package-management/dpkg/default.nix
index cb1c67e2e90d..e074ef05d97e 100644
--- a/pkgs/tools/package-management/dpkg/default.nix
+++ b/pkgs/tools/package-management/dpkg/default.nix
@@ -71,6 +71,8 @@ stdenv.mkDerivation rec {
 cp -r scripts/t/origins $out/etc/dpkg
 '';
+ setupHook = ./setup-hook.sh;
+
 meta = with lib; {
 description = "The Debian package manager";
 homepage = "https://wiki.debian.org/Teams/Dpkg";
diff --git a/pkgs/tools/package-management/dpkg/setup-hook.sh b/pkgs/tools/package-management/dpkg/setup-hook.sh
new file mode 100644
index 000000000000..326f06eff318
--- /dev/null
+++ b/pkgs/tools/package-management/dpkg/setup-hook.sh
@@ -0,0 +1,12 @@
+unpackCmdHooks+=(_tryDpkgDeb)
+_tryDpkgDeb() {
+ if ! [[ "$curSrc" =~ \.deb$ ]]; then return 1; fi
+ # Don't use dpkg-deb -x as that will error if the archive contains a file
+ # or directory with a setuid bit in its permissions. This is because dpkg
+ # calls tar internally with the -p flag, preserving file permissions.
+ #
+ # We instead only use dpkg-deb to extract the tarfile containing the files
+ # we want from the .deb, then finish extracting with tar directly.
+ mkdir root
+ dpkg-deb --fsys-tarfile "$curSrc" | tar --extract --directory=root
+}
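Review bot: The `tar --extract --directory=root` call at the end of `_tryDpkgDeb` in setup-hook.sh avoids restoring setuid bits and archive ownership only because GNU tar defaults to that for non-root users. If the builder ever runs as uid 0, tar defaults to preserving permissions and ownership, which would bring back the failure the comment describes and let the contents of the .deb decide modes and owners in the build tree. Stating the intent in the command removes that dependency: `dpkg-deb --fsys-tarfile "$curSrc" | tar --extract --no-same-permissions --no-same-owner --directory=root`. Separately, the result of `mkdir root` is not checked, so if `root` already exists (for example with more than one .deb source, assuming the hook runs once per source) the archives would presumably be merged into one tree without any error.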