Bug#1066875: devscripts: debsign tries to parse gpg version from human-readable output, should use machine-readable output

2024-04-29 Thread Daniel Kahn Gillmor
Hi Guillem--

On Sat 2024-04-27 23:13:13 +0200, Guillem Jover wrote:
> I was just modifying this code for another report I'm about to file,
> and instead wondered why have it at all! I'm proposing simply removing
> the backwards compat code given that even in oldstable gnupg1 is
> already at version 1.4.23. See attached patch.

Yes, that seems like an even better choice.  The 1.4.x line of GnuPG is
poorly supported these days, and doesn't handle modern cryptography
(including the 25519 keys that are used by a lot of DDs these days).

Thanks for looking into this, Guillem!

   --dkg





2024-04-27 Thread Guillem Jover
Hi!

On Thu, 2024-03-14 at 14:55:36 -0400, Daniel Kahn Gillmor wrote:
> Package: devscripts
> Version: 2.23.7
> Tags: patch

> debsign currently tries to determine the version of gpg by parsing the
> human-readable output of `gpg --version`.

[…]

> The attached patch converts debsign to use the machine-parseable format,
> rather than the human-readable format.

I was just modifying this code for another report I'm about to file,
and instead wondered why have it at all! I'm proposing simply removing
the backwards compat code given that even in oldstable gnupg1 is
already at version 1.4.23. See attached patch.

Thanks,
Guillem
From a9601103ca8deb4aeaaca04b8f42272ced6fde27 Mon Sep 17 00:00:00 2001
From: Guillem Jover 
Date: Sat, 27 Apr 2024 23:06:39 +0200
Subject: [PATCH] debsign: Remove compatibility code for ancient GnuPG

The code is trying to handle GnuPG versions older than 1.4, where
the oldest GnuPG version available in Debian via the gnupg1 package
is 1.4.23 since oldstable. So there is not much point in trying to
support even older versions.

Remove the code to simplify things.
---
 scripts/debsign.sh | 37 ++---
 1 file changed, 10 insertions(+), 27 deletions(-)

diff --git a/scripts/debsign.sh b/scripts/debsign.sh
index 15b0dfc2..2ddb8b11 100755
--- a/scripts/debsign.sh
+++ b/scripts/debsign.sh
@@ -170,33 +170,16 @@ signfile() {
 ASCII_SIGNED_FILE="${UNSIGNED_FILE}.asc"
 (cat "$file" ; echo "") > "$UNSIGNED_FILE"
 
-gpgversion=$($signcommand --version | head -n 1 | cut -d' ' -f3)
-gpgmajorversion=$(echo $gpgversion | cut -d. -f1)
-gpgminorversion=$(echo $gpgversion | cut -d. -f2)
-
-if [ $gpgmajorversion -gt 1 -o $gpgminorversion -ge 4 ]
-then
-	$signcommand --no-auto-check-trustdb \
-		--local-user "$signas" --clearsign \
-		--list-options no-show-policy-urls \
-		--armor --textmode --output "$ASCII_SIGNED_FILE"\
-		"$UNSIGNED_FILE" || \
-	{ SAVESTAT=$?
-	  echo "$PROGNAME: $signcommand error occurred!  Aborting" >&2
-	  stty $savestty 2>/dev/null || true
-	  exit $SAVESTAT
-	}
-else
-	$signcommand --local-user "$signas" --clearsign \
-		--no-show-policy-url \
-		--armor --textmode --output "$ASCII_SIGNED_FILE" \
-		"$UNSIGNED_FILE" || \
-	{ SAVESTAT=$?
-	  echo "$PROGNAME: $signcommand error occurred!  Aborting" >&2
-	  stty $savestty 2>/dev/null || true
-	  exit $SAVESTAT
-	}
-fi
+$signcommand --no-auto-check-trustdb \
+	--local-user "$signas" --clearsign \
+	--list-options no-show-policy-urls \
+	--armor --textmode --output "$ASCII_SIGNED_FILE"\
+	"$UNSIGNED_FILE" || \
+{ SAVESTAT=$?
+  echo "$PROGNAME: $signcommand error occurred!  Aborting" >&2
+  stty $savestty 2>/dev/null || true
+  exit $SAVESTAT
+}
 stty $savestty 2>/dev/null || true
 echo
 PRECIOUS_FILES=$(($PRECIOUS_FILES + 1))
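Review bot: the retained invocation keeps `--output "$ASCII_SIGNED_FILE"\` with no space before the line continuation (carried over from the removed `if` branch, whereas the removed `else` branch had the space); add the space so the continuation reads consistently with the surrounding lines. Since `gpgversion`, `gpgmajorversion` and `gpgminorversion` are no longer assigned, it is worth confirming that nothing later in `signfile()` or elsewhere in `debsign.sh` still reads them, as any such use would now see an empty value.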
-- 
2.43.0




2024-03-14 Thread Daniel Kahn Gillmor
Package: devscripts
Version: 2.23.7
Tags: patch

(this is also
https://salsa.debian.org/debian/devscripts/-/merge_requests/394)

debsign currently tries to determine the version of gpg by parsing the
human-readable output of `gpg --version`.

For use in scripts and other code, the GnuPG project prefers the use
of machine-readable output, and has offered `--with-colons
--list-config` for many versions (back at least to 1.3.5 according to
/usr/share/doc/gnupg/DETAILS.gz).  That form of invocation produces a
lot of detail, including the actual version number:

cfg:version:2.2.40

This mode of output is what is used by libgpgme to determine the
version of gpg, so it is likely to remain stable and parseable.

The attached patch converts debsign to use the machine-parseable format,
rather than the human-readable format.

This issue came up when experimenting with sequoia-chameleon-gnupg,
which produces a human-readable string that doesn't match what debsign
was checking for.
(https://gitlab.com/sequoia-pgp/sequoia-chameleon-gnupg/-/issues/61).
They're fixing that now in the chameleon upstream, but it seems like
debsign should be using the more robust approach anyway.

Thanks for maintaining devscripts!

--dkg

From 6bed35a535962534883a5aa233cbbcbfc7b15624 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor 
Date: Thu, 14 Mar 2024 14:10:59 -0400
Subject: [PATCH] debsign: check gpg version with machine-parseable format

debsign currently tries to determine the version of gpg by parsing the
human-readable output of `gpg --version`.

For use in scripts and other code, the GnuPG project prefers the use
of machine-readable output, and has offered `--with-colons
--list-config` for many versions (back at least to 1.3.5 according to
/usr/share/doc/gnupg/DETAILS.gz).  That form of invocation produces a
lot of detail, including the actual version number:

cfg:version:2.2.40

This mode of output is what is used by libgpgme to determine the
version of gpg, so it is likely to remain stable and parseable.

This change converts debsign to use the machine-parseable format,
rather than the human-readable format.
---
 scripts/debsign.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/debsign.sh b/scripts/debsign.sh
index 15b0dfc2..cc4d31ab 100755
--- a/scripts/debsign.sh
+++ b/scripts/debsign.sh
@@ -170,7 +170,7 @@ signfile() {
 ASCII_SIGNED_FILE="${UNSIGNED_FILE}.asc"
 (cat "$file" ; echo "") > "$UNSIGNED_FILE"
 
-gpgversion=$($signcommand --version | head -n 1 | cut -d' ' -f3)
+gpgversion=$($signcommand --with-colons --list-config | awk -F: '/^cfg:version:/ { print $3; exit }')
 gpgmajorversion=$(echo $gpgversion | cut -d. -f1)
 gpgminorversion=$(echo $gpgversion | cut -d. -f2)
 
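Review bot: the new `gpgversion=` line has no handling for an empty result. If `$signcommand` does not emit a `cfg:version:` record (the commit message itself notes `--with-colons --list-config` only goes back to 1.3.5, and a non-GnuPG implementation may print nothing there either), `gpgversion`, `gpgmajorversion` and `gpgminorversion` all end up empty, and the later `[ $gpgmajorversion -gt 1 -o $gpgminorversion -ge 4 ]` test becomes a syntax error rather than a clean "too old" decision. Consider failing with an explicit message when the awk output is empty, e.g. `[ -n "$gpgversion" ] || { echo "$PROGNAME: cannot determine $signcommand version" >&2; exit 1; }`, before the version is split into major and minor.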
-- 
2.43.0
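The `cfg:version` parsing described in the report above, as an added example that is not code from either patch: it reads the version from constructed `--with-colons --list-config` output, shows how the old positional banner parsing misreads a constructed hypothetical wrapper banner, and does a numeric major/minor comparison.

```shell
#!/bin/sh
# Added example, not code from the debsign patches: read the GnuPG version
# from the machine-readable "--with-colons --list-config" output and compare
# it against the human-readable banner parsing that the patch replaces.

# Constructed sample of `gpg --with-colons --list-config`; only the
# cfg:version record is needed, the others are typical of real output.
SAMPLE_LIST_CONFIG='cfg:group:
cfg:version:2.2.40
cfg:pubkey:1;2;3;16;17;18;19;22
cfg:cipher:1;2;3;4;7;8;9;10;11;12;13'

# Constructed `gpg --version` banners: a stock one, and a hypothetical
# wrapper whose first line carries an extra word, which pushes the version
# out of field 3 and breaks the positional parsing.
SAMPLE_BANNER_STOCK='gpg (GnuPG) 2.2.40
libgcrypt 1.10.1'
SAMPLE_BANNER_WRAPPER='gpg (Some Wrapper) 2.2.40
libgcrypt 1.10.1'

# Old debsign parsing: third space-separated word of the first banner line.
gpg_version_from_banner() {
    head -n 1 | cut -d' ' -f3
}

# Patched parsing: third field of the first cfg:version record, which does
# not depend on word positions or on vendor text in the banner.
gpg_version_from_config() {
    awk -F: '/^cfg:version:/ { print $3; exit }'
}

# Return 0 when version $1 (x.y[.z]) is at least version $2, comparing
# major then minor numerically; a missing minor component counts as 0.
gpg_version_at_least() {
    maj1=$(echo "$1" | cut -d. -f1); min1=$(echo "$1" | cut -s -d. -f2)
    maj2=$(echo "$2" | cut -d. -f1); min2=$(echo "$2" | cut -s -d. -f2)
    if [ "${maj1:-0}" -ne "${maj2:-0}" ]; then
        if [ "${maj1:-0}" -gt "${maj2:-0}" ]; then return 0; else return 1; fi
    fi
    if [ "${min1:-0}" -ge "${min2:-0}" ]; then return 0; fi
    return 1
}
```

Against a live binary the same pipeline is `gpg --with-colons --list-config | gpg_version_from_config`; on the constructed wrapper banner `gpg_version_from_banner` yields `Wrapper)` instead of a version, which is the failure mode the report describes.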


