Bug#1066875: devscripts: debsign tries to parse gpg version from human-readable output, should use machine-readable output
Hi Guillem--

On Sat 2024-04-27 23:13:13 +0200, Guillem Jover wrote:
> I was just modifying this code for another report I'm about to file,
> and instead wondered why have it at all! I'm proposing simply removing
> the backwards compat code given that even in oldstable gnupg1 is
> already at version 1.4.23. See attached patch.

Yes, that seems like an even better choice. The 1.4.x line of GnuPG is poorly supported these days, and doesn't handle modern cryptography (including the 25519 keys that are used by a lot of DDs these days).

Thanks for looking into this, Guillem!

--dkg
Bug#1066875: devscripts: debsign tries to parse gpg version from human-readable output, should use machine-readable output
Hi!

On Thu, 2024-03-14 at 14:55:36 -0400, Daniel Kahn Gillmor wrote:
> Package: devscripts
> Version: 2.23.7
> Tags: patch
>
> debsign currently tries to determine the version of gpg by parsing the
> human-readable output of `gpg --version`.

[…]

> The attached patch converts debsign to use the machine-parseable format,
> rather than the human-readable format.

I was just modifying this code for another report I'm about to file, and instead wondered why have it at all! I'm proposing simply removing the backwards compat code given that even in oldstable gnupg1 is already at version 1.4.23. See attached patch.

Thanks,
Guillem

From a9601103ca8deb4aeaaca04b8f42272ced6fde27 Mon Sep 17 00:00:00 2001
From: Guillem Jover
Date: Sat, 27 Apr 2024 23:06:39 +0200
Subject: [PATCH] debsign: Remove compatibility code for ancient GnuPG

The code is trying to handle GnuPG versions older than 1.4, where the oldest GnuPG version available in Debian via the gnupg1 package is 1.4.23 since oldstable. So there is not much point in trying to support even older versions.

Remove the code to simplify things.
---
 scripts/debsign.sh | 37 ++---
 1 file changed, 10 insertions(+), 27 deletions(-)

diff --git a/scripts/debsign.sh b/scripts/debsign.sh
index 15b0dfc2..2ddb8b11 100755
--- a/scripts/debsign.sh
+++ b/scripts/debsign.sh
@@ -170,33 +170,16 @@ signfile() { ASCII_SIGNED_FILE="${UNSIGNED_FILE}.asc" (cat "$file" ; echo "") > "$UNSIGNED_FILE" -gpgversion=$($signcommand --version | head -n 1 | cut -d' ' -f3) -gpgmajorversion=$(echo $gpgversion | cut -d. -f1) -gpgminorversion=$(echo $gpgversion | cut -d. -f2) - -if [ $gpgmajorversion -gt 1 -o $gpgminorversion -ge 4 ] -then - $signcommand --no-auto-check-trustdb \ - --local-user "$signas" --clearsign \ - --list-options no-show-policy-urls \ - --armor --textmode --output "$ASCII_SIGNED_FILE"\ - "$UNSIGNED_FILE" || \ - { SAVESTAT=$? - echo "$PROGNAME: $signcommand error occurred! Aborting" >&2 - stty $savestty 2>/dev/null || true - exit $SAVESTAT - } -else - $signcommand --local-user "$signas" --clearsign \ - --no-show-policy-url \ - --armor --textmode --output "$ASCII_SIGNED_FILE" \ - "$UNSIGNED_FILE" || \ - { SAVESTAT=$? - echo "$PROGNAME: $signcommand error occurred! Aborting" >&2 - stty $savestty 2>/dev/null || true - exit $SAVESTAT - } -fi +$signcommand --no-auto-check-trustdb \ + --local-user "$signas" --clearsign \ + --list-options no-show-policy-urls \ + --armor --textmode --output "$ASCII_SIGNED_FILE"\ + "$UNSIGNED_FILE" || \ +{ SAVESTAT=$? + echo "$PROGNAME: $signcommand error occurred! Aborting" >&2 + stty $savestty 2>/dev/null || true + exit $SAVESTAT +} stty $savestty 2>/dev/null || true echo PRECIOUS_FILES=$(($PRECIOUS_FILES + 1)) -- 2.43.0
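Review bot: the commit message should state the behaviour change this hunk makes for any gpg that still reports a version below 1.4: the removed else branch invoked such a gpg with `--no-show-policy-url` and without `--no-auto-check-trustdb` or `--list-options no-show-policy-urls`, whereas after this change every signer gets the options the old branch avoided, with no fallback. That is a reasonable trade given the 1.4.23 floor the message cites, but a reader of the log should not have to diff the diff to learn it. Separately, since the surviving command is being rewritten anyway, add the missing space before the continuation backslash in `--armor --textmode --output "$ASCII_SIGNED_FILE"\`, which is carried over verbatim from the removed branch.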
Bug#1066875: devscripts: debsign tries to parse gpg version from human-readable output, should use machine-readable output
Package: devscripts
Version: 2.23.7
Tags: patch

(this is also https://salsa.debian.org/debian/devscripts/-/merge_requests/394)

debsign currently tries to determine the version of gpg by parsing the human-readable output of `gpg --version`.

For use in scripts and other code, the GnuPG project prefers the use of machine-readable output, and has offered `--with-colons --list-config` for many versions (back at least to 1.3.5 according to /usr/share/doc/gnupg/DETAILS.gz). That form of invocation produces a lot of detail, including the actual version number:

cfg:version:2.2.40

This mode of output is what is used by libgpgme to determine the version of gpg, so it is likely to remain stable and parseable.

The attached patch converts debsign to use the machine-parseable format, rather than the human-readable format.

This issue came up when experimenting with sequoia-chameleon-gnupg, which produces a human-readable string that doesn't match what debsign was checking for (https://gitlab.com/sequoia-pgp/sequoia-chameleon-gnupg/-/issues/61). They're fixing that now in the chameleon upstream, but it seems like debsign should be using the more robust approach anyway.

Thanks for maintaining devscripts!

--dkg

From 6bed35a535962534883a5aa233cbbcbfc7b15624 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Thu, 14 Mar 2024 14:10:59 -0400
Subject: [PATCH] debsign: check gpg version with machine-parseable format

debsign currently tries to determine the version of gpg by parsing the human-readable output of `gpg --version`.

For use in scripts and other code, the GnuPG project prefers the use of machine-readable output, and has offered `--with-colons --list-config` for many versions (back at least to 1.3.5 according to /usr/share/doc/gnupg/DETAILS.gz). That form of invocation produces a lot of detail, including the actual version number:

cfg:version:2.2.40

This mode of output is what is used by libgpgme to determine the version of gpg, so it is likely to remain stable and parseable.

This change converts debsign to use the machine-parseable format, rather than the human-readable format.
---
 scripts/debsign.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/debsign.sh b/scripts/debsign.sh
index 15b0dfc2..cc4d31ab 100755
--- a/scripts/debsign.sh
+++ b/scripts/debsign.sh
@@ -170,7 +170,7 @@ signfile() {
 ASCII_SIGNED_FILE="${UNSIGNED_FILE}.asc"
 (cat "$file" ; echo "") > "$UNSIGNED_FILE"
-gpgversion=$($signcommand --version | head -n 1 | cut -d' ' -f3)
+gpgversion=$($signcommand --with-colons --list-config | awk -F: '/^cfg:version:/ { print $3; exit }')
 gpgmajorversion=$(echo $gpgversion | cut -d. -f1)
 gpgminorversion=$(echo $gpgversion | cut -d. -f2)
-- 
2.43.0
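Review bot: the new `gpgversion=` line still leaves the downstream test unguarded when the field is absent. If `$signcommand` emits no `cfg:version:` record (exactly the kind of stand-in binary that motivated this report), the awk prints nothing, `gpgmajorversion` and `gpgminorversion` come out empty, and the `[ $gpgmajorversion -gt 1 -o $gpgminorversion -ge 4 ]` test that consumes them (visible as removed context in the other patch on this bug) is evaluated with empty operands. Suggest failing early and loudly right after this line, e.g. `[ -n "$gpgversion" ] || { echo "$PROGNAME: cannot determine $signcommand version" >&2; exit 1; }`, so a misbehaving signer is reported rather than turned into a shell test error.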
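An added example, not devscripts or GnuPG code, of the parsing the report above describes: a POSIX sh snippet that extracts the version from `gpg --with-colons --list-config` output, compares it numerically against a minimum instead of splitting major and minor with `cut`, and treats a missing `cfg:version:` record as a hard error rather than an empty string. The sample outputs are constructed, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not devscripts or GnuPG code: parse the gpg version from the
# machine-readable `gpg --with-colons --list-config` output and compare it
# numerically against a minimum. Sample outputs are constructed; function
# names are this example's own.

# Constructed excerpt of `gpg --with-colons --list-config` output. A real run
# prints more cfg: records; only the cfg:version record matters here.
SAMPLE_CONFIG='cfg:group:
cfg:version:2.2.40
cfg:pubkey:1;16;17;18;19;22
cfg:cipher:1;2;3;4;7;8;9;10;11;12;13
cfg:curve:cv25519;ed25519;nistp256'

# Constructed output from a gpg stand-in that omits cfg:version entirely.
SAMPLE_NO_VERSION='cfg:group:
cfg:pubkey:1;16;17;18;19;22'

# gpg_config_version: read list-config output on stdin and print the value of
# the first cfg:version: record. Returns 1 (printing nothing) when the record
# is absent, so a caller cannot silently continue with an empty version.
gpg_config_version() {
    ver=$(awk -F: '/^cfg:version:/ { print $3; exit }')
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# version_ge A B: true when dotted version A >= B. Components are compared as
# integers, a missing component counts as 0 (so 2.4 equals 2.4.0), and text
# after the first character that is not a digit or dot (e.g. "-beta") is
# ignored.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# check_signer_version MIN: read list-config output on stdin; return 0 if the
# reported version is >= MIN, 1 if it is older, 2 if it cannot be determined.
check_signer_version() {
    min=$1
    ver=$(gpg_config_version) || return 2
    version_ge "$ver" "$min"
}

# Demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_CONFIG" | check_signer_version 1.4; then
    echo "sample config: version $(printf '%s\n' "$SAMPLE_CONFIG" | gpg_config_version) is >= 1.4"
fi
if ! printf '%s\n' "$SAMPLE_NO_VERSION" | check_signer_version 1.4; then
    echo "sample without cfg:version: version undetermined, refusing to guess"
fi
# Against an installed gpg (assumption: one is on PATH) the same check is:
#   gpg --with-colons --list-config | check_signer_version 1.4
```

The three-way exit status is the point: a signer whose version cannot be read is reported as status 2 and never compared, which is the case the `head | cut` parse of `gpg --version` silently got wrong for a non-GnuPG implementation.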