Package: dput-ng Version: 1.15 Severity: wishlist Tags: patch Instead of complaining about a missing signature, let’s pro-actively create one, just like dpkg-buildpackage.
-- System Information: Debian Release: buster/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386, armel, mipsel, arm64 Kernel: Linux 4.13.0-1-amd64 (SMP w/12 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages dput-ng depends on: ii python 2.7.13-2 ii python-dput 1.15 Versions of packages dput-ng recommends: ii bash-completion 1:2.1-4.3 ii python-paramiko 2.0.0-1 dput-ng suggests no packages. -- no debconf information
>From 711c5416497218acf43bd43ea4b8d45b998eb5f2 Mon Sep 17 00:00:00 2001 From: Michael Stapelberg <stapelb...@debian.org> Date: Tue, 31 Oct 2017 21:19:33 +0100 Subject: [PATCH 2/2] gpg: run debsign on unsigned changes files --- dput/changes.py | 10 +++++----- dput/exceptions.py | 5 ++++- dput/hooks/gpg.py | 53 +++++++++++++++++++++++++++++++++-------------------- 3 files changed, 42 insertions(+), 26 deletions(-) diff --git a/dput/changes.py b/dput/changes.py index a79315d..e2b1491 100644 --- a/dput/changes.py +++ b/dput/changes.py @@ -256,7 +256,6 @@ class Changes(object): # contains verbose human readable GPG information if self.is_python3: gpg_output_stderr = str(gpg_output_stderr, encoding='utf8') - print(gpg_output_stderr) if self.is_python3: gpg_output = gpg_output.decode(encoding='UTF-8') @@ -264,14 +263,15 @@ class Changes(object): if gpg_output.count('[GNUPG:] GOODSIG'): pass elif gpg_output.count('[GNUPG:] BADSIG'): - raise ChangesFileException("Bad signature") + raise ChangesFileException("Bad signature", gpg_output_stderr) elif gpg_output.count('[GNUPG:] ERRSIG'): - raise ChangesFileException("Error verifying signature") + raise ChangesFileException("Error verifying signature", + gpg_output_stderr) elif gpg_output.count('[GNUPG:] NODATA'): - raise ChangesFileException("No signature on") + raise ChangesFileException("No signature on", gpg_output_stderr) else: raise ChangesFileException( - "Unknown problem while verifying signature" + "Unknown problem while verifying signature", gpg_output_stderr ) key = None diff --git a/dput/exceptions.py b/dput/exceptions.py index 1817b7a..44d7651 100644 --- a/dput/exceptions.py +++ b/dput/exceptions.py 
@@ -64,7 +64,10 @@ class ChangesFileException(DputError): Thrown when there's an error processing / verifying a .changes file (most often via the :class:`dput.changes.Changes` object) """ - pass + + def __init__(self, message, gpg_stderr=None): + super(ChangesFileException, self).__init__(message) + self.gpg_stderr = gpg_stderr class DscFileException(DputError): diff --git a/dput/hooks/gpg.py b/dput/hooks/gpg.py index 71fddc5..7e277f6 100644 --- a/dput/hooks/gpg.py +++ b/dput/hooks/gpg.py @@ -18,6 +18,10 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA # 02110-1301, USA. +import os +import subprocess + +import dput.changes from dput.core import logger from dput.exceptions import (ChangesFileException, HookException) 
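Review bot: The new `gpg_stderr` attribute on `ChangesFileException` is undocumented; the class docstring still describes only when the exception is thrown. Add a line to that docstring such as `gpg_stderr: gpg's human-readable stderr output from the failed verification, or None when there is none.` The value is raw tool output, so callers that print or log it, as dput/hooks/gpg.py does in this patch, show it unfiltered. The class statement and the start of its docstring lie outside the hunk.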
@@ -65,25 +69,34 @@ def check_gpg_signature(changes, profile, interface): try: key = changes.validate_signature() - if 'allowed_keys' in gpg: - allowed_keys = gpg['allowed_keys'] - - found = False - for k in allowed_keys: - if k == key[-len(k):]: - logger.info("Key %s is trusted to upload to this host." % ( - k - )) - found = True - - if not found: - raise GPGCheckerError("Key %s is not in %s" % ( - key, - allowed_keys + except ChangesFileException as e: + # Sign unsigned files using debsign: + changes_file = changes.get_changes_file() + if subprocess.call(['debsign', changes_file]) == 0: + changes = dput.changes.parse_changes_file( + changes_file, + os.path.dirname(changes_file) + ) + try: + key = changes.validate_signature() + except ChangesFileException as e: + if e.gpg_stderr: + print e.gpg_stderr + raise e + + if 'allowed_keys' in gpg: + allowed_keys = gpg['allowed_keys'] + + found = False + for k in allowed_keys: + if k == key[-len(k):]: + logger.info("Key %s is trusted to upload to this host." % ( + k )) + found = True - except ChangesFileException as e: - raise GPGCheckerError( - "No valid signature on %s: %s" % (changes.get_filename(), - e) - ) + if not found: + raise GPGCheckerError("Key %s is not in %s" % ( + key, + allowed_keys + )) -- 2.14.2
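Review bot: The new `except ChangesFileException` handler runs `debsign` on every verification failure, not only on a missing signature: the checks in dput/changes.py raise the same exception type for BADSIG, ERRSIG and the unknown case, so a changes file whose existing signature fails to verify is handed to the signer instead of being rejected. Restrict the signing path to the no-signature case and keep rejecting the others with `GPGCheckerError`, as the removed handler did. When `debsign` fails or the second check fails, the handler re-raises `ChangesFileException` where callers previously got `GPGCheckerError`, and `print e.gpg_stderr` is Python 2 statement syntax in a code base that has `is_python3` branches. The sketch below matches on the exception message, which assumes `str(e)` returns the message passed to the constructor; a dedicated status attribute on the exception would be sturdier. Line breaks and indentation are lost in this rendering, so the nesting of the second `try` is inferred, and the function body starts outside the hunk.

```python
    except ChangesFileException as e:
        # Only a file without any signature is signed here; a bad or
        # unverifiable signature is still rejected.
        if str(e) != "No signature on":
            if e.gpg_stderr:
                print(e.gpg_stderr)
            raise GPGCheckerError(
                "No valid signature on %s: %s" % (changes.get_filename(), e)
            )
        changes_file = changes.get_changes_file()
        if subprocess.call(['debsign', changes_file]) != 0:
            raise GPGCheckerError("debsign failed for %s" % changes_file)
        changes = dput.changes.parse_changes_file(
            changes_file,
            os.path.dirname(changes_file)
        )
        try:
            key = changes.validate_signature()
        except ChangesFileException as e:
            if e.gpg_stderr:
                print(e.gpg_stderr)
            raise GPGCheckerError(
                "No valid signature on %s: %s" % (changes.get_filename(), e)
            )

    # … unchanged: allowed_keys check …
```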