Hi,

sorry for not answering earlier.

On Thu, Nov 07, 2019 at 12:51:26PM +0100, Agustin Martin wrote:
> > On Mon, Jul 22, 2019 at 05:48:13PM +0100, James Clarke wrote:
> > > On 22 Jul 2019, at 17:16, Agustin Martin <[email protected]> wrote:
> > > > However, when using pdebuild --auto-debsign to sign files, only .changes
> > > > file is signed, but not its _source.changes counterpart, which is the file
> > > > I would have to upload. This results in pbuilder not creating properly
> > > > uploadable packages once source-only uploads are mandatory for bullseye.
> > > > This is why I use severity "important".
> 
> I am attaching a minimal patch that just reverses check ordering, trying
> source.changes first and arch.changes later. I have been also playing
> with changes caring about SOURCE_ONLY_CHANGES, but they need more
> elaboration.

Personally, I think we should just sign them both.
I tend to agree with James in that I don't consider having pdebuild
automatically sign to be necessarily good practice, but I guess it works in
some cases.  With that, signing both would both not break whoever is
using this in some kind of automatic build system (I can imagine
somebody running pdebuild and then automatically dput somewhere with
binaries).  And, one extra signature shouldn't bother anybody.

I'm using undocumented (yay…) options of debsign to prevent messages
about files already signed (the .dsc and .buildinfo in our case).

Could you please see the following untested patch and share your
opinions?

--- a/pdebuild
+++ b/pdebuild
@@ -110,15 +110,20 @@ fi
 # do signing with optional key specifier
 if [ "${AUTO_DEBSIGN}" = "yes" ]; then
     unset DEBSIGN_PARAM || true
+    declare -a DEBSIGN_PARAM
     if [ -n "${DEBSIGN_KEYID}" ]; then
-        DEBSIGN_PARAM[1]="-k${DEBSIGN_KEYID}"
+        DEBSIGN_PARAM[${#DEBSIGN_PARAM[@]}]="-k${DEBSIGN_KEYID}"
     fi
-    if [ -f "${BUILDRESULT}/${CHANGES}" ]; then
-        DEBSIGN_PARAM[2]="${BUILDRESULT}/${CHANGES}"
-    elif [ -f "${BUILDRESULT}/${SOURCE_CHANGES}" ]; then
-        DEBSIGN_PARAM[2]="${BUILDRESULT}/${SOURCE_CHANGES}"
-    else
-        log.e "the .changes file can't be found, debsign not done"
+    DEBSIGN_PARAM[${#DEBSIGN_PARAM[@]}]="--no-re-sign"
+    DEBSIGN_PARAM[${#DEBSIGN_PARAM[@]}]="--"
+    for file in "$BUILDRESULT/$CHANGES" "$BUILDRESULT/$SOURCE_CHANGES"; do
+        if [ -f "$file" ]; then
+            DEBSIGN_PARAM[${#DEBSIGN_PARAM[@]}]="$file"
+            found=yes
+        fi
+    done
+    if [ -z "${found:-}" ]; then
+        log.e "No .changes file(s) can't be found, debsign not done."
         exit 1
     fi
     debsign "${DEBSIGN_PARAM[@]}"
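
Review bot: found is tested with [ -z "${found:-}" ] after the loop but is never cleared before it, so a value already set earlier in the script or inherited from the environment skips the error path and debsign is then called with no file arguments after the "--". Add found= just before the for loop, or record the array length before the loop and compare it afterwards. The new log.e text "No .changes file(s) can't be found" is a double negative; "No .changes file found, debsign not done." says what is meant. Since --no-re-sign is what keeps the already-signed files from being signed again, a one-line comment above that assignment would help whoever maintains this later.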


-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
More about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
