Package: devscripts
Version: 2.20.4
Severity: normal
According to Debian Bullseye manpage "debsign" should handle the
"DEBSIGN_PROGRAM" environment variable as follows:
DEBSIGN_PROGRAM
Setting this is equivalent to giving a -p option.
The "-p" should replace the gpg program:
-pprogname
When debsign needs to execute GPG to sign it will run progname
(searching the PATH if necessary), instead of gpg.
When invoking
21086 execve("/usr/bin/debsign", ["debsign",
"guerillabackup_0.0.2-1_amd64.changes"], ["LC_CTYPE=C.UTF-8", "TERM=screen",
"DEBSIGN_PROGRAM=/usr/bin/gpg-alt", ... ]) = 0
It will truncate the environment variable when invoking other binaries:
21090 execve("/usr/bin/egrep", ["egrep", "^(DEBSIGN|DEBRELEASE|DEVSCRIPTS)_"],
["DEBSIGN_PROGRAM=", "DEB_BUILD_GNU_TYPE=x86_64-linux-gnu", ...
debsign will then fork twice:
21086 clone(child_stack=NULL,
flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0x7f2b53791850) = 21120
21120 clone(child_stack=NULL,
flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0x7f2b53791850) = 21121
before calling the wrong gpg executable to get version and later on
for signing:
21121 execve("/usr/bin/gpg", ["gpg", "--version"],
["DEB_HOST_GNU_SYSTEM=linux-gnu", "DEB_BUILD_ARCH_BITS=64", ...
"DEBSIGN_PROGRAM=", "DEB_BUILD_GNU_TYPE=x86_64-linux-gnu", ...]) = 0
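As an added illustration (not debsign's own code, and not the fix for this report), the script below models the precedence the manpage quoted above documents: a -p value wins over DEBSIGN_PROGRAM from the environment, which wins over a devscripts-style config file, which wins over the built-in default gpg. It captures the inherited environment value before any default is applied, which is the ordering that keeps a child process from seeing DEBSIGN_PROGRAM="" as in the strace output above. The names resolve_signer, with_constructed_conf and the config path /usr/local/bin/conf-gpg are assumptions made for the example; the report does not state why debsign 2.20.4 drops the variable.

```shell
#!/bin/sh
# Added example, not code from devscripts/debsign. Models the documented
# precedence: -p option > DEBSIGN_PROGRAM in the environment > config file
# > default "gpg". Assumption: the real cause of the bug in 2.20.4 is not
# given in the report; the "capture before defaults" ordering shown here is
# an illustration of the general pitfall, not the upstream fix.

# resolve_signer OPT_PROG CONF_FILE
#   OPT_PROG  value given with -p, or empty if the option was not used
#   CONF_FILE path to a shell-style config file (may be missing)
# Prints the program name that would be executed for signing.
# The body is a subshell so the caller's variables are never modified.
resolve_signer() (
    opt_prog="$1"
    conf="$2"
    # Capture the inherited environment value BEFORE applying defaults.
    # Assigning the default first and consulting the variable afterwards is
    # the kind of ordering that leaves children seeing DEBSIGN_PROGRAM="".
    env_prog="${DEBSIGN_PROGRAM:-}"
    DEBSIGN_PROGRAM=gpg                          # built-in default
    if [ -r "$conf" ]; then . "$conf"; fi        # config file overrides default
    if [ -n "$env_prog" ]; then DEBSIGN_PROGRAM="$env_prog"; fi   # env wins
    if [ -n "$opt_prog" ]; then DEBSIGN_PROGRAM="$opt_prog"; fi   # -p wins
    printf '%s\n' "$DEBSIGN_PROGRAM"
)

# with_constructed_conf OPT_PROG
# Writes a constructed config file that names /usr/local/bin/conf-gpg
# (hypothetical path) as the signer, resolves against it, then removes it.
# Shows that an environment value still takes precedence over the file.
with_constructed_conf() {
    tmp=$(mktemp) || return 1
    printf 'DEBSIGN_PROGRAM=/usr/local/bin/conf-gpg\n' > "$tmp"
    resolve_signer "$1" "$tmp"
    rm -f "$tmp"
}

# Usage (from a shell where this file has been sourced):
#   DEBSIGN_PROGRAM=/usr/bin/gpg-alt resolve_signer "" /nonexistent/conf
#   -> /usr/bin/gpg-alt
#   resolve_signer /opt/bin/sq /nonexistent/conf   -> /opt/bin/sq
```

To confirm what a real debsign run actually executes, the same strace invocation used in the report (strace -f -e trace=execve) is the check to rely on: the argv of the final execve and the DEBSIGN_PROGRAM entry in its environment list should both name the configured program.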