Hi, I got a bit further on this bug.
The problem is that when you combine --source-only-changes with --keyid, then
debsign will be run twice (once for the normal changes file and once for the
source-only changes file) and both times with --re-sign. This means that the
second invocation will possibly also change the signature of files that were
already processed by the first invocation, and this means that the checksum of
the first changes file doesn't match anymore.
To fix the problem, one might suggest to just run the second invocation of
debsign with --no-re-sign so that everything that is already signed does not
get changed and only those things that don't have a signature get signed.
But this triggers a bug in debsign where the dsc will not even be considered
for signing if the buildinfo was already signed. Consider this code from
debsign:
    maybesign_buildinfo() {
    [...]
        if check_already_signed "$buildinfo" "buildinfo"; then
            echo "Leaving current signature unchanged." >&2
            return
        fi
        if [ -n "$dsc" ]; then
            maybesign_dsc "$signas" "$remotehost" "$dsc"
            withtempfile buildinfo "$buildinfo" fixup_buildinfo "$dsc"
        fi
    [...]
As you can see, the function will return immediately without checking the dsc
if the buildinfo is already signed.
This code was introduced in devscripts back in 2017, so you can see that I was
correct when I said that the sbuild codepath of combining --source-only-changes
with --keyid is indeed seldom used.
I reported this as devscripts bug #981021 but I suggest that you have a look
into it or I fear that the chances of $somebody doing the work for us are slim.
Thanks!
cheers, josch
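A small runnable model of the early return described above, added here as an illustration and not code from devscripts or sbuild: fake_sign stands in for gpg clearsigning, check_already_signed mirrors debsign's look for the clearsign header, and the fixed_ variant is one assumed reordering, not the fix actually applied for #981021.

```shell
#!/bin/sh
# Added illustration, not devscripts code: a minimal model of the
# early return in maybesign_buildinfo and one possible reordering.
SIG_HEADER='-----BEGIN PGP SIGNED MESSAGE-----'

check_already_signed() {  # $1 = file; true if it carries a clearsign header
    head -n 1 "$1" | grep -qF -- "$SIG_HEADER"
}

fake_sign() {             # $1 = file; stand-in for gpg --clearsign
    printf '%s\n' "$SIG_HEADER" | cat - "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

maybesign_dsc() {         # $1 = dsc; sign only if not yet signed (--no-re-sign)
    check_already_signed "$1" && return 0
    fake_sign "$1"
}

# Control flow as quoted in the report: a signed buildinfo returns before the
# dsc is ever looked at.
buggy_maybesign_buildinfo() {  # $1 = buildinfo, $2 = dsc (may be empty)
    if check_already_signed "$1"; then
        return 0
    fi
    [ -n "$2" ] && maybesign_dsc "$2"
    fake_sign "$1"
}

# Assumed reordering: decide about the dsc before consulting the buildinfo.
# Real debsign also rewrites the buildinfo's dsc checksums (fixup_buildinfo)
# after signing the dsc; that step is omitted from this model.
fixed_maybesign_buildinfo() {
    [ -n "$2" ] && maybesign_dsc "$2"
    check_already_signed "$1" && return 0
    fake_sign "$1"
}

# Scenario from the report: buildinfo signed by the first debsign run, dsc not.
# Prints "signed" or "unsigned" for the dsc after running the given variant.
run_scenario() {          # $1 = name of the maybesign_buildinfo variant
    dir=$(mktemp -d)
    printf 'Format: 1.0\n' > "$dir/pkg.buildinfo"       # constructed sample
    printf 'Format: 3.0 (quilt)\n' > "$dir/pkg.dsc"     # constructed sample
    fake_sign "$dir/pkg.buildinfo"
    "$1" "$dir/pkg.buildinfo" "$dir/pkg.dsc"
    if check_already_signed "$dir/pkg.dsc"; then echo signed; else echo unsigned; fi
    rm -rf "$dir"
}
```

Running run_scenario with each variant shows the dsc left unsigned by the quoted flow and signed by the reordered one.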