* Johannes Schauer Marin Rodrigues: "Re: Bug#977674: Corrupt changes file when built with --source-only-changes" (Mon, 25 Jan 2021 17:45:29 +0100):
Hi Josh,

> I got a bit further on this bug.

Big thanks for taking a look.

> The problem is, that when you combine --source-only-changes with --keyid, then
> debsign will be run twice (once for the normal changes file and once for the
> source-only changes file) and both times with --re-sign. This means, that the
> second invocation will possibly also change the signature of files that were
> already processed by the first invocation and this means that the checksum of
> the first changes file doesn't match anymore.

That sounds exactly like the problem I have.

> To fix the problem, one might suggest to just run the second invocation of
> debsign with --no-re-sign so that everything that is already signed does not
> get changed and only those things that don't have a signature get signed.
>
> But this triggers a bug in debsign where the dsc will not even be considered
> for signing if the buildinfo was already signed. Consider this code from
> debsign:
>
>     maybesign_buildinfo() {
>     [...]
>         if check_already_signed "$buildinfo" "buildinfo"; then
>             echo "Leaving current signature unchanged." >&2
>             return
>         fi
>
>         if [ -n "$dsc" ]; then
>             maybesign_dsc "$signas" "$remotehost" "$dsc"
>             withtempfile buildinfo "$buildinfo" fixup_buildinfo "$dsc"
>         fi
>     [...]
>
> As you can see, the function will return immediately without checking the dsc
> if the buildinfo is already signed.
>
> This code was introduced in devscripts back in 2017, so you can see that I was
> correct when I said that the sbuild codepath of combining
> --source-only-changes with --keyid is indeed seldom used.

Yes, the real use case appeared with mandatory source only uploads. On one side
I need the source only changes for uploads to ftp.debian.org, on the other side
I need binaries with according changes files suitable for testing and upload to
the backports reprepro.

> I reported this as devscripts bug #981021 but I suggest that you have a look
> into it or I fear that the chances of $somebody doing the work for us are
> slim.

Will have a look ASAP.

> Thanks!

Thanks to you!

Cheers
Mathias

--

    Mathias Behrle
    PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6
    AC29 7E5C 46B9 D0B6 1C71 7681 D6D0 9BE4 8405 BBF6
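
The checksum mismatch discussed in the message above can be detected before upload by re-checking every file listed in a changes file against its recorded SHA-256 and size. The following is an added example, not part of the mail and not code from sbuild or devscripts; the `hello_1.0-1` file names and the `SIGNATURE` line standing in for a real OpenPGP signature are constructed assumptions.

```python
import hashlib
import os
import tempfile

def sha256_entries(changes_text):
    """Parse (digest, size, filename) triples from the Checksums-Sha256 field."""
    entries, in_field = [], False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith(" ") and line.strip():
            digest, size, name = line.split()
            entries.append((digest, int(size), name))
        elif in_field:
            break  # next field, blank line or signature block ends the list
    return entries

def verify_changes(changes_path):
    """Map each listed file to 'ok', 'missing' or 'mismatch'."""
    base = os.path.dirname(os.path.abspath(changes_path))
    with open(changes_path, encoding="utf-8") as fh:
        entries = sha256_entries(fh.read())
    status = {}
    for digest, size, name in entries:
        # basename() keeps a crafted entry from pointing outside the directory
        path = os.path.join(base, os.path.basename(name))
        if not os.path.isfile(path):
            status[name] = "missing"
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        same = len(data) == size and hashlib.sha256(data).hexdigest() == digest
        status[name] = "ok" if same else "mismatch"
    return status

def demo():
    """Constructed data: record a .dsc in a .changes, then 're-sign' the .dsc."""
    with tempfile.TemporaryDirectory() as d:
        dsc = os.path.join(d, "hello_1.0-1.dsc")
        changes = os.path.join(d, "hello_1.0-1_amd64.changes")
        def put(path, text):  # write a constructed file, return its bytes
            with open(path, "wb") as fh:
                fh.write(text.encode("utf-8"))
            return text.encode("utf-8")
        data = put(dsc, "Source: hello\nSIGNATURE first-run\n")
        put(changes, "Source: hello\nChecksums-Sha256:\n %s %d hello_1.0-1.dsc\n"
            % (hashlib.sha256(data).hexdigest(), len(data)))
        before = verify_changes(changes)
        put(dsc, "Source: hello\nSIGNATURE second-run\n")  # second --re-sign pass
        return before, verify_changes(changes)
```

`demo()` returns the verification result before and after the simulated second signing pass; `verify_changes()` can be pointed at a real changes file in a build directory.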