* Johannes Schauer Marin Rodrigues: "Re: Bug#977674: Corrupt changes file when
  built with --source-only-changes" (Mon, 25 Jan 2021 17:45:29 +0100):

Hi Josh,

> I got a bit further on this bug.

Big thanks for taking a look.
 
> The problem is, that when you combine --source-only-changes with --keyid, then
> debsign will be run twice (once for the normal changes file and once for the
> source-only changes file) and both times with --re-sign.  This means, that the
> second invocation will possibly also change the signature of files that were
> already processed by the first invocation and this means that the checksum of
> the first changes file doesn't match anymore.

That sounds exactly like the problem I have.
 
> To fix the problem, one might suggest to just run the second invocation of
> debsign with --no-re-sign so that everything that is already signed does not
> get changed and only those things that don't have a signature get signed.
> 
> But this triggers a bug in debsign where the dsc will not even be considered
> for signing if the buildinfo was already signed. Consider this code from
> debsign:
> 
> maybesign_buildinfo() {
> [...]
>     if check_already_signed "$buildinfo" "buildinfo"; then
>         echo "Leaving current signature unchanged." >&2
>         return
>     fi
> 
>     if [ -n "$dsc" ]; then
>         maybesign_dsc "$signas" "$remotehost" "$dsc"
>         withtempfile buildinfo "$buildinfo" fixup_buildinfo "$dsc"
>     fi
> [...]
> 
> As you can see, the function will return immediately without checking the dsc
> if the buildinfo is already signed.
> 
> This code was introduced in devscripts back in 2017, so you can see that I was
> correct when I said that the sbuild codepath of combining
> --source-only-changes with --keyid is indeed seldom used.

Yes, the real use case appeared with mandatory source only uploads.

On one side I need the source only changes for uploads to ftp.debian.org, on
the other side I need binaries with according changes files suitable for testing
and upload to the backports reprepro.
 
> I reported this as devscripts bug #981021 but I suggest that you have a look
> into it or I fear that the chances of $somebody doing the work for us are
> slim.

Will have a look ASAP.
 
> Thanks!

Thanks to you!

Cheers
Mathias



-- 

    Mathias Behrle
    PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6
    AC29 7E5C 46B9 D0B6 1C71  7681 D6D0 9BE4 8405 BBF6
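
Added example, not part of the original message and not code from sbuild or devscripts: a check that detects the mismatch described in the thread, where a file listed in a changes file is signed again after its checksum was recorded. The file names, the placeholder signature text and the helper names (`parse_sha256_entries`, `verify_changes`, `demo`) are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def parse_sha256_entries(changes_text):
    """Return [(sha256, size, filename)] from the Checksums-Sha256 field."""
    entries, in_field = [], False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith(" ") and line.strip():
            digest, size, name = line.split()
            entries.append((digest, int(size), name))
        elif in_field:
            break  # next field, blank line or PGP armor ends the list
    return entries


def verify_changes(changes_path):
    """Return names of listed files whose size or SHA-256 no longer match."""
    changes_path = Path(changes_path)
    bad = []
    for digest, size, name in parse_sha256_entries(changes_path.read_text()):
        data = (changes_path.parent / name).read_bytes()
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            bad.append(name)
    return bad


def demo():
    """Constructed scenario: a .dsc is signed again after a .changes recorded it."""
    with tempfile.TemporaryDirectory() as tmp:
        dsc = Path(tmp) / "hello_1.0-1.dsc"  # constructed file names
        changes = Path(tmp) / "hello_1.0-1_amd64.changes"
        body = b"Format: 3.0 (quilt)\nSource: hello\n"
        first = body + b"placeholder signature, first signing run\n"
        dsc.write_bytes(first)
        changes.write_text(
            "Source: hello\nChecksums-Sha256:\n %s %d %s\n"
            % (hashlib.sha256(first).hexdigest(), len(first), dsc.name)
        )
        before = verify_changes(changes)
        # Stand-in for a second signing run that replaces the signature.
        dsc.write_bytes(body + b"placeholder signature, second signing run\n")
        after = verify_changes(changes)
    return before, after


if __name__ == "__main__":
    print(demo())
```
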
