On Mon, Jul 14, 2025 at 09:52:41AM +0200, Uwe Kleine-König wrote:
> Package: devscripts
> Version: 2.25.15
> Severity: serious
> File: /usr/bin/uscan
> X-Debbugs-Cc: [email protected], [email protected]
> 
> Hello,
> 
> the linux-kernel packages suffer from upstream still relying on SHA-1 in
> their OpenPGP keys. This makes uscan fail to provide the orig.tar.xz
> (as expected) when sopv is used to verify the download:
> 
> uwe@taurus:~/debpkg/linux$ uscan --download-current-version
> uscan warn: Using stable remote origin
> Newest version of linux on remote site is 6.16~rc5, specified download
> version is 6.16~rc5
> No acceptable signatures found
> uscan: error: sopv verify /tmp/tmp.YLvUuQ1SxZ/sig
> debian/upstream/signing-key.asc subprocess returned exit status 3
> 
> However uscan keeps ../linux-6.16~rc5.tar.xz after that which makes the
> next uscan run succeed even though the signature check didn't pass:
> 
> uwe@taurus:~/debpkg/linux$ uscan --download-current-version
> uscan warn: Using stable remote origin
> Newest version of linux on remote site is 6.16~rc5, specified download
> version is 6.16~rc5
> uscan warn: File already downloaded, skipping OpenPGP verification
> Successfully repacked ../linux-6.16~rc5.tar.xz as
> ../linux_6.16~rc5.orig.tar.xz, deleting 28 files from it.
> 
> Without `--skip-signature` this must not happen and the warning isn't
> enough.
> 
> The obvious fixes would be to either put linux-6.16~rc5.tar.xz into a
> tmpfile only (i.e. under a different name) until signature verification
> passed; or to not skip the verification in the 2nd run.
My perl foo isn't enough to implement the first suggestion (which IMHO
is superior), untested patch for the second:
diff --git a/lib/Devscripts/Uscan/WatchSource.pm
b/lib/Devscripts/Uscan/WatchSource.pm
index 382d3a0b122f..974589c1973d 100644
--- a/lib/Devscripts/Uscan/WatchSource.pm
+++ b/lib/Devscripts/Uscan/WatchSource.pm
@@ -1128,7 +1128,6 @@ our %already_downloaded;
sub download_file_and_sig {
my ($self) = @_;
uscan_debug "line: download_file_and_sig()";
- my $skip_git_vrfy;
# If we're not downloading or performing signature verification, we can
# stop here
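Review bot: dropping the `my $skip_git_vrfy;` declaration is only safe if the assignment removed in the second hunk and the read removed in the third hunk were the variable's only uses; under `use strict` any remaining reference would fail at compile time, so since the cover note says the patch is untested, at least a syntax check such as `perl -Ilib -c lib/Devscripts/Uscan/WatchSource.pm` (or the devscripts test suite) should be run before this is applied.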
@@ -1180,7 +1179,6 @@ sub download_file_and_sig {
$download_available = 1;
dehs_verbose
"Not downloading, using existing file: $self->{newfile_base}\n";
- $skip_git_vrfy = 1;
} elsif ($self->shared->{download} > 0) {
uscan_verbose "Downloading upstream package: $upstream_base";
$download_available = $self->downloader->download(
@@ -1442,10 +1440,7 @@ sub download_file_and_sig {
} elsif ($self->pgpmode eq 'auto') {
uscan_verbose "Don't check OpenPGP signature";
} elsif ($self->pgpmode eq 'gittag') {
- if ($skip_git_vrfy) {
- uscan_warn
- "File already downloaded, skipping OpenPGP verification";
- } elsif (!$self->keyring) {
+ if (!$self->keyring) {
uscan_warn "No keyring file, skipping OpenPGP verification";
return $self->status(1);
} else {
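Review bot: the no-keyring branch is now reached for an already-downloaded file as well, and it still warns "skipping OpenPGP verification" while returning `$self->status(1)`; the message and the return value should agree, and since the follow-up below asks whether a missing keyring should fail outright, that decision belongs in this hunk rather than being left implicit in the warning text. Either way, the removed "File already downloaded, skipping OpenPGP verification" warning was the only user-visible hint that an unverified file was being reused, so the changelog entry should state that a second `uscan` run now verifies (or refuses) the existing tarball instead of skipping the check.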
Seeing that code snippet, I wonder if failing would also be the saner
option if no keyring is available.
Best regards
Uwe
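The first fix proposed in the report (keep the download under a temporary name and give it its final name only after the signature verifies), as an added example in Python that is not uscan's Perl nor any devscripts code. The `sign_stand_in`/`verify_stand_in` pair is a constructed HMAC-based stand-in for OpenPGP signature checking so that the example runs offline; the tarball bytes, the key and the scratch directories are constructed too. The `run_uscan_like` helper then mimics two consecutive runs against the same directory, which is the scenario the report describes.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import tempfile
from pathlib import Path
from typing import Callable

# Constructed stand-in for OpenPGP verification: an HMAC-SHA256 tag over the
# tarball under a shared key. Not OpenPGP; it only gives the example a verify
# step that deterministically passes or fails offline.
_UPSTREAM_KEY = b"constructed-upstream-key"


def sign_stand_in(data: bytes, key: bytes = _UPSTREAM_KEY) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_stand_in(data: bytes, sig: bytes, key: bytes = _UPSTREAM_KEY) -> bool:
    return hmac.compare_digest(sign_stand_in(data, key), sig)


class VerificationError(Exception):
    """The downloaded file carried no acceptable signature."""


def fetch_and_verify(
    dest: Path,
    fetch: Callable[[], tuple[bytes, bytes]],
    verify: Callable[[bytes, bytes], bool],
) -> Path:
    """Fetch (data, sig), store data under a temporary name beside dest,
    verify it, and only then rename it to dest.

    Because the final name is created by os.replace() after verify() succeeded,
    a file found under dest by a later run is known to have been verified, and
    a failed run leaves nothing a later run could mistake for a good download.
    """
    dest = Path(dest)
    dest.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp_name = tempfile.mkstemp(prefix=f".{dest.name}.", suffix=".part", dir=dest.parent)
    tmp = Path(tmp_name)
    try:
        with os.fdopen(fd, "wb") as fh:
            data, sig = fetch()
            fh.write(data)
        if not verify(data, sig):
            raise VerificationError(f"No acceptable signatures found for {dest.name}")
        os.replace(tmp, dest)  # atomic rename on the same filesystem
    except BaseException:
        tmp.unlink(missing_ok=True)  # never leave the unverified .part behind
        raise
    return dest


def run_uscan_like(workdir: Path, name: str, fetch, verify, runs: int = 2) -> list[str]:
    """Mimic repeated uscan invocations against one directory and report each one."""
    log: list[str] = []
    dest = Path(workdir) / name
    for i in range(1, runs + 1):
        if dest.exists():
            # Present only if an earlier run verified it, so reuse is safe here;
            # re-running verify() on it would be the report's second fix.
            log.append(f"run {i}: reusing verified {name}")
            continue
        try:
            fetch_and_verify(dest, fetch, verify)
            log.append(f"run {i}: downloaded and verified {name}")
        except VerificationError as exc:
            log.append(f"run {i}: {exc}")
    return log


def demo() -> dict:
    """Good and bad signature cases, each in its own scratch directory (constructed input)."""
    name = "linux-6.16~rc5.tar.xz"
    tarball = b"constructed tarball bytes standing in for " + name.encode()
    good_sig = sign_stand_in(tarball)
    bad_sig = sign_stand_in(tarball, key=b"constructed-wrong-key")  # fails verification
    work = Path(tempfile.mkdtemp(prefix="uscan-demo-"))
    bad_dir, good_dir = work / "bad", work / "good"
    bad_log = run_uscan_like(bad_dir, name, lambda: (tarball, bad_sig), verify_stand_in)
    good_log = run_uscan_like(good_dir, name, lambda: (tarball, good_sig), verify_stand_in)
    return {
        "bad_log": bad_log,
        "bad_leftovers": sorted(p.name for p in bad_dir.iterdir()),
        "good_log": good_log,
        "good_leftovers": sorted(p.name for p in good_dir.iterdir()),
        "good_content_ok": (good_dir / name).read_bytes() == tarball,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the temporary name is that the existence of `linux-6.16~rc5.tar.xz` becomes evidence of a passed check rather than merely of a completed download: in the bad-signature case the second run fetches and fails again instead of finding a leftover and skipping, and the directory holds no `.part` file afterwards. Dropping the "already downloaded" shortcut (the report's second option) is compatible with this and costs one extra verification per run.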