Your message dated Tue, 07 Jul 2020 06:33:49 +0000
with message-id <[email protected]>
and subject line Bug#964017: fixed in dpkg 1.20.4
has caused the Debian Bug report #964017,
regarding Dpkg::Source::Package:new require_valid_signature => 0
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
964017: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964017
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:dpkg
Version: 1.20.2
User: [email protected]
Usertags: breaks
Affects: dgit
Hi. My grep-excuses says:
> autopkgtest regression
> in dgit (9.11) on amd64
> due to dpkg (1.19.7 to 1.20.2)
> test info
> REGRESSION
> https://ci.debian.net/data/autopkgtest/testing/amd64/d/dgit/6073505/log.gz
> https://ci.debian.net/packages/d/dgit/testing/amd64
> null
> https://ci.debian.net/api/v1/retry/6073505
The relevant part of the log says:
+ dgit --dgit=dgit --dget:-u
--dput:--config=/tmp/autopkgtest-lxc.8prm8y9v/downtmp/autopkgtest_tmp/dput.cf
--config-lookup-explode=dgit-distro.debian.alias-canon -dtest-dummy -D
-kBCD22CD83243B79D3DFAC33EA3DBCBC039B13D8A import-dsc
../mirror/pool/main/example_1.2.dsc t.1.2
| git rev-parse --show-toplevel
=> `/tmp/autopkgtest-lxc.8prm8y9v/downtmp/autopkgtest_tmp/example'
| git config -z --get-regexp --local '.*'
| git config -z --get-regexp --local '.*'
| git config -z --get-regexp --global '.*'
| git config -z --get-regexp --system '.*'
| git check-ref-format --normalize refs/heads/t.1.2
=> `refs/heads/t.1.2'
| git symbolic-ref -q HEAD
=> `refs/heads/master'
| git for-each-ref '--format=%(objectname)' '[r]efs/heads/t.1.2'
=> `'
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource
'/tmp/autopkgtest-lxc.8prm8y9v/downtmp/autopkgtest_tmp/gnupg/trustedkeys.kbx':
General error
gpgv: Signature made Sun Jun 28 07:40:07 2020 UTC
gpgv: using RSA key BCD22CD83243B79D3DFAC33EA3DBCBC039B13D8A
gpgv: Can't check signature: No public key
dgit: error: failed to verify signature on ../mirror/pool/main/example_1.2.dsc
+ rc=255
+ set +x
%%%%%%%%%%%%%%%%%%%% EXITING 255 %%%%%%%%%%%%%%%%%%%%
Most relevant logs are just before assignment rc=255
Will now do cleanup etc.
The string "failed to verify signature" is not generated by code in
dgit. Looking at the code in dgit, I think the error happens here:
    my $dp = new Dpkg::Source::Package filename => $dscfn,
                require_valid_signature => $needsig;
    {
        local $SIG{__WARN__} = sub {
            print STDERR $_[0];
            return unless $needsig;
            fail __ "import-dsc signature check failed";
        };
        if (!$dp->is_signed()) {
            warn f_ "%s: warning: importing unsigned .dsc\n", $us;
        } else {
            my $r = $dp->check_signature();
            confess "->check_signature => $r" if $needsig && $r;
        }
    }
I think this rather complex code is trying to deal with API
compatibility issues surrounding require_valid_signature etc. Anyway,
I think the message is generated by the call to
Dpkg::Source::Package::new. I think that function inserted $0 into
the error message.
I don't know why it is verifying the signature. I think in this
particular test $needsig is 0. I searched the code for the variable
and the only place dgit sets it trueish is if dgit import-dsc is
told --require-valid-signature.
So I don't know what a "trustedkeys.kbx" file is or why I need one
now. (dgit's test suite naturally has a set of test keys, so it has
its own idea of the public keys to use for signature verifications.
But this test case should not involve any of that.)
FYI this is currently preventing the migration of the new dpkg.
From the above it seems to me that that migration block is correct
because src:dpkg has a regression here.
Thanks,
Ian.
--
Ian Jackson <[email protected]> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
--- End Message ---
--- Begin Message ---
Source: dpkg
Source-Version: 1.20.4
Done: Guillem Jover <[email protected]>
We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated dpkg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 07 Jul 2020 07:57:48 +0200
Source: dpkg
Architecture: source
Version: 1.20.4
Distribution: unstable
Urgency: medium
Maintainer: Dpkg Developers <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Closes: 870383 964017 964111 964234
Changes:
 dpkg (1.20.4) unstable; urgency=medium
 .
   [ Guillem Jover ]
   * Improve PIE flags support:
     - Prefix the specs file spec string self_spec with + instead of *.
       This way we do not override any previous setting, otherwise when
       passing the -specs options twice (f.ex. to compile and link), only the
       last one will take effect, which can break the build. Closes: #870383
   * Perl modules:
     - Dpkg::Source::Package: Explicitly initialize constructor options to
       their implicit values, otherwise other code ends up assuming different
       defaults. Closes: #964017
     - Dpkg::OpenPGP: Use a temporary directory for the GnuPG homedir in
       verify_signature(), to make sure we do not write to the user home
       directory, except for the trustkeys.db file if present.
     - Dpkg::Path: Refactor new check_directory_traversal() function out of
       Dpkg::Source::Package->extract().
     - Dpkg::Path: Do not do partial matches for directory traversal checks,
       expect a trailing slash after the base directory name.
     - Dpkg::Path: Catch uncanonicalizable pathnames with a proper error.
       Closes: #964111
     - Dpkg::Path: Do not consider missing symlink targets a directory
       traversal attempt. Closes: #964234
     - Dpkg::Path: Allow /dev/null for directory traversals.
       Reported by Holger Levsen <[email protected]>.
   * Build system:
     - Add Module::Signature as configure recommends for CPAN.
   * Test suite:
     - Use File::Path::make_path() instead of chained mkdir() in Dpkg_Path.t.
     - Add unit tests for Dpkg::Path::check_directory_traversal().
 .
   [ Updated programs translations ]
   * German (Sven Joachim).
--- End Message ---
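The defaults mismatch that Ian's analysis and the 1.20.4 changelog entry for #964017 describe, as an added Perl illustration that is not dgit's or dpkg's code: a hypothetical SourcePackage whose constructor drops the caller's require_valid_signature => 0, beside one that initializes the option explicitly, and a must_verify() consumer that otherwise falls back to its own "verify unless told otherwise" default. The package and method names and that fallback are assumptions made for the illustration; the point is that a security-relevant option like this is initialized in exactly one place so every code path agrees on its value.

```perl
use strict;
use warnings;

package SourcePackage;

# Buggy constructor (hypothetical): only 'filename' and 'options' are
# honoured, so a top-level require_valid_signature => 0 is silently
# dropped and never reaches %{ $self->{options} }.
sub new {
    my ($class, %args) = @_;
    my $self = bless {
        filename => $args{filename},
        options  => $args{options} // {},
    }, $class;
    return $self;
}

# Fixed constructor: every option is initialized explicitly, in one
# place, to its documented implicit value (0 = signature not required),
# with the caller's top-level argument taking precedence over that.
sub new_explicit {
    my ($class, %args) = @_;
    my $self = $class->new(%args);
    $self->{options}{require_valid_signature} //=
        $args{require_valid_signature} // 0;
    return $self;
}

# A consumer that assumes its own default when the key is absent:
# "verify unless told otherwise". Paired with the buggy constructor this
# is the path that would go on to spawn gpgv although the caller said 0.
sub must_verify {
    my $self = shift;
    my $opt  = $self->{options};
    return 1 unless exists $opt->{require_valid_signature};
    return $opt->{require_valid_signature} ? 1 : 0;
}

package main;

# Constructed call mirroring dgit's: the caller does not require a
# valid signature on the .dsc it imports.
my %args = (filename => 'example_1.2.dsc', require_valid_signature => 0);

my $buggy = SourcePackage->new(%args);
my $fixed = SourcePackage->new_explicit(%args);

printf "buggy constructor:    must_verify=%d\n", $buggy->must_verify;
printf "explicit constructor: must_verify=%d\n", $fixed->must_verify;
```

Run with `perl` to see the two constructors disagree on whether the signature check should run for the same caller arguments.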