This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch master in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=3821f024d92aabf24a333025c1c1956d8a45e718 commit 3821f024d92aabf24a333025c1c1956d8a45e718 Author: Guillem Jover <[email protected]> AuthorDate: Wed May 1 23:23:03 2019 +0200 Dpkg::Source::Package: Verify original tarball signatures at build time When we are building the source package, while detecting whether there is any original upstream tarball signature to be included in the .dsc, it's the best time to verify them, so that when the .dsc gets eventually signed there's a certification path for the maintainer that they are including what they expected to be there. --- debian/changelog | 2 ++ scripts/Dpkg/Source/Package.pm | 36 ++++++++++++++++++++++++++++++++++-- scripts/Dpkg/Source/Package/V1.pm | 2 ++ scripts/Dpkg/Source/Package/V2.pm | 4 ++++ 4 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 168e2d281..16428b983 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -16,6 +16,8 @@ dpkg (1.20.0) UNRELEASED; urgency=medium
 to specify multiple packages. Closes: #926669
 Based on a patch by Frank Schaefer <[email protected]>.
 * perl: Remove support for versioned GnuPG 2 program and packages.
+ * Perl modules:
+ - Dpkg::Source::Package: Verify original tarball signatures at build time.
 * Documentation:
 - man: Fix uncommon wording constructs.
 * Code internals:
diff --git a/scripts/Dpkg/Source/Package.pm b/scripts/Dpkg/Source/Package.pm
index e7c4fb22d..35bdbafa1 100644
--- a/scripts/Dpkg/Source/Package.pm
+++ b/scripts/Dpkg/Source/Package.pm
@@ -1,5 +1,5 @@
 # Copyright © 2008-2011 Raphaël Hertzog <[email protected]>
-# Copyright © 2008-2015 Guillem Jover <[email protected]>
+# Copyright © 2008-2019 Guillem Jover <[email protected]>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by 
@@ -34,7 +34,7 @@ is the one that supports the extraction of the source package.
 use strict;
 use warnings;
-our $VERSION = '1.03';
+our $VERSION = '1.04';
 our @EXPORT_OK = qw(
 get_default_diff_ignore_regex
 set_default_diff_ignore_regex
@@ -44,6 +44,7 @@ our @EXPORT_OK = qw(
 use Exporter qw(import);
 use POSIX qw(:errno_h :sys_wait_h);
 use Carp;
+use File::Temp;
 use File::Copy qw(cp);
 use File::Basename;
@@ -403,6 +404,33 @@ sub find_original_tarballs {
 return @tar;
 }
+=item $p->check_original_tarball_signature($dir, @asc)
+
+Verify the original upstream tarball signatures @asc using the upstream
+public keys. It requires the origin upstream tarballs, their signatures
+and the upstream signing key, as found in an unpacked source tree $dir.
+If any inconsistency is discovered, it immediately errors out.
+
+=cut
+
+sub check_original_tarball_signature {
+ my ($self, $dir, @asc) = @_;
+
+ my $upstream_key = "$dir/debian/upstream/signing-key.asc";
+ if (not -e $upstream_key) {
+ warning(g_('upstream tarball signatures but no upstream signing key'));
+ return;
+ }
+
+ my $keyring = File::Temp->new(UNLINK => 1, SUFFIX => '.gpg');
+ Dpkg::OpenPGP::import_key($upstream_key, keyring => $keyring);
+ foreach my $asc (@asc) {
+ Dpkg::OpenPGP::verify_signature($asc,
+ datafile => $asc =~ s/\.asc$//r,
+ keyrings => [ $keyring ]);
+ }
+}
+
 =item $bool = $p->is_signed()
 Returns 1 if the DSC files contains an embedded OpenPGP signature.
@@ -632,6 +660,10 @@ sub write_dsc {
 =head1 CHANGES
+=head2 Version 1.04 (dpkg 1.20.0)
+
+New method: check_original_tarball_signature().
+
 =head2 Version 1.03 (dpkg 1.19.3)
 New option: format in new().
diff --git a/scripts/Dpkg/Source/Package/V1.pm b/scripts/Dpkg/Source/Package/V1.pm
index ff683af21..d91cea03b 100644
--- a/scripts/Dpkg/Source/Package/V1.pm
+++ b/scripts/Dpkg/Source/Package/V1.pm 
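Review bot: The new method takes `$dir` as its first argument, but both call sites this commit adds (the V1.pm do_build hunk and the last V2.pm _generate_patch hunk) pass only signature paths, so `$dir` becomes the first .asc path, `@asc` loses that entry, `"$dir/debian/upstream/signing-key.asc"` can never exist, and the method silently takes the warning-and-return path — no signature is ever verified, which defeats the stated purpose of the change. The callers should pass the unpacked tree, `$self->check_original_tarball_signature($dir, $tarsign);` in V1.pm and `$self->check_original_tarball_signature($dir, @origtarsigns);` in V2.pm, assuming `$dir` is the directory those functions receive (their signatures lie outside the hunks). The POD states that any inconsistency errors out immediately, yet a missing signing key only warns and returns while the signatures are still listed in the .dsc; either document that as a deliberate soft failure or make it an error, and fix the typo `origin upstream tarballs` → `original upstream tarballs`. Finally, `s/\.asc$//r` also matches before a trailing newline; `s/\.asc\z//r` anchors the end exactly.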
@@ -418,6 +418,8 @@ sub do_build {
 if ($tarsign and -e $tarsign) {
 info(g_('building %s using existing %s'), $sourcepackage, $tarsign);
 $self->add_file($tarsign);
+
+ $self->check_original_tarball_signature($tarsign);
 }
 if ($sourcestyle =~ m/[kpKP]/) {
diff --git a/scripts/Dpkg/Source/Package/V2.pm b/scripts/Dpkg/Source/Package/V2.pm
index db9bd3e71..3da317550 100644
--- a/scripts/Dpkg/Source/Package/V2.pm
+++ b/scripts/Dpkg/Source/Package/V2.pm
@@ -401,6 +401,7 @@ sub _generate_patch {
 my ($tarfile, %addonfile);
 my $comp_ext_regex = compression_get_file_extension_regex();
 my @origtarfiles;
+ my @origtarsigns;
 foreach my $file (sort $self->find_original_tarballs()) {
 if ($file =~ /\.orig\.tar\.$comp_ext_regex$/) {
 if (defined($tarfile)) {
@@ -423,6 +424,7 @@ sub _generate_patch {
 }
 if (-e "$file.asc") {
 push @origtarfiles, "$file.asc";
+ push @origtarsigns, "$file.asc";
 $self->add_file("$file.asc")
 }
 }
@@ -435,6 +437,8 @@ sub _generate_patch {
 info(g_('building %s using existing %s'),
 $self->{fields}{'Source'}, $origtarfile);
 }
+
+ $self->check_original_tarball_signature(@origtarsigns);
 }
 # Unpack a second copy for comparison
-- Dpkg.Org's dpkg
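Review bot: `$self->check_original_tarball_signature(@origtarsigns);` in the last V2.pm hunk runs unconditionally, and since the method checks for the signing key before it looks at `@asc`, every source package that has neither upstream signatures nor debian/upstream/signing-key.asc will emit the `upstream tarball signatures but no upstream signing key` warning on each build. Guard the call at the site, `$self->check_original_tarball_signature(@origtarsigns) if @origtarsigns;` (together with the directory argument the method's definition expects), or have the method return early when it is given no signatures. The new `@origtarsigns` list duplicates the `.asc` entries already pushed onto `@origtarfiles`; a comment such as `# signatures are verified separately from the files recorded in the .dsc` would explain why two lists are kept. _generate_patch begins and ends outside these hunks.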

