This is an automated email from the git hooks/post-receive script.

guillem pushed a commit to branch master
in repository dpkg.

View the commit online:
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ca1cb131d8945d9d47871110f6a3010a501cd03a

commit ca1cb131d8945d9d47871110f6a3010a501cd03a
Author: Guillem Jover <[email protected]>
AuthorDate: Sun Mar 22 23:32:56 2020 +0100

    Dpkg::Source::Package: Check missing expected tarball signatures
    
    When the source package provides an upstream signing key, it is expected
    that the source package provides upstream tarball signatures. If not,
    then error out, to avoid building packages with the missing files, which
    tends to be very easy to get into.
---
 debian/changelog                  | 1 +
 scripts/Dpkg/Source/Package/V1.pm | 5 +++++
 scripts/Dpkg/Source/Package/V2.pm | 5 +++++
 3 files changed, 11 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index b73e4b719..718e0c5dc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@ dpkg (1.20.1) UNRELEASED; urgency=medium
   * Perl modules:
     - Dpkg: Add a LICENSE section to the POD.
     - Dpkg::Source::Package: Add new get_upstream_signing_key() method.
+    - Dpkg::Source::Package: Check missing expected tarball signatures.
   * Build system:
     - Handle .git being a plain file when getting the dpkg tree version.
     - Add debian/changelog as a Changes file to the CPAN distribution.
diff --git a/scripts/Dpkg/Source/Package/V1.pm 
b/scripts/Dpkg/Source/Package/V1.pm
index 636a92452..24af1126e 100644
--- a/scripts/Dpkg/Source/Package/V1.pm
+++ b/scripts/Dpkg/Source/Package/V1.pm
@@ -420,6 +420,11 @@ sub do_build {
         $self->add_file($tarsign);
 
         $self->check_original_tarball_signature($dir, $tarsign);
+    } else {
+        my $key = $self->get_upstream_signing_key($dir);
+        if (-e $key) {
+            error(g_('upstream signing key but no upstream tarball 
signature'));
+        }
     }
 
     if ($sourcestyle =~ m/[kpKP]/) {
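Review bot: The new `else` branch hangs off an `if` whose condition starts outside the hunk, so it is not visible whether this branch is also reached for builds that have no original tarball at all. If it is, a tree that ships an upstream signing key would fail with a complaint about a signature for a tarball that does not exist, so it is worth confirming the branch is limited to builds with an original tarball. The message also names no file; something like `error(g_('upstream signing key %s found but no upstream tarball signature'), $key);` tells the maintainer which path triggered the check. The same five lines are added again in the V2.pm hunk, so a shared helper next to get_upstream_signing_key() would keep the two source formats in step.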
diff --git a/scripts/Dpkg/Source/Package/V2.pm 
b/scripts/Dpkg/Source/Package/V2.pm
index b6d7bf6dc..2ea1e4eba 100644
--- a/scripts/Dpkg/Source/Package/V2.pm
+++ b/scripts/Dpkg/Source/Package/V2.pm
@@ -440,6 +440,11 @@ sub _generate_patch {
 
         if (@origtarsigns) {
             $self->check_original_tarball_signature($dir, @origtarsigns);
+        } else {
+            my $key = $self->get_upstream_signing_key($dir);
+            if (-e $key) {
+                error(g_('upstream signing key but no upstream tarball 
signature'));
+            }
         }
     }
 
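Review bot: The added check fires only when `@origtarsigns` is empty, so a package with several original tarballs where only some carry a signature still takes the `if (@origtarsigns)` path. Whether check_original_tarball_signature() then requires a signature for every tarball is not visible in this hunk; if it does not, an unsigned additional tarball would be accepted even though a signing key is shipped. Consider comparing the number of signatures with the number of original tarballs, or at least stating the limit in a comment such as `# Only catches the case where no tarball signature exists at all.`. The enclosing sub starts and ends outside the hunk.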

-- 
Dpkg.Org's dpkg
