This is an automated email from the git hooks/post-receive script.

guillem pushed a commit to branch master
in repository dpkg.

View the commit online:
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=a676dcade15172dccf92cb7677e0bbf8119fe1a7

commit a676dcade15172dccf92cb7677e0bbf8119fe1a7
Author: Guillem Jover <[email protected]>
AuthorDate: Sun Jun 28 16:33:03 2020 +0200

    Dpkg::Source::Package: Make import_key() call honor require_valid_signature
    
    The call to import_key() in check_original_tarball_signature() did not
    pass the require_valid_signature option, so it was always considering
    problems as fatal, while that option defaults to false.
    
    Reported-by: Mattia Rizzolo <[email protected]>
---
 debian/changelog               |  3 +++
 scripts/Dpkg/Source/Package.pm | 15 ++++++++++-----
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 85792bb8a..427020380 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,9 @@ dpkg (1.20.3) UNRELEASED; urgency=medium
     - Dpkg::Build::Info: Clarify by giving context to the
       get_build_env_whitelist() deprecation warning. Closes: #963844
       Reported by Sven Joachim <[email protected]>.
+    - Dpkg::Source::Package: Fix check_original_tarball_signature() to make
+      import_key() honor require_valid_signature, which should default to
+      false. Reported by Mattia Rizzolo <[email protected]>.
 
   [ Updated programs translations ]
   * German (Sven Joachim).
diff --git a/scripts/Dpkg/Source/Package.pm b/scripts/Dpkg/Source/Package.pm
index 28c207d7e..fc9f4b123 100644
--- a/scripts/Dpkg/Source/Package.pm
+++ b/scripts/Dpkg/Source/Package.pm
@@ -429,15 +429,20 @@ sub check_original_tarball_signature {
     }
 
     my $keyring = File::Temp->new(UNLINK => 1, SUFFIX => '.gpg');
-    Dpkg::OpenPGP::import_key($upstream_key, keyring => $keyring);
-
     my %opts = (
-        keyrings => [ $keyring ],
         require_valid_signature => $self->{options}{require_valid_signature},
     );
+    Dpkg::OpenPGP::import_key($upstream_key,
+        %opts,
+        keyring => $keyring,
+    );
+
     foreach my $asc (@asc) {
-        $opts{datafile} = $asc =~ s/\.asc$//r;
-        Dpkg::OpenPGP::verify_signature($asc, %opts);
+        Dpkg::OpenPGP::verify_signature($asc,
+            %opts,
+            keyrings => [ $keyring ],
+            datafile => $asc =~ s/\.asc$//r,
+        );
     }
 }
 
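Review bot: The new import_key() call passes require_valid_signature without any comment saying why, and the non-fatal path it enables stays implicit: when the option is false and the key import fails, the loop still calls verify_signature() against a keyring that may hold no keys (assuming import_key() only warns in that mode, which is not visible in this hunk). A short comment above the call would make the intent clear, e.g. `# require_valid_signature is passed to import_key() too, so a failed key import is only fatal when a valid signature is mandatory.` The `datafile` expression on the new side anchors with `$`, which also matches before a trailing newline; `datafile => $asc =~ s/\.asc\z//r,` anchors to the real end of the filename. check_original_tarball_signature() begins before this hunk.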
