[dpkg] 02/16: Dpkg::Source::Package: Verify signatures before printing source files addition

[Guillem Jover]

This is an automated email from the git hooks/post-receive script.

guillem pushed a commit to branch main
in repository dpkg.

View the commit online:
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=16282d3bdc20e5e4fca8a53343d2c3510d4cbe69

commit 16282d3bdc20e5e4fca8a53343d2c3510d4cbe69
Author: Guillem Jover <guil...@debian.org>
AuthorDate: Mon Feb 7 00:31:42 2022 +0100

    Dpkg::Source::Package: Verify signatures before printing source files 
addition
    
    Even though we do not add these files until later, we should print the
    actions we are doing in an order that makes sense, which is first
    signature verification, then file addition.
---
 scripts/Dpkg/Source/Package/V1.pm |  6 +++---
 scripts/Dpkg/Source/Package/V2.pm | 10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/scripts/Dpkg/Source/Package/V1.pm 
b/scripts/Dpkg/Source/Package/V1.pm
index a33ce362d..e65214195 100644
--- a/scripts/Dpkg/Source/Package/V1.pm
+++ b/scripts/Dpkg/Source/Package/V1.pm
@@ -430,11 +430,11 @@ sub do_build {
         }
     }
     if ($tarsign and -e $tarsign) {
-        info(g_('building %s using existing %s'), $sourcepackage, $tarsign);
-        $self->add_file($tarsign);
-
         info(g_('verifying %s using existing %s'), $tarname, $tarsign);
         $self->check_original_tarball_signature($dir, $tarsign);
+
+        info(g_('building %s using existing %s'), $sourcepackage, $tarsign);
+        $self->add_file($tarsign);
     } else {
         my $key = $self->get_upstream_signing_key($dir);
         if (-e $key) {
diff --git a/scripts/Dpkg/Source/Package/V2.pm 
b/scripts/Dpkg/Source/Package/V2.pm
index d8e81b0bf..3018b55a1 100644
--- a/scripts/Dpkg/Source/Package/V2.pm
+++ b/scripts/Dpkg/Source/Package/V2.pm
@@ -437,11 +437,6 @@ sub _generate_patch {
           $self->_upstream_tarball_template()) unless $tarfile;
 
     if ($opts{usage} eq 'build') {
-        foreach my $origtarfile (@origtarfiles) {
-            info(g_('building %s using existing %s'),
-                 $self->{fields}{'Source'}, $origtarfile);
-        }
-
         if (@origtarsigns) {
             $self->check_original_tarball_signature($dir, @origtarsigns);
         } else {
@@ -450,6 +445,11 @@ sub _generate_patch {
                 warning(g_('upstream signing key but no upstream tarball 
signature'));
             }
         }
+
+        foreach my $origtarfile (@origtarfiles) {
+            info(g_('building %s using existing %s'),
+                 $self->{fields}{'Source'}, $origtarfile);
+        }
     }
 
     # Unpack a second copy for comparison

-- 
Dpkg.Org's dpkg