Hi,

> lintian: Check presence of upstream signature if signing key
> available

So, I just had a go at implementing this. However, I think I'm misunderstanding something fundamental about how Lintian's Collect classes work. Namely, checks/changes-file.pm will only "see" .changes-related stuff; if I want to check the source package for whether the signing key exists I'll need a Lintian::Collect::Source… but I can't quite see how to access that from within changes-file.pm.

In concrete terms, I (obviously) cannot call $info->index_resolved_path.

Any hints? WIP patch attached:

commit 006256a6fb3bd13452180ca2abccacd3cd6762e4
Author: Chris Lamb <[email protected]>
Date:   Sat Jul 15 20:31:55 2017 +0100

 checks/changes-file.desc                              |  6 ++++++
 checks/changes-file.pm                                | 15 +++++++++++++++
 checks/watch-file.pm                                  |  7 ++-----
 data/common/signing-key-filenames                     |  5 +++++
 debian/changelog                                      |  3 +++
 ...changes-file-missing-upstream-signature.changes.in | 18 ++++++++++++++++++
 .../changes-file-missing-upstream-signature.desc      |  4 ++++
 ...hanges-file-missing-upstream-signature.orig.tar.gz | Bin 0 -> 105 bytes
 .../changes-file-missing-upstream-signature.tags      |  1 +
 9 files changed, 54 insertions(+), 5 deletions(-)

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb, Debian Project Leader
     `. `'`      [email protected] / chris-lamb.co.uk
       `-
>From 006256a6fb3bd13452180ca2abccacd3cd6762e4 Mon Sep 17 00:00:00 2001 From: Chris Lamb <[email protected]> Date: Sat, 15 Jul 2017 20:31:55 +0100 Subject: [PATCH] Check for the presence of a signature if an upstream signing key is present. (Closes: #833585) --- checks/changes-file.desc | 6 ++++++ checks/changes-file.pm | 15 +++++++++++++++ checks/watch-file.pm | 7 ++----- data/common/signing-key-filenames | 5 +++++ debian/changelog | 3 +++ ...changes-file-missing-upstream-signature.changes.in | 18 ++++++++++++++++++ .../changes-file-missing-upstream-signature.desc | 4 ++++ ...hanges-file-missing-upstream-signature.orig.tar.gz | Bin 0 -> 105 bytes .../changes-file-missing-upstream-signature.tags | 1 + 9 files changed, 54 insertions(+), 5 deletions(-) create mode 100644 data/common/signing-key-filenames create mode 100644 t/changes/changes-file-missing-upstream-signature.changes.in create mode 100644 t/changes/changes-file-missing-upstream-signature.desc create mode 100644 t/changes/changes-file-missing-upstream-signature.orig.tar.gz create mode 100644 t/changes/changes-file-missing-upstream-signature.tags diff --git a/checks/changes-file.desc b/checks/changes-file.desc index 4506cccb1..c1fa0d6a4 100644 --- a/checks/changes-file.desc +++ b/checks/changes-file.desc @@ -179,3 +179,9 @@ Info: The distribution in the <tt>Changes</tt> field copied from <tt>debian/changelog</tt> indicates that this package was not intended to be released yet. Ref: #542747 + +Tag: signing-key-without-upstream-signature +Severity: important +Certainty: certain +Info: The packaging includes an upstream signing key but the signature for + one or more source tarballs are not included in your .changes file. diff --git a/checks/changes-file.pm b/checks/changes-file.pm index 4b56525f6..b128887e9 100644 --- a/checks/changes-file.pm +++ b/checks/changes-file.pm 
@@ -29,6 +29,7 @@ use Lintian::Data; use Lintian::Util qw(get_file_checksum); my $KNOWN_DISTS = Lintian::Data->new('changes-file/known-dists'); +my $SIGNING_KEY_FILENAMES = Lintian::Data->new('common/signing-key-filenames'); sub run { my (undef, undef, $info) = @_; @@ -175,12 +176,26 @@ sub run { check_maintainer($info->field('changed-by'), 'changed-by'); } + my $has_signing_key = 0; + for my $key_name ($SIGNING_KEY_FILENAMES->all) { + my $path = $info->index_resolved_path("debian/$key_name"); + if ($path and $path->is_file) { + $has_signing_key = 1; + last; + } + } + my $files = $info->files; my $path = readlink($info->lab_data_path('changes')); $path =~ s#/[^/]+$##; foreach my $file (keys %$files) { my $file_info = $files->{$file}; + if ($has_signing_key && $file =~ m/\.orig\./ && $file !~ m/\.asc^/) { + next if exists $files->index_resolved_path{"$file.asc"}; + tag 'signing-key-without-upstream-signaturew', "$file whut"; + } + # check section if ( ($file_info->{section} eq 'non-free') or ($file_info->{section} eq 'contrib')) { diff --git a/checks/watch-file.pm b/checks/watch-file.pm index bfa5d9293..ca651f030 100644 --- a/checks/watch-file.pm +++ b/checks/watch-file.pm @@ -28,6 +28,7 @@ use autodie; use Lintian::Tags qw(tag); our $WATCH_VERSION = Lintian::Data->new('watch-file/version', qr/\s*=\s*/o); +our $SIGNING_KEY_FILENAMES = Lintian::Data->new('common/signing-key-filenames'); sub run { my (undef, undef, $info) = @_; @@ -185,12 +186,8 @@ sub run { tag 'debian-watch-may-check-gpg-signature' unless ($withgpgverification); if ($withgpgverification) { - my @key_names = ( - qw(upstream-signing-key.pgp upstream/signing-key.pgp - upstream/signing-key.asc) - ); my $found = 0; - for my $key_name (@key_names) { + for my $key_name ($SIGNING_KEY_FILENAMES->all) { my $path = $info->index_resolved_path("debian/$key_name"); if ($path and $path->is_file) { $found = 1; 
diff --git a/data/common/signing-key-filenames b/data/common/signing-key-filenames new file mode 100644 index 000000000..f358063e6 --- /dev/null +++ b/data/common/signing-key-filenames @@ -0,0 +1,5 @@ +# Manually maintained list of possible upstream signing key locations +# +upstream-signing-key.pgp +upstram/signing-key.pgp +upstream/signing-key.asc diff --git a/debian/changelog b/debian/changelog index cc52719f2..14a66aa32 100644 --- a/debian/changelog +++ b/debian/changelog @@ -10,6 +10,9 @@ lintian (2.5.52) UNRELEASED; urgency=medium + [NT] Remove check for missing versioned build-depends for dpkg and debhlper when using Build-Profiles. The necessary versions are now in oldstable. + * checks/changes-file.{desc,pm}: + + [CL] Check for the presence of a signature if an upstream signing + key is present. (Closes: #833585) * checks/copyright-file.{desc,pm}: + [CL] Rename copyright-contains-dh-make-perl-boilerplate to copyright-contains-automatically-extracted-boilerplate as it can diff --git a/t/changes/changes-file-missing-upstream-signature.changes.in b/t/changes/changes-file-missing-upstream-signature.changes.in new file mode 100644 index 000000000..81cc68606 --- /dev/null +++ b/t/changes/changes-file-missing-upstream-signature.changes.in @@ -0,0 +1,18 @@ +Format: 1.8 +Date: {$date} +Source: {$source} +Binary: {$source} +Architecture: source all +Version: {$version} +Distribution: unstable +Urgency: low +Maintainer: {$author} +Changed-By: {$author} +Files: + 98af6e193d7e1d5f5d893bd646aa0d8c 105 devel optional {$source}.orig.tar.gz +Checksums-Sha1: + 91b47e0803c00e5bc92a8201dd97a97ef3a2f46e 105 {$source}.log +Checksums-Sha256: + 0bd9e55cb2c0f67beaa2d79df0d7ec028ff89ff8ae3e3031bd35888b77bb54c1 105 {$source}.orig.tar.gz +Description: + {$source} - {$description} diff --git a/t/changes/changes-file-missing-upstream-signature.desc b/t/changes/changes-file-missing-upstream-signature.desc new file mode 100644 index 000000000..81ef38942 --- /dev/null 
+++ b/t/changes/changes-file-missing-upstream-signature.desc @@ -0,0 +1,4 @@ +Testname: changes-file-missing-upstream-signature +Version: 1.0 +Description: Check presence of a signature if we have an upstream signing key +Test-For: signing-key-without-upstream-signature diff --git a/t/changes/changes-file-missing-upstream-signature.orig.tar.gz b/t/changes/changes-file-missing-upstream-signature.orig.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..3bf374f45fef1924202611f0cd6891dc158ba046 GIT binary patch literal 105 zcmb2|=3oE;Cg!)Nw3!YW2)JI1^a^uOU!wS0Q;J9a;5$vGMn>1Gme0Drmj(ZcUFY^} zb?KM>eXhA%-#$Nl;+pd7UHuxiW(E82P4m_)j5>Gx`1JehWx*zb2(vFN)wLe888jFe E0E(6=<NyEw literal 0 HcmV?d00001 diff --git a/t/changes/changes-file-missing-upstream-signature.tags b/t/changes/changes-file-missing-upstream-signature.tags new file mode 100644 index 000000000..9d6cf4b7f --- /dev/null +++ b/t/changes/changes-file-missing-upstream-signature.tags @@ -0,0 +1 @@ +FIXME -- 2.13.2
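Review bot: The Info text added in the checks/changes-file.desc hunk has a number-agreement slip ("the signature for one or more source tarballs are not included"); read "is not included". The same text promises coverage of "source tarballs" in general, while the matching code in changes-file.pm only looks at names containing ".orig.", so component tarballs (".orig-<component>.tar.*") are described but never checked; either widen the match or narrow the description.

Review bot: The signing-key loop in the checks/changes-file.pm hunk calls $info->index_resolved_path on the changes collect, which, as the cover note itself says, is only available for the source package, so the loop dies before any file is examined. The data this check needs (the key under debian/ and the list of upstream tarballs) lives on the source side, so the check fits a source check such as watch-file.pm, where $info->index_resolved_path is already in use, better than the changes check. The file loop has three further defects: "$file !~ m/\.asc^/" places a start-of-string anchor mid-pattern and therefore never matches, so the .asc files are themselves tested for a missing signature (use m/\.asc$/); "exists $files->index_resolved_path{"$file.asc"}" is not a valid lookup on the $files hashref (use exists $files->{"$file.asc"}); and the emitted tag name "signing-key-without-upstream-signaturew" with the stray "whut" argument does not match the tag declared in the .desc, so Lintian would report an unknown tag and the test's Test-For line could never be satisfied (use tag 'signing-key-without-upstream-signature', $file;).

Review bot: In the checks/watch-file.pm hunk, replacing the hard-coded key list with $SIGNING_KEY_FILENAMES->all makes the existing GPG-verification check depend on the new data file being exact, so any error in that file now silently regresses this older check as well as the new one; add a test that ships a key at each listed location so the shared list stays honest.

Review bot: data/common/signing-key-filenames has a typo, "upstram/signing-key.pgp" for "upstream/signing-key.pgp". The list the watch-file hunk removed had the correct spelling, so after this patch a package shipping its key as debian/upstream/signing-key.pgp is no longer recognised as having a key at all.

Review bot: In the t/changes/changes-file-missing-upstream-signature.changes.in hunk, Checksums-Sha1 lists "{$source}.log" while Files and Checksums-Sha256 both list "{$source}.orig.tar.gz", so the three fields disagree about which file is in the upload; make all three name the orig tarball with the same size. The fixture also provides no source package with a signing key under debian/, so the $has_signing_key branch can never be true here and the tag under test cannot fire from a .changes-only test.

Review bot: The new .tags file contains only the "FIXME" placeholder; the test suite compares the tags Lintian emits against this file, so the test fails as submitted. Replace it with the expected output line for the orig tarball, in the format the other t/changes/*.tags files use, once the tag name in changes-file.pm matches the .desc.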

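As an added example (not code from the message above, from Lintian, or from Chris Lamb), here is a standalone Python version of the check the patch is reaching for: given the text of a .changes file and the set of paths in the unpacked source package, report every upstream tarball in Files: that has no detached .asc signature alongside it when the packaging ships an upstream signing key. It generalises the patch slightly by also covering component tarballs (".orig-<component>.tar.*") and by excluding the .asc files themselves, which is what the "\.asc^" pattern was meant to do. The key locations are taken from the patch's data file with its typo corrected; the .changes content, md5sum placeholders and the "E: <source> changes: ..." tag-line format are assumptions constructed for the example.

```python
"""Standalone re-implementation of the intended Lintian check.

Assumed inputs (not Lintian's API):
  * changes_text: the text of a .changes file
  * source_tree:  a set of paths relative to the unpacked source package
The .changes at the bottom is constructed sample data.
"""
import re

# Key locations from the patch's data/common/signing-key-filenames
# (with "upstram" corrected), relative to debian/.
SIGNING_KEY_FILENAMES = (
    "upstream-signing-key.pgp",
    "upstream/signing-key.pgp",
    "upstream/signing-key.asc",
)

# Upstream tarballs: foo_1.0.orig.tar.gz and component tarballs such as
# foo_1.0.orig-docs.tar.xz. The trailing $ keeps foo_1.0.orig.tar.gz.asc
# itself out of the match.
UPSTREAM_TARBALL_RE = re.compile(
    r"\.orig(?:-[A-Za-z0-9][A-Za-z0-9-]*)?\.tar\.(?:gz|bz2|xz|lzma)$"
)


def parse_changes_files(changes_text):
    """Return the file names listed in the Files: field of a .changes.

    deb822 continuation lines start with whitespace; each Files: entry
    is "md5sum size section priority name", so the name is the last word.
    """
    names = []
    in_files = False
    for line in changes_text.splitlines():
        if line[:1] in (" ", "\t"):
            if in_files and line.strip():
                names.append(line.split()[-1])
            continue
        # Any non-continuation line starts a new field (or ends the stanza).
        in_files = line.lower().startswith("files:")
    return names


def has_signing_key(source_tree):
    """True if the packaging ships an upstream key at a known location."""
    return any("debian/" + name in source_tree for name in SIGNING_KEY_FILENAMES)


def missing_upstream_signatures(changes_text, source_tree):
    """Upstream tarballs in Files: that have no <tarball>.asc entry.

    Returns [] when no key is shipped: without a key there is nothing to
    verify a detached signature against, so the tag does not apply.
    """
    if not has_signing_key(source_tree):
        return []
    listed = set(parse_changes_files(changes_text))
    return sorted(
        name for name in listed
        if UPSTREAM_TARBALL_RE.search(name) and name + ".asc" not in listed
    )


def lintian_style_tags(source, changes_text, source_tree):
    """Render findings as tag lines (assumed format, for illustration)."""
    return [
        f"E: {source} changes: signing-key-without-upstream-signature {name}"
        for name in missing_upstream_signatures(changes_text, source_tree)
    ]


# Constructed sample data: the md5sums are placeholders (digest of the
# empty string), not digests of real files.
SAMPLE_CHANGES = """\
Format: 1.8
Source: example
Architecture: source
Version: 1.0-1
Files:
 d41d8cd98f00b204e9800998ecf8427e 105 devel optional example_1.0.orig.tar.gz
 d41d8cd98f00b204e9800998ecf8427e 200 devel optional example_1.0.orig-docs.tar.xz
 d41d8cd98f00b204e9800998ecf8427e 833 devel optional example_1.0.orig-docs.tar.xz.asc
 d41d8cd98f00b204e9800998ecf8427e 900 devel optional example_1.0-1.debian.tar.xz
 d41d8cd98f00b204e9800998ecf8427e 800 devel optional example_1.0-1.dsc
Checksums-Sha256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 105 example_1.0.orig.tar.gz
"""

SOURCE_WITH_KEY = {"debian/changelog", "debian/watch", "debian/upstream/signing-key.asc"}
SOURCE_WITHOUT_KEY = {"debian/changelog", "debian/watch"}

if __name__ == "__main__":
    # Only the main orig tarball is reported: the docs component has its .asc.
    for line in lintian_style_tags("example", SAMPLE_CHANGES, SOURCE_WITH_KEY):
        print(line)
```

Run as a script it prints one line for example_1.0.orig.tar.gz and nothing for the docs component, whose signature is listed; with SOURCE_WITHOUT_KEY it reports nothing, which is the same gating the patch's $has_signing_key flag expresses.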
