https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8086
Bug ID: 8086
Summary: Obsolete gpg and gpg-agent options used in build scripts
Product: Spamassassin
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Building & Packaging
Assignee: dev@spamassassin.apache.org
Reporter: sid...@sidney.com
Target Milestone: Undefined

The commands used for signing our builds are using obsolete options. The sabuildtools directory we have been using contains files named "options" in the included gpg home directories. The default file name for options now used in gpg version 2.2 has been changed to gpg.conf. As a result, building with the old files causes the gpg signature for the build output to be made using the wrong key from our keyring, because the key specified in the file "options" is ignored.

This has only affected the GPG detached signatures in at least some of the 4.0.0 pre-releases and release candidates. Verifying the gpg signatures is confusing enough that nobody noticed more than that the signature was valid and came from the SpamAssassin PMC, and missed that it was not using the exact key that we announced. The 3.4.6 release was signed correctly.

In addition, the build script has a command to launch gpg-agent and generate an environment file. The write-env-file option is obsolete and is now a no-op. Gpg now automatically launches gpg-agent when it is needed, so the gpg-agent command in the script is unnecessary.

I'll update the script and add a note in the build README saying that gpg v2.2 or newer is required for signing.

Someone who is familiar with the rule update system should check if there is any similar problem there, specifically whether there is a file named "options" in the gpg homedir instead of gpg.conf, and if any commands are relying on it for options instead of specifying them on the command line.
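The two checks the report asks for, as an added example that is not part of the bug report or the SpamAssassin build scripts: whether a gpg homedir still relies on the pre-2.2 "options" file name, and whether a detached signature was made by the announced key rather than merely by some valid key on the keyring. The `--status-fd` output format is gpg's own; the sample status lines and fingerprints below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes a release-signing homedir
# laid out like the sabuildtools ones described above.

# Return 0 if the homedir is configured the way gpg >= 2.2 reads it, 1 if it
# still carries only the obsolete "options" file (silently ignored by 2.2+,
# so default-key settings in it never take effect).
check_gpg_homedir() {
  homedir=$1
  if [ -f "$homedir/gpg.conf" ]; then
    return 0
  fi
  if [ -f "$homedir/options" ]; then
    echo "warning: $homedir/options is ignored by gpg >= 2.2; rename it to gpg.conf" >&2
    return 1
  fi
  echo "warning: no gpg.conf in $homedir; pass the signing key on the command line" >&2
  return 1
}

# Read machine-readable output of `gpg --status-fd 1 --verify SIG FILE` on
# stdin and print the fingerprint of the key that actually made the signature.
# gpg reports it as the third field of the VALIDSIG line.
signing_fingerprint() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# A GOODSIG from any PMC key on the keyring still passes `gpg --verify`; the
# failure mode in this bug is a valid signature from the wrong key, so compare
# the fingerprint against the one announced for the release.
check_announced_key() {
  expected=$1
  actual=$(signing_fingerprint)
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample status output (placeholder key ids and fingerprint).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF SpamAssassin PMC (placeholder)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2022-01-01 1641000000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'
ANNOUNCED_FPR=0123456789ABCDEF0123456789ABCDEF01234567

if printf '%s\n' "$SAMPLE_STATUS" | check_announced_key "$ANNOUNCED_FPR"; then
  echo "signature made by the announced key"
else
  echo "signature valid but NOT made by the announced key" >&2
fi
```

On a real build, replace the sample with `gpg --homedir DIR --status-fd 1 --verify ARTIFACT.asc ARTIFACT | check_announced_key FPR` and run `check_gpg_homedir DIR` before signing.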