Package: devscripts
Version: 2.14.10
Severity: normal
Tags: patch
Dear Maintainer,
when gpg2 2.1 is installed (currently available in debian
experimental), uscan --verbose fails to check the upstream signature
when the upstream signing key is ascii-armored.
The attached patch should resolve the issue.
Regards,
--dkg
-- Package-specific info:
--- /etc/devscripts.conf ---
--- ~/.devscripts ---
Not present
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages devscripts depends on:
ii dpkg-dev 1.17.13
ii libc6 2.19-12
ii perl 5.20.1-2
ii python3 3.4.2-1
pn python3:any <none>
Versions of packages devscripts recommends:
ii at 3.1.16-1
ii curl 7.38.0-2
ii dctrl-tools 2.23
ii debian-keyring 2014.08.31
ii dput-ng [dput] 1.8
ii dupload 2.7.0
pn equivs <none>
ii fakeroot 1.20.2-1
ii file 1:5.20-1
ii gnupg 1.4.18-4
ii libdistro-info-perl 0.13
ii libencode-locale-perl 1.03-1
ii libjson-perl 2.61-1
ii liblwp-protocol-https-perl 6.06-2
ii libparse-debcontrol-perl 2.005-4
pn libsoap-lite-perl <none>
ii liburi-perl 1.64-1
ii libwww-perl 6.08-1
ii lintian 2.5.30
ii man-db 2.7.0.2-2
ii patch 2.7.1-6
ii patchutils 0.3.3-1
ii python3-debian 0.1.24
pn python3-magic <none>
ii sensible-utils 0.0.9
ii strace 4.9-2
ii unzip 6.0-12
ii wdiff 1.2.2-1
ii wget 1.15-1+b1
ii xz-utils 5.1.1alpha+20120614-2
Versions of packages devscripts suggests:
ii build-essential 11.7
pn cvs-buildpackage <none>
ii devscripts-el 35.12
pn gnuplot <none>
ii gpgv 1.4.18-4
ii heirloom-mailx [mailx] 12.5-3
pn libauthen-sasl-perl <none>
pn libfile-desktopentry-perl <none>
ii libnet-smtp-ssl-perl 1.01-3
pn libterm-size-perl <none>
ii libtimedate-perl 2.3000-2
pn libyaml-syck-perl <none>
ii mailutils [mailx] 1:2.99.98-2
pn mutt <none>
ii openssh-client [ssh-client] 1:6.7p1-2
ii svn-buildpackage 0.8.5+nmu1
ii w3m 0.5.3-17
-- debconf-show failed
>From dd7b60948caa34ca8d7af8bc4d8a5a4db68ca2ec Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <[email protected]>
Date: Thu, 6 Nov 2014 12:08:31 -0500
Subject: [PATCH] explicitly dearmor, rather than --import upstream signing key
gnupg 2.1 handles --import by generating a pubring.kbx file, not a
pubring.gpg file. So when gnupg 2.1 is installed verifying upstream
signatures failed when the upstream signing key was ascii-armored.
With this patch, we explicitly dearmor the .asc, rather than relying
on side effects that aren't true for all gpg versions.
---
scripts/uscan.pl | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/scripts/uscan.pl b/scripts/uscan.pl
index 4456a7c..8c79b3a 100755
--- a/scripts/uscan.pl
+++ b/scripts/uscan.pl
@@ -872,9 +872,10 @@ sub process_watchline ($$$$$$)
}
# Need to convert an armored key to binary for use by gpgv
$gpghome = tempdir(CLEANUP => 1);
- spawn(exec => [$havegpg, '--homedir', $gpghome, '--no-options', '-q', '--batch', '--no-default-keyring', '--import', $keyring],
+ my $newkeyring = "$gpghome/trustedkeys.gpg";
+ spawn(exec => [$havegpg, '--homedir', $gpghome, '--no-options', '-q', '--batch', '--no-default-keyring', , '--output', $newkeyring, '--dearmor', $keyring],
wait_child => 1);
- $keyring = "$gpghome/pubring.gpg";
+ $keyring = $newkeyring
}
}
--
2.1.1
_______________________________________________
devscripts-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
