Source: devscripts
Source-Version: 2.17.0
Severity: important
X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org
Hi!

The .buildinfo files were supposed to be signed, but dpkg-buildpackage didn't do that until dpkg 1.18.19. Even then, when we sign sources and those get referenced in the .buildinfo file, their checksums will not match as they have been changed. I've prepared a patch for dscverify to test the new dpkg, but debsign is still pending. Patch attached, please review.

Thanks,
Guillem
From 1579878c73e248f89d5619d893dab450fc6344fb Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Fri, 27 Jan 2017 14:02:44 +0100 Subject: [PATCH] dscverify: Add support for .buildinfo files Signed-off-by: Guillem Jover <guil...@debian.org> --- scripts/dscverify.1 | 11 +++++++---- scripts/dscverify.pl | 10 +++++----- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/scripts/dscverify.1 b/scripts/dscverify.1 index 48b41a25..1082147a 100644 --- a/scripts/dscverify.1 +++ b/scripts/dscverify.1 @@ -2,15 +2,17 @@ .SH NAME dscverify \- verify the validity of a Debian package .SH SYNOPSIS -\fBdscverify\fR [\fB\-\-keyring \fIkeyring\fR] ... \fIchanges_or_dsc_filename\fR ... +\fBdscverify\fR [\fB\-\-keyring \fIkeyring\fR] ... \fIchanges_or_buildinfo_or_dsc_filename\fR ... .SH DESCRIPTION \fBdscverify\fR checks that the GPG signatures on the given -\fI.changes\fR or \fI.dsc\fR files are good signatures made by keys in +\fI.changes\fR, \fI.buildinfo\fP or \fI.dsc\fR files are good signatures +made by keys in the current Debian keyrings, found in the \fIdebian-keyring\fR and \fIdebian-maintainers\fR packages. (Additional keyrings can be specified using the \fB--keyring\fR option any number of times.) It then checks that the -other files listed in the \fI.changes\fR or \fI.dsc\fR files have the +other files listed in the \fI.changes\fR, \fI.buildinfo\fP or \fI.dsc\fR +files have the correct sizes and checksums (MD5 plus SHA1 and SHA256 if the latter are present). The exit status is 0 if there are no problems and non-zero otherwise. @@ -28,7 +30,8 @@ first option given on the command-line. .TP \fB\-\-nosigcheck\fR, \fB\-\-no\-sig\-check\fR, \fB-u\fR Skip the signature verification step. That is, only verify the sizes and -checksums of the files listed in the \fI.changes\fR or \fI.dsc\fR files. +checksums of the files listed in the \fI.changes\fR, \fI.buildinfo\fP or +\fI.dsc\fR files. .TP \fB\-\-verbose\fR Do not suppress GPG output. 
diff --git a/scripts/dscverify.pl b/scripts/dscverify.pl index 97600856..8bc0857c 100755 --- a/scripts/dscverify.pl +++ b/scripts/dscverify.pl @@ -46,7 +46,7 @@ my $havegpg = first { !system('sh', '-c', "command -v $_ >/dev/null 2>&1") } qw sub usage { print <<"EOF"; -Usage: $progname [options] dsc-or-changes-file ... +Usage: $progname [options] changes-or-buildinfo-dsc-file ... Options: --help Display this message --version Display version and copyright information --keyring <keyring> @@ -213,7 +213,7 @@ sub process_file { } } - my @spec = map { split /\n/ } $out =~ /^Files:\s*\n((?:[ \t]+.*\n)+)/mgi; + my @spec = map { split /\n/ } $out =~ /^(?:Checksums-Md5|Files):\s*\n((?:[ \t]+.*\n)+)/mgi; unless (@spec) { xwarn "no file spec lines in $file\n"; return; @@ -342,7 +342,7 @@ sub process_file { close FILE; - if ($filename =~ /\.dsc$/ && $verify_sigs) { + if ($filename =~ /\.(?:dsc|buildinfo)$/ && $verify_sigs) { $sigcheck = check_signature $filename, @rings; if ($sigcheck) { xwarn "$filename failed signature check:\n$sigcheck"; @@ -358,7 +358,7 @@ sub process_file { } sub main { - @ARGV or xdie "no .changes or .dsc files specified\n"; + @ARGV or xdie "no .changes, .buildinfo or .dsc files specified\n"; my @rings; @@ -416,7 +416,7 @@ sub main { 'verbose' => \$verbose, ) or do { usage; exit 1 }; - @ARGV or xdie "no .changes or .dsc files specified\n"; + @ARGV or xdie "no .changes, .buildinfo or .dsc files specified\n"; @rings = get_rings @rings if $use_default_keyrings and $verify_sigs; -- 2.11.0
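Review bot: In the first dscverify.1 hunk (@@ -2,15 +2,17 @@), the added text closes the italic `.buildinfo` with `\fP` while every neighbouring font change in the same sentence uses `\fR` (`\fI.changes\fR, \fI.buildinfo\fP or \fI.dsc\fR`); both restore roman here, but the file consistently uses `\fR`, so `\fI.buildinfo\fR` would keep the markup uniform. The same `\fP` appears in the second dscverify.1 hunk (@@ -28,7 +30,8 @@) and in the synopsis line.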
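Review bot: In the usage() hunk of dscverify.pl (@@ -46,7 +46,7 @@), the new placeholder `changes-or-buildinfo-dsc-file` drops the "or" between buildinfo and dsc, so it no longer mirrors the man page synopsis `changes_or_buildinfo_or_dsc_filename` from the same patch; `changes-or-buildinfo-or-dsc-file` would match the documented form.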
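Review bot: In the file-spec hunk (@@ -213,7 +213,7 @@), the regex is applied with `/mg` and the results are concatenated by `map`, so a control file carrying both a `Files:` and a `Checksums-Md5:` field would list every file twice and verify each one twice. .buildinfo files use `Checksums-Md5` and .changes/.dsc files use `Files`, so this does not bite today, but taking only the first matching field (or selecting the field name by file type, as the signature hunk already does by suffix) would make the intent explicit and keep the output free of duplicate checks.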
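Review bot: In the signature-check hunk (@@ -342,7 +342,7 @@), extending `check_signature` to `.buildinfo` means a .buildinfo generated by a dpkg-buildpackage older than 1.18.19 (which, per the cover letter, did not sign them) will now be reported as a failed signature check rather than silently accepted, which is the right fail-closed default; since a user of an older dpkg will hit this, it would help to state the dpkg version requirement in the man page or changelog alongside this change. The cover letter also notes that signing the sources after the .buildinfo was written changes their checksums, so the checksum step will flag those files; a short mention of that case in the documentation would save users from treating it as a verifier bug.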
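Review bot: In the two main() hunks (@@ -358,7 +358,7 @@ and @@ -416,7 +416,7 @@), the identical message `"no .changes, .buildinfo or .dsc files specified\n"` is now maintained in two places, and this patch had to update both; hoisting it into a single variable or a small helper would keep the two `xdie` calls from drifting apart the next time a file type is added.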
devscripts-devel mailing list
devscripts-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel