Source: devscripts
Source-Version: 2.17.0
Severity: important
X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org

Hi!

The .buildinfo files were supposed to be signed, but dpkg-buildpackage
didn't do that until dpkg 1.18.19. Even then, when we sign sources and
those get referenced in the .buildinfo file, their checksums will not
match as they have been changed.

I've prepared a patch for dscverify to test the new dpkg, but debsign
is still pending. Patch attached, please review.

Thanks,
Guillem

From 1579878c73e248f89d5619d893dab450fc6344fb Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@debian.org>
Date: Fri, 27 Jan 2017 14:02:44 +0100
Subject: [PATCH] dscverify: Add support for .buildinfo files

Signed-off-by: Guillem Jover <guil...@debian.org>
---
 scripts/dscverify.1  | 11 +++++++----
 scripts/dscverify.pl | 10 +++++-----
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/scripts/dscverify.1 b/scripts/dscverify.1
index 48b41a25..1082147a 100644
--- a/scripts/dscverify.1
+++ b/scripts/dscverify.1
@@ -2,15 +2,17 @@
 .SH NAME
 dscverify \- verify the validity of a Debian package
 .SH SYNOPSIS
-\fBdscverify\fR [\fB\-\-keyring \fIkeyring\fR] ... \fIchanges_or_dsc_filename\fR ...
+\fBdscverify\fR [\fB\-\-keyring \fIkeyring\fR] ... \fIchanges_or_buildinfo_or_dsc_filename\fR ...
 .SH DESCRIPTION
 \fBdscverify\fR checks that the GPG signatures on the given
-\fI.changes\fR or \fI.dsc\fR files are good signatures made by keys in
+\fI.changes\fR, \fI.buildinfo\fP or \fI.dsc\fR files are good signatures
+made by keys in
 the current Debian keyrings, found in the \fIdebian-keyring\fR
 and \fIdebian-maintainers\fR
 packages.  (Additional keyrings can be specified using the
 \fB--keyring\fR option any number of times.)  It then checks that the
-other files listed in the \fI.changes\fR or \fI.dsc\fR files have the
+other files listed in the \fI.changes\fR, \fI.buildinfo\fP or \fI.dsc\fR
+files have the
 correct sizes and checksums (MD5 plus SHA1 and SHA256 if the latter are
 present).  The exit status is 0 if there are no problems and non-zero
 otherwise.
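Review bot: the two added lines restore the font with `\fP` (`\fI.buildinfo\fP`) while the rest of the page, including the untouched `\fI.changes\fR` and `\fI.dsc\fR` on the same lines, uses `\fR`; for consistency with the existing source, write `\fI.buildinfo\fR` here and in the `--nosigcheck` hunk below. The new hard breaks after "signatures" and after "or \fI.dsc\fR" are harmless to groff's filling, but they leave a three-word line ("made by keys in"); refilling the two paragraphs would keep the source readable.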
@@ -28,7 +30,8 @@ first option given on the command-line.
 .TP
 \fB\-\-nosigcheck\fR, \fB\-\-no\-sig\-check\fR, \fB-u\fR
 Skip the signature verification step. That is, only verify the sizes and
-checksums of the files listed in the \fI.changes\fR or \fI.dsc\fR files.
+checksums of the files listed in the \fI.changes\fR, \fI.buildinfo\fP or
+\fI.dsc\fR files.
 .TP
 \fB\-\-verbose\fR
 Do not suppress GPG output.
diff --git a/scripts/dscverify.pl b/scripts/dscverify.pl
index 97600856..8bc0857c 100755
--- a/scripts/dscverify.pl
+++ b/scripts/dscverify.pl
@@ -46,7 +46,7 @@ my $havegpg = first { !system('sh', '-c', "command -v $_ >/dev/null 2>&1")  } qw
 
 sub usage {
     print <<"EOF";
-Usage: $progname [options] dsc-or-changes-file ...
+Usage: $progname [options] changes-or-buildinfo-dsc-file ...
   Options: --help      Display this message
            --version   Display version and copyright information
            --keyring <keyring>
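Review bot: the new usage string `changes-or-buildinfo-dsc-file` drops the `or` between `buildinfo` and `dsc`, and it no longer mirrors the manual page's `changes_or_buildinfo_or_dsc_filename`; `changes-or-buildinfo-or-dsc-file` would read correctly and keep the two in step.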
@@ -213,7 +213,7 @@ sub process_file {
 	}
     }
 
-    my @spec = map { split /\n/ } $out =~ /^Files:\s*\n((?:[ \t]+.*\n)+)/mgi;
+    my @spec = map { split /\n/ } $out =~ /^(?:Checksums-Md5|Files):\s*\n((?:[ \t]+.*\n)+)/mgi;
     unless (@spec) {
 	xwarn "no file spec lines in $file\n";
 	return;
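Review bot: a one-line comment on why `Checksums-Md5` is now accepted alongside `Files` would help the next reader, since the alternation only makes sense once one knows that a .buildinfo carries its file list under `Checksums-Md5` rather than `Files`. Because the match keeps the `g` flag, a file that carried both fields would have every entry appear twice in `@spec`; if the checksum loop below does not tolerate duplicates, matching only the first field found would be safer. Also worth a hint in the resulting warning: as the report notes, a .dsc signed after the .buildinfo was written no longer matches the checksum recorded for it, so a checksum failure on a .buildinfo may reflect that rather than tampering.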
@@ -342,7 +342,7 @@ sub process_file {
 
 	close FILE;
 
-	if ($filename =~ /\.dsc$/ && $verify_sigs) {
+	if ($filename =~ /\.(?:dsc|buildinfo)$/ && $verify_sigs) {
 	    $sigcheck = check_signature $filename, @rings;
 	    if ($sigcheck) {
 		xwarn "$filename failed signature check:\n$sigcheck";
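Review bot: extending the per-file signature check to `.buildinfo` means that a .buildinfo listed in a .changes must now carry a good signature. Per the report, dpkg-buildpackage only signs .buildinfo from 1.18.19 and debsign does not yet, so .changes files from older toolchains that list an unsigned .buildinfo will fail here unless `--nosigcheck` is given. Consider whether an unsigned .buildinfo should produce a warning rather than a failure during the transition, or at least state the new requirement in the manual page hunk.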
@@ -358,7 +358,7 @@ sub process_file {
 }
 
 sub main {
-    @ARGV or xdie "no .changes or .dsc files specified\n";
+    @ARGV or xdie "no .changes, .buildinfo or .dsc files specified\n";
 
     my @rings;
 
@@ -416,7 +416,7 @@ sub main {
 	'verbose' => \$verbose,
     ) or do { usage; exit 1 };
 
-    @ARGV or xdie "no .changes or .dsc files specified\n";
+    @ARGV or xdie "no .changes, .buildinfo or .dsc files specified\n";
 
     @rings = get_rings @rings if $use_default_keyrings and $verify_sigs;
 
-- 
2.11.0
