Your message dated Thu, 02 Feb 2017 02:48:34 +0000
with message-id <[email protected]>
and subject line Bug#852801: fixed in devscripts 2.17.1
has caused the Debian Bug report #852801,
regarding devscripts: Please add support for signing/signed .buildinfo
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
852801: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852801
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: devscripts
Source-Version: 2.17.0
Severity: important
X-Debbugs-Cc: [email protected]

Hi!

The .buildinfo files were supposed to be signed, but dpkg-buildpackage
didn't do that until dpkg 1.18.19. Even then, when we sign sources and
those get referenced in the .buildinfo file, their checksums will not
match as they have been changed.

I've prepared a patch for dscverify to test the new dpkg, but debsign
is still pending. Patch attached, please review.

Thanks,
Guillem
From 1579878c73e248f89d5619d893dab450fc6344fb Mon Sep 17 00:00:00 2001
From: Guillem Jover <[email protected]>
Date: Fri, 27 Jan 2017 14:02:44 +0100
Subject: [PATCH] dscverify: Add support for .buildinfo files

Signed-off-by: Guillem Jover <[email protected]>
---
 scripts/dscverify.1  | 11 +++++++----
 scripts/dscverify.pl | 10 +++++-----
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/scripts/dscverify.1 b/scripts/dscverify.1
index 48b41a25..1082147a 100644
--- a/scripts/dscverify.1
+++ b/scripts/dscverify.1
@@ -2,15 +2,17 @@
 .SH NAME
 dscverify \- verify the validity of a Debian package
 .SH SYNOPSIS
-\fBdscverify\fR [\fB\-\-keyring \fIkeyring\fR] ... \fIchanges_or_dsc_filename\fR ...
+\fBdscverify\fR [\fB\-\-keyring \fIkeyring\fR] ... \fIchanges_or_buildinfo_or_dsc_filename\fR ...
 .SH DESCRIPTION
 \fBdscverify\fR checks that the GPG signatures on the given
-\fI.changes\fR or \fI.dsc\fR files are good signatures made by keys in
+\fI.changes\fR, \fI.buildinfo\fP or \fI.dsc\fR files are good signatures
+made by keys in
 the current Debian keyrings, found in the \fIdebian-keyring\fR
 and \fIdebian-maintainers\fR
 packages.  (Additional keyrings can be specified using the
 \fB--keyring\fR option any number of times.)  It then checks that the
-other files listed in the \fI.changes\fR or \fI.dsc\fR files have the
+other files listed in the \fI.changes\fR, \fI.buildinfo\fP or \fI.dsc\fR
+files have the
 correct sizes and checksums (MD5 plus SHA1 and SHA256 if the latter are
 present).  The exit status is 0 if there are no problems and non-zero
 otherwise.
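Review bot: The two new .buildinfo spans in DESCRIPTION are closed with \fP ("\fI.buildinfo\fP") while every other span in the paragraph is closed with \fR. Both return to roman here, but \fR would keep the page consistent. The edit also leaves "made by keys in" and "files have the" as short lines; refilling the paragraph would keep the source tidy.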
@@ -28,7 +30,8 @@ first option given on the command-line.
 .TP
 \fB\-\-nosigcheck\fR, \fB\-\-no\-sig\-check\fR, \fB-u\fR
 Skip the signature verification step. That is, only verify the sizes and
-checksums of the files listed in the \fI.changes\fR or \fI.dsc\fR files.
+checksums of the files listed in the \fI.changes\fR, \fI.buildinfo\fP or
+\fI.dsc\fR files.
 .TP
 \fB\-\-verbose\fR
 Do not suppress GPG output.
diff --git a/scripts/dscverify.pl b/scripts/dscverify.pl
index 97600856..8bc0857c 100755
--- a/scripts/dscverify.pl
+++ b/scripts/dscverify.pl
@@ -46,7 +46,7 @@ my $havegpg = first { !system('sh', '-c', "command -v $_ >/dev/null 2>&1")  } qw
 
 sub usage {
     print <<"EOF";
-Usage: $progname [options] dsc-or-changes-file ...
+Usage: $progname [options] changes-or-buildinfo-dsc-file ...
   Options: --help      Display this message
            --version   Display version and copyright information
            --keyring <keyring>
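Review bot: The new usage string "changes-or-buildinfo-dsc-file" drops the "or" between buildinfo and dsc, and no longer matches the man page synopsis in this same patch (changes_or_buildinfo_or_dsc_filename). Suggest "changes-or-buildinfo-or-dsc-file" so the two agree.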
@@ -213,7 +213,7 @@ sub process_file {
 	}
     }
 
-    my @spec = map { split /\n/ } $out =~ /^Files:\s*\n((?:[ \t]+.*\n)+)/mgi;
+    my @spec = map { split /\n/ } $out =~ /^(?:Checksums-Md5|Files):\s*\n((?:[ \t]+.*\n)+)/mgi;
     unless (@spec) {
 	xwarn "no file spec lines in $file\n";
 	return;
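Review bot: Because the match runs with /g, the widened pattern "^(?:Checksums-Md5|Files):" collects the lines of every matching field, so an input that carries both a Files and a Checksums-Md5 field would put each file into @spec twice. The two fields also differ in shape: Files lines in a .changes have five columns (md5, size, section, priority, name), as in the upload quoted later in this thread, while Checksums-* lines have three. The code that splits @spec is outside this hunk, so please confirm it accepts the three-column form, and consider using only the first field that matches.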
@@ -342,7 +342,7 @@ sub process_file {
 
 	close FILE;
 
-	if ($filename =~ /\.dsc$/ && $verify_sigs) {
+	if ($filename =~ /\.(?:dsc|buildinfo)$/ && $verify_sigs) {
 	    $sigcheck = check_signature $filename, @rings;
 	    if ($sigcheck) {
 		xwarn "$filename failed signature check:\n$sigcheck";
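Review bot: The extended test "/\.(?:dsc|buildinfo)$/" sends every listed .buildinfo through check_signature, but the report above says dpkg-buildpackage only signs .buildinfo files from dpkg 1.18.19 on. If check_signature returns an error for an unsigned file, anything built with an older dpkg will now stop here with "failed signature check". Worth deciding whether that is intended and documenting it in the man page, or reporting the unsigned case with its own message. A test with one signed and one unsigned .buildinfo would pin the behaviour down.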
@@ -358,7 +358,7 @@ sub process_file {
 }
 
 sub main {
-    @ARGV or xdie "no .changes or .dsc files specified\n";
+    @ARGV or xdie "no .changes, .buildinfo or .dsc files specified\n";
 
     my @rings;
 
@@ -416,7 +416,7 @@ sub main {
 	'verbose' => \$verbose,
     ) or do { usage; exit 1 };
 
-    @ARGV or xdie "no .changes or .dsc files specified\n";
+    @ARGV or xdie "no .changes, .buildinfo or .dsc files specified\n";
 
     @rings = get_rings @rings if $use_default_keyrings and $verify_sigs;
 
-- 
2.11.0


--- End Message ---
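The checksum problem described in the report above (a .buildinfo written before the .dsc is signed no longer matches the signed .dsc), as an added example that is not code from devscripts or dpkg. The file name hello_1.0.dsc, the reduced .buildinfo paragraph and all function names are constructed for illustration, and fake_clearsign only imitates the clearsign envelope; it produces no real OpenPGP signature.

```python
import hashlib
import re

def sha256_entry(name, data):
    # One " <sha256> <size> <filename>" line, the layout of a Checksums-Sha256 entry.
    return f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}\n"

def make_buildinfo(files):
    # Constructed, minimal .buildinfo-style paragraph (most real fields omitted).
    body = "".join(sha256_entry(n, d) for n, d in sorted(files.items()))
    return "Format: 1.0\nSource: hello\nVersion: 1.0\nChecksums-Sha256:\n" + body

def parse_checksums(control, field="Checksums-Sha256"):
    # Return {filename: (hexdigest, size)} for one multi-line checksum field.
    m = re.search(rf"^{re.escape(field)}:[ \t]*\n((?:[ \t]+.*\n)+)", control, re.M | re.I)
    entries = {}
    for line in (m.group(1).splitlines() if m else []):
        digest, size, name = line.split()
        entries[name] = (digest.lower(), int(size))
    return entries

def verify(control, files):
    # Return a list of problems; an empty list means every listed file matches.
    problems = []
    for name, (digest, size) in parse_checksums(control).items():
        data = files.get(name)
        if data is None:
            problems.append(f"{name}: missing")
        elif len(data) != size:
            problems.append(f"{name}: size {len(data)} != {size}")
        elif hashlib.sha256(data).hexdigest() != digest:
            problems.append(f"{name}: sha256 mismatch")
    return problems

def fake_clearsign(data):
    # Stand-in for clearsigning: only the added envelope matters for the checksum;
    # the signature body is a dummy (assumption, not a real signature).
    return (b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n" + data +
            b"-----BEGIN PGP SIGNATURE-----\n\nCONSTRUCTED\n-----END PGP SIGNATURE-----\n")

def demo():
    files = {"hello_1.0.dsc": b"Format: 3.0 (native)\nSource: hello\nVersion: 1.0\n"}
    buildinfo = make_buildinfo(files)            # written at build time, .dsc unsigned
    before = verify(buildinfo, files)
    files["hello_1.0.dsc"] = fake_clearsign(files["hello_1.0.dsc"])  # signed afterwards
    stale = verify(buildinfo, files)             # old entry no longer describes the file
    refreshed = verify(make_buildinfo(files), files)  # entry recomputed after signing
    return before, stale, refreshed
```

demo() returns the verification results before signing, after signing with the old .buildinfo, and after the entry has been recomputed.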
--- Begin Message ---
Source: devscripts
Source-Version: 2.17.1

We believe that the bug you reported is fixed in the latest version of
devscripts, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <[email protected]> (supplier of updated devscripts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 Feb 2017 21:25:00 -0500
Source: devscripts
Binary: devscripts
Architecture: source
Version: 2.17.1
Distribution: unstable
Urgency: medium
Maintainer: Devscripts Devel Team <[email protected]>
Changed-By: James McCoy <[email protected]>
Description:
 devscripts - scripts to make the life of a Debian Package maintainer easier
Closes: 851590 852801 852918
Changes:
 devscripts (2.17.1) unstable; urgency=medium
 .
   [ Osamu Aoki ]
   * uscan:
     + PyPI packages location change.  (Closes: #851590)
 .
   [ Guillem Jover ]
   * dscverify:
     + Add support for .buildinfo files.  (Closes: #852801)
 .
   [ Mattia Rizzolo ]
   * dscverify:
     + Remove reference to the long gone debian-maintainers package.
   * test_package_lifecycle:
     + Import patch from Ubuntu to have the test pass on their builders too:
       filter out output from pkg-create-dbgsym's dh_gencontrol wrapper, pass
       --set-envvar=NO_PKG_MANGLE=1 to debuild, and pass -U to debchange.
   * debian/tests/control:
     + Depend on build-essential.
 .
   [ James McCoy ]
   * test_package_lifecycle:
     + Ignore debhelper's new "create-stamp" output to fix the test failure.
       (Closes: #852918)
Checksums-Sha1:
 ff99514e9af5ecb0d31b57e81563bca6ff646b5a 2462 devscripts_2.17.1.dsc
 3b8e882bc302ded2ef9ef8c85e7932d0b18679cd 678624 devscripts_2.17.1.tar.xz
 d0cf77de90353e3d17fed0f7e8f55c42f614d35f 8353 devscripts_2.17.1_amd64.buildinfo
Checksums-Sha256:
 8a4d5b803ffbcafc568da5ed3aae3b314b90a5acb484c7edaf5085379068427c 2462 devscripts_2.17.1.dsc
 da1bbfaa88cc856bcd60993d96139b6af3301dd974c2d24c9cde4875fb991b93 678624 devscripts_2.17.1.tar.xz
 e7e924c993c237a13ac0b84777d73fb1a62b4342e144790549a0bf1eee8cce4a 8353 devscripts_2.17.1_amd64.buildinfo
Files:
 58bc8646545db4ed351770d714d1ea09 2462 devel optional devscripts_2.17.1.dsc
 2389705d5fd3e5eb8d5208df476434bd 678624 devel optional devscripts_2.17.1.tar.xz
 0a45518e9c1d66382d4958d62c64a059 8353 devel optional devscripts_2.17.1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---