This is an automated email from the git hooks/post-receive script. jamessan pushed a commit to branch master in repository devscripts.
commit 3f3efc9e5bc7b0d0fab70f523ecd26ae6b94d103 Author: James McCoy <[email protected]> Date: Fri Jul 7 00:23:50 2017 -0400 uscan: Inability to verify GPG signature is a fatal error If uscan successfully downloads an archive and is configured to verify the GPG signature, then any failure to do so will cause uscan to exit with an error. This includes not having the keyring, inability to download the detached signature, and the actual gpg(v) verification failing. Signed-off-by: James McCoy <[email protected]>
---
debian/changelog | 3 +++ scripts/uscan.pl | 16 ++++++---------- 2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 92081fe..55c03bd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -36,6 +36,9 @@ devscripts (2.17.7) UNRELEASED; urgency=medium + Use Dpkg::Version instead of shelling out to dpkg to compare upstream & mangled versions. This improves the performance slightly and also avoids dpkg's errors about malformed versions. (Closes: #866998) + + When GPG verification is configured but the verification fails (either + during actual verification or because of missing keyring/signature), + exit uscan with an error. (Closes: #841910) * grep-excuses: + Use YAML::Syck to parse excuses.yaml instead of using regex to pick apart update_excuses.html.
diff --git a/scripts/uscan.pl b/scripts/uscan.pl
index b5c93b9..ceeee71 100755
--- a/scripts/uscan.pl
+++ b/scripts/uscan.pl
@@ -3596,7 +3596,7 @@ EOF
 uscan_verbose "Downloading OpenPGP signature from\n $pgpsig_url (pgpsigurlmangled)\n as $sigfile\n";
 $signature_available = $downloader->($pgpsig_url, "$destdir/$sigfile", $options{'mode'});
 } else { # -1, 0
- uscan_verbose "Don\'t downloading OpenPGP signature from\n $pgpsig_url (pgpsigurlmangled)\n as $sigfile\n";
+ uscan_verbose "Not downloading OpenPGP signature from\n $pgpsig_url (pgpsigurlmangled)\n as $sigfile\n";
 $signature_available = (-e "$destdir/$sigfile") ? 1 : 0;
 }
 } elsif ($options{'pgpmode'} eq 'previous') {
@@ -3606,7 +3606,7 @@ EOF
 uscan_verbose "Downloading OpenPGP signature from\n $pgpsig_url (pgpmode=previous)\n as $sigfile\n";
 $signature_available = $downloader->($pgpsig_url, "$destdir/$sigfile", $options{'mode'});
 } else { # -1, 0
- uscan_verbose "Don\'t downloading OpenPGP signature from\n $pgpsig_url (pgpmode=previous)\n as $sigfile\n";
+ uscan_verbose "Not downloading OpenPGP signature from\n $pgpsig_url (pgpmode=previous)\n as $sigfile\n";
 $signature_available = (-e "$destdir/$sigfile") ? 1 : 0;
 }
 $download_available = $previous_download_available;
@@ -3620,14 +3620,12 @@ EOF
 if ($signature == -1) {
 uscan_verbose("SKIP Checking OpenPGP signature (by request).\n");
 } elsif (! defined $keyring) {
- uscan_warn("FAIL Checking OpenPGP signature (no keyring).\n");
- return 1;
+ uscan_die("FAIL Checking OpenPGP signature (no keyring).\n");
 } elsif ($download_available == 0) {
 uscan_warn "FAIL Checking OpenPGP signature (no upstream tarball downloaded).\n";
 return 1;
 } elsif ($signature_available == 0) {
- uscan_warn("FAIL Checking OpenPGP signature (no signature file downloaded).\n");
- return 1;
+ uscan_die("FAIL Checking OpenPGP signature (no signature file downloaded).\n");
 } else {
 if ($signature ==0) {
 uscan_verbose "Use the existing file: $sigfile\n";
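Review bot: The FAIL branches in the hunk at -3620 now differ in severity without the code saying why: the no-keyring and no-signature-file branches call `uscan_die`, while the `$download_available == 0` branch keeps `uscan_warn` plus `return 1`. The commit message gives the reason (no tarball was downloaded, so there is nothing to verify), but a reader of the code cannot see it, so a comment on that branch would help, e.g. `# No tarball was downloaded, so there is nothing to verify; this is not a verification failure.` The same pattern appears in the hunk at -3662, which has the same `uscan_warn`/`return 1` branch for the no-tarball case. The SKIP message is also reported with `uscan_verbose` here but with `uscan_warn` in the -3662 hunk; if both are by-request skips, one severity would be clearer. The enclosing if/elsif chain continues past the end of this hunk.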
@@ -3662,8 +3660,7 @@ EOF
 if ($signature == -1) {
 uscan_warn("SKIP Checking OpenPGP signature (by request).\n");
 } elsif (! defined $keyring) {
- uscan_warn("FAIL Checking OpenPGP signature (no keyring).\n");
- return 1;
+ uscan_die("FAIL Checking OpenPGP signature (no keyring).\n");
 } elsif ($download_available == 0) {
 uscan_warn "FAIL Checking OpenPGP signature (no signed upstream tarball downloaded).\n";
 return 1;
@@ -3673,8 +3670,7 @@ EOF
 '--no-options', '-q', '--batch', '--no-default-keyring', '--keyring', $keyring, '--trust-model', 'always', '--decrypt', '-o', "$destdir/$newfile_base", "$destdir/$sigfile_base") >> 8 == 0) {
- uscan_warn("OpenPGP signature did not verify.\n");
- return 1;
+ uscan_die("OpenPGP signature did not verify.\n");
 }
 }
 $previous_newfile_base = undef;
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git _______________________________________________ devscripts-devel mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
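Review bot: In the hunk at -3673, when the `--decrypt -o "$destdir/$newfile_base"` run is rejected, the new `uscan_die` exits with whatever gpg may already have written to `$destdir/$newfile_base` still on disk, so an unverified tarball can be left in the destination directory; removing it first, `unlink "$destdir/$newfile_base";` on the line before `uscan_die`, would avoid that (whether gpg writes output before reporting a bad signature depends on the gpg version, so confirm before relying on it). The message "OpenPGP signature did not verify" is presumably also reached when the command could not be started at all (`system` returns -1, whose `>> 8` is nonzero), so appending `$?` and `$!` to the message, e.g. `uscan_die("OpenPGP signature did not verify (status $?: $!).\n");`, would let an operator tell a missing or unrunnable gpg from a bad signature. The `if` this branch belongs to opens before the start of the hunk, so the exact condition is not visible here.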
