On 2018-01-23, Osamu Aoki wrote:
> I am in a good mood to do my user support duty :-) So let me show.
Thanks!

> On Mon, Jan 22, 2018 at 01:24:20PM -0800, Vagrant Cascadian wrote:
>> There are a number of projects hosted at kernel.org that use the
>> kup-client utility to handle uploads. While it may upload a signature to
>> verify the uploaded tarballs, those signatures are against the
>> uncompressed tarball, rather than the compressed tarballs.
>>
>> For example, for dtc version 1.4.6, there is:
>>
>> https://www.kernel.org/pub/software/utils/dtc/
>>
>> dtc-1.4.6.tar.gz
>> dtc-1.4.6.tar.sign
>> dtc-1.4.6.tar.xz
>>
>> I can download either .tar.gz or .tar.xz, decompress them, and then use
>> the .tar.sign to verify it, but I don't see any obvious way to do this
>> from debian/watch.
>
> The obvious way is to read the manpage of uscan. ... many ways but
> something along

I've read the uscan manpage quite a number of times, but even after using
uscan for well over a decade and reading the manpage many times over the
years, nothing really comes across as obvious. So there's a difference
between reading the fine manual and comprehending it.

Fortunately, it's one of those things I get working once for a package and
infrequently need to update it, so that's good. And yet...

> version=4
> opts="pgpmode=mangle, pgpsigurlmangle=s%tar\..z$%tar\.sign%" \
> https://www.kernel.org/pub/software/utils/dtc/ \
> @PACKAGE@@ANY_VERSION@@ARCHIVE_EXT@ \
> debian uupdate

Thanks for the suggestion... with debian/watch:

version=4
opts="pgpmode=mangle, pgpsigurlmangle=s%tar\..z$%tar\.sign%" \
https://www.kernel.org/pub/software/utils/dtc/ \
dtc-@ANY_VERSION@@ARCHIVE_EXT@ \
debian uupdate

Using @PACKAGE@ didn't work because upstream is named differently
(device-tree-compiler vs. dtc).
But even with that fixed/worked around:

uscan: Newest version of device-tree-compiler on remote site is 1.4.6, local version is 1.4.5
uscan: => Newer package available from
https://www.kernel.org/pub/software/utils/dtc/dtc-1.4.6.tar.xz
gpgv: Signature made Tue Jan 2 22:12:20 2018 PST
gpgv: using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392
gpgv: BAD signature from "David Gibson <[email protected]>"
uscan die: OpenPGP signature did not verify.

If I manually take the files that uscan downloaded and verify them like so:

$ xz -d dtc-1.4.6.tar.xz
$ gpg --verify dtc-1.4.6.tar.xz.n dtc-1.4.6.tar
gpg: Signature made Tue Jan 2 22:12:20 2018 PST
gpg: using RSA key 75F46586AE61A66CC44E87DC6C38CACA20D9B392
gpg: Good signature from "David Gibson <[email protected]>" [unknown]
gpg: aka "David Gibson (kernel.org) <[email protected]>" [unknown]
gpg: aka "David Gibson (Red Hat) <[email protected]>" [unknown]
gpg: aka "David Gibson (ozlabs.org) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 75F4 6586 AE61 A66C C44E 87DC 6C38 CACA 20D9 B392

I am fairly certain this is because the signature is not against the
.tar.xz, but against the uncompressed tarball.

Does uscan (attempt to) decompress the tarball before verifying the
signature? If not, I don't see how this could possibly work; in fact, if
it did, it would be a serious security bug, as the signature is against
the uncompressed tarball.

>> I'm also not sure the Debian archive supports uploading a signature file
>> against a file that isn't included in the distribution, so maybe this
>> isn't really an issue worth handling in uscan...
>
> That is not a uscan bug. I as the primary uscan committer want to hear
> your experience. Did you try? If you find out the answer, please let
> me know what shall be done.
I haven't tried because I haven't yet figured out a way to automate the
verification of the signature (short of writing something entirely
outside of uscan).

live well,
vagrant
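The manual decompress-then-verify step from the mail, scripted as an added example (not part of the mail, and not devscripts or uscan code): it decompresses to a temporary file so the download is left intact, and checks the detached signature with gpgv against a pinned keyring rather than the user's web of trust. The keyring path debian/upstream/signing-key.asc and the script name are assumptions.

```shell
#!/bin/sh
# Added example: verify a kernel.org-style detached signature, which is made
# over the *uncompressed* tarball, against a compressed download. The keyring
# location below is an assumption (Debian's usual debian/upstream/signing-key.asc).
set -eu

# Map the compressed tarball name to its signature name, using the same rule
# as pgpsigurlmangle=s%tar\..z$%tar\.sign% in the watch file.
sig_name_for() {
    printf '%s\n' "$1" | sed 's%tar\..z$%tar\.sign%'
}

# Stream-decompress $1 by extension into $2; the download itself is not modified.
decompress_to() {
    case "$1" in
        *.tar.gz) gzip -dc "$1" > "$2" ;;
        *.tar.xz) xz -dc "$1" > "$2" ;;
        *) echo "unsupported archive: $1" >&2; return 1 ;;
    esac
}

# Decompress to a temp file and check the detached signature over that file
# with gpgv (not gpg --verify): only keys in the pinned keyring count, so the
# "not certified with a trusted signature" state of the user's keyring is
# irrelevant. Returns 0 only for a good signature from a key in the keyring.
verify_uncompressed() {
    tarball=$1
    keyring=${2:-debian/upstream/signing-key.asc}   # assumed location
    sig=$(sig_name_for "$tarball")
    [ -f "$sig" ] || { echo "missing signature file: $sig" >&2; return 1; }
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    decompress_to "$tarball" "$work/plain.tar"
    # gpgv expects a binary keyring; dearmor the .asc first.
    gpg --dearmor < "$keyring" > "$work/keyring.gpg"
    gpgv --keyring "$work/keyring.gpg" "$sig" "$work/plain.tar"
}

# Usage: sh verify-tar-sign.sh dtc-1.4.6.tar.xz [signing-key.asc]
if [ $# -ge 1 ]; then
    verify_uncompressed "$@"
fi
```

A non-zero exit (bad or missing signature, unknown key, unsupported archive) is the signal to stop the import, which is the behaviour uscan itself shows with "OpenPGP signature did not verify".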
_______________________________________________
devscripts-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
