Bug#1040816: dgit: gpg signing fail when comment section exist in gpg key

2023-07-17 Thread Sean Whitton
Hello,

On Tue 11 Jul 2023 at 01:37pm +01, Ian Jackson wrote:

> Boyuan Yang writes ("Re: Bug#1040816: dgit: gpg signing fail when comment 
> section exist in gpg key"):
>> Please check the "DEBSIGN_KEYID" environment variable as described in 
>> debsign(1).
>> Currently I have it set up in my bashrc. When I was using the plain 
>> gbp-buildpackage
>> workflow, I also used the -k option whenever possible.
>
> Thanks.
>
> I looked at the code, and I'm not sure DEBSIGN_KEYID is quite right because
> it would override the whole keyid.  dgit tries to find the key using the
> changelog maintainer.  Sean, what do you think?  (It would be a change
> to behaviour for existing users who have set DEBSIGN_KEYID.)

Seems like this could be annoying for someone relying on the current
behaviour to use more than one key to upload to more than one archive?
That does seem like a useful feature.

-- 
Sean Whitton



Bug#1040816: dgit: gpg signing fail when comment section exist in gpg key

2023-07-11 Thread Boyuan Yang
Hi,

On Tue, 11 Jul 2023 13:37:25 +0100 Ian Jackson wrote:
> Boyuan Yang writes ("Re: Bug#1040816: dgit: gpg signing fail when comment 
> section exist in gpg key"):
> > Please check the "DEBSIGN_KEYID" environment variable as described in 
> > debsign(1).
> > Currently I have it set up in my bashrc. When I was using the plain 
> > gbp-buildpackage
> > workflow, I also used the -k option whenever possible.
> 
> Thanks.
> 
> I looked at the code, and I'm not sure DEBSIGN_KEYID is quite right because
> it would override the whole keyid.  dgit tries to find the key using the
> changelog maintainer.  Sean, what do you think?  (It would be a change
> to behaviour for existing users who have set DEBSIGN_KEYID.)
> 
> There is an alternative approach: dgit honours various command line
> and config settings for this.  There's a `-k` option, but I guess
> that's not convenient for routine use.
> 
> But there's also the git config options
> 
>   dgit.default.keyid
>   dgit-distro.DISTRO.keyid
> 
> So I think you could say
> 
>   git config --global dgit-distro.debian.keyid 
> 
> Did you see those in the manual ?

I did not see them, and setting keyid via git config solves my problem, thanks.

That being said, I am not sure whether the reported bug should be further
handled. Please feel free to make changes to dgit src/documentation if you find
necessary.

Thanks,
Boyuan Yang




Bug#1040816: dgit: gpg signing fail when comment section exist in gpg key

2023-07-11 Thread Ian Jackson
Boyuan Yang writes ("Re: Bug#1040816: dgit: gpg signing fail when comment 
section exist in gpg key"):
> Please check the "DEBSIGN_KEYID" environment variable as described in 
> debsign(1).
> Currently I have it set up in my bashrc. When I was using the plain 
> gbp-buildpackage
> workflow, I also used the -k option whenever possible.

Thanks.

I looked at the code, and I'm not sure DEBSIGN_KEYID is quite right because
it would override the whole keyid.  dgit tries to find the key using the
changelog maintainer.  Sean, what do you think?  (It would be a change
to behaviour for existing users who have set DEBSIGN_KEYID.)

There is an alternative approach: dgit honours various command line
and config settings for this.  There's a `-k` option, but I guess
that's not convenient for routine use.

But there's also the git config options

  dgit.default.keyid
  dgit-distro.DISTRO.keyid

So I think you could say

  git config --global dgit-distro.debian.keyid 

Did you see those in the manual ?

Ian.

-- 
Ian Jackson    These opinions are my own.

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.



Bug#1040816: dgit: gpg signing fail when comment section exist in gpg key

2023-07-11 Thread Boyuan Yang
Hi,

On Tue, 2023-07-11 at 09:58 +0100, Ian Jackson wrote:
> Boyuan Yang writes ("Bug#1040816: dgit: gpg signing fail when comment section 
> exist in gpg key"):
> > This looks like a rare corner case, but currently when executing
> > "dgit push-source --overwrite" in my dgit-enabled repo, the gpg
> > signing will fail. Example:
> 
> Oh dear.
> 
> > Can we make the invocation to gpg more robust? Or, can we allow using
> > some environment variable to provide the gpg key fingerprint used for
> > signature? If there is indeed such config option somewhere, please let me
> > know. Thanks!
> 
> I think we should do something about this, yes.
> 
> Do you know if your situation works with debsign ?  What configuration
> does debsign accept ?  I think dgit probably ought to honour the same
> configuration for the same thing.

Please check the "DEBSIGN_KEYID" environment variable as described in 
debsign(1).
Currently I have it set up in my bashrc. When I was using the plain 
gbp-buildpackage
workflow, I also used the -k option whenever possible.

Thanks,
Boyuan Yang




Bug#1040816: dgit: gpg signing fail when comment section exist in gpg key

2023-07-11 Thread Ian Jackson
Boyuan Yang writes ("Bug#1040816: dgit: gpg signing fail when comment section 
exist in gpg key"):
> This looks like a rare corner case, but currently when executing
> "dgit push-source --overwrite" in my dgit-enabled repo, the gpg
> signing will fail. Example:

Oh dear.

> Can we make the invocation to gpg more robust? Or, can we allow using
> some environment variable to provide the gpg key fingerprint used for
> signature? If there is indeed such config option somewhere, please let me
> know. Thanks!

I think we should do something about this, yes.

Do you know if your situation works with debsign ?  What configuration
does debsign accept ?  I think dgit probably ought to honour the same
configuration for the same thing.

Thanks,
Ian.

-- 
Ian Jackson    These opinions are my own.

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.



Bug#1040816: dgit: gpg signing fail when comment section exist in gpg key

2023-07-10 Thread Boyuan Yang
Package: dgit
Version: 10.7
Severity: normal


This looks like a rare corner case, but currently when executing
"dgit push-source --overwrite" in my dgit-enabled repo, the gpg
signing will fail. Example:


[~/src/debian/debian/a2ps] [dgit/sid]
-> % LC_ALL=C dgit push-source --overwrite
Format `3.0 (quilt)', need to check/update patch stack
canonical suite name for unstable is sid
examining quilt state (multiple patches, linear mode)
dgit: base trees orig=4a009d596d191de47129 o+d/p=f1fc1e16b704bfe79d25
dgit: quilt differences: src:  ## orig ## gitignores:  == orig ==
dgit: quilt differences:  HEAD == o+d/p   HEAD == o+d/p
starting quiltify (multiple patches, linear mode)
quiltify linearisation planning successful, executing...
nothing quilty to commit, ok.
dpkg-source: info: using options from work/debian/source/options: --extend-
diff-ignore=^(FAQ|doc/(a2ps.info|stamp-
vti|version.texi)|man/(a2ps.1|card.1|fixps.1|pdiff.1|psmandup.1|psset.1))$
dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: verifying ./a2ps_4.15.5.orig.tar.gz.asc
dpkg-source: info: building a2ps using existing ./a2ps_4.15.5.orig.tar.gz
dpkg-source: info: building a2ps using existing ./a2ps_4.15.5.orig.tar.gz.asc
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: building a2ps in a2ps_4.15.5-1.debian.tar.xz
dpkg-source: info: building a2ps in a2ps_4.15.5-1.dsc
changelog will contain changes since 1:4.15.5-1
dpkg-genchanges: warning: 'since' option specifies most recent version
'1:4.15.5-1', ignoring
dpkg-genchanges: info: including full source code in upload
last upload to archive: NO git hash
using existing a2ps_4.15.5.orig.tar.gz
using existing a2ps_4.15.5.orig.tar.gz.asc
using existing a2ps_4.15.5-1.debian.tar.xz
dpkg-source: info: extracting a2ps in a2ps-4.15.5
dpkg-source: info: unpacking a2ps_4.15.5.orig.tar.gz
dpkg-source: info: unpacking a2ps_4.15.5-1.debian.tar.xz
synthesised git commit from .dsc 1:4.15.5-1
nothing quilty to commit, ok.
Checking package changelog for archive version 1:4.15.5-1 ...
checking that a2ps_4.15.5-1.dsc corresponds to HEAD
dpkg-source: warning: extracting unsigned source package
(/home/hosiet/src/debian/debian/a2ps/../a2ps_4.15.5-1.dsc)
dpkg-source: info: extracting a2ps in a2ps-4.15.5
dpkg-source: info: unpacking a2ps_4.15.5.orig.tar.gz
dpkg-source: info: unpacking a2ps_4.15.5-1.debian.tar.xz
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: applying 06-encoding.diff
dpkg-source: info: applying etcmakefile.-pass-arguments-to-date-to-s.patch
dpkg-source: info: applying doca2ps.texi-remove-dates-from-generated.patch
edited .changes for archive .orig contents: removed a2ps_4.15.5.orig.tar.gz
edited .changes for archive .orig contents: removed
a2ps_4.15.5.orig.tar.gz.asc
gpg: skipped "Boyuan Yang ": No secret key
gpg: signing failed: No secret key
dgit: failed command: gpg --detach-sign --armor -u 'Boyuan Yang
' /home/hosiet/src/debian/debian/a2ps/.git/dgit/tag.tmp

dgit: error: subprocess failed with error exit status 2
! Push failed, while signing the tag.
! You can retry the push, after fixing the problem, if you like.
===


Obviously dgit is trying to invoke gpg using the following argument:

gpg --detach-sign -u '$DEBFULLNAME <$DEBEMAIL>' /path/to/file

However, my gpg key has a comment section:

-> % LC_ALL=C gpg --list-secret-keys 
/home/hosiet/.gnupg/pubring.kbx
---
sec   rsa4096 2016-11-10 [SC] [expires: 2034-03-14]
  7E7729476D87D6F11D91ACCBC293E7B461825ACE
uid   [ultimate] Boyuan Yang (Debian Project) 
uid   [ultimate] Boyuan Yang <073p...@gmail.com>
uid   [ultimate] Yang, Boyuan (University of Pittsburgh)

ssb   rsa4096 2016-11-10 [E] [expires: 2034-03-13]

Which means that -u '$DEBFULLNAME <$DEBEMAIL>' will fail, and only invoking
-u '$DEBFULLNAME ($GPG_COMMENT) <$DEBEMAIL>' will succeed:


==
-> % LC_ALL=C gpg --sign -u 'Boyuan Yang ' ChangeLog ; echo $?
gpg: skipped "Boyuan Yang ": No secret key
gpg: signing failed: No secret key
2


-> % LC_ALL=C gpg --sign -u 'Boyuan Yang (Debian Project) ' ChangeLog ; echo $?
0
=

Can we make the invocation to gpg more robust? Or, can we allow using
some environment variable to provide the gpg key fingerprint used for
signature? If there is indeed such config option somewhere, please let me
know. Thanks!


Best,
Boyuan Yang


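As an added example (not part of this bug thread and not dgit's own code): a small POSIX shell helper that selects the signing key by its primary-key fingerprint, looked up from the e-mail address in gpg's machine-readable listing, and stores it in the `dgit-distro.debian.keyid` option Ian mentions, so dgit never has to match the free-text "Name <email>" user ID that failed above. The sample listing, e-mail addresses and fingerprints are constructed; gpg's `--with-colons` record layout (field 1 record type, field 2 validity, field 10 fingerprint or user ID) is the real one, and `configure_dgit_keyid` is a hypothetical helper name.

```shell
# Print the fingerprint of the primary secret key that has a usable
# (not revoked "r", not expired "e") user ID with exactly this e-mail.
# Reads `gpg --with-colons --list-secret-keys` output on stdin.
# Comment fields such as "(Debian Project)" in the user ID do not matter,
# because only the <email> part is compared (case-insensitively).
keyid_for_email() {
  awk -F: -v email="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    $1 == "sec" { primary = 1; fpr = ""; next }   # new primary key block
    $1 == "ssb" { primary = 0; next }             # subkeys follow; skip their fpr
    $1 == "fpr" && primary && fpr == "" { fpr = $10; next }
    $1 == "uid" && fpr != "" && $2 != "r" && $2 != "e" &&
      index(tolower($10), "<" email ">") { print fpr; exit }
  '
}

# Constructed sample of gpg colon output: one primary key with a commented
# uid, a revoked second uid, and an encryption subkey with its own fpr.
SAMPLE_COLONS='sec:u:4096:1:0123456789ABCDEF:1478736000:2033000000::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1478736000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Alice Example (Debian Project) <alice@example.org>::::::::::0:
uid:r::::1478736000::ABCDEF0123456789ABCDEF0123456789ABCDEF02::Alice Example <old@example.net>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1478736000:2033000000:::::e:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Resolve $DEBEMAIL against the real keyring and store the fingerprint where
# dgit looks for it (hypothetical helper; needs gpg and git, so not run here).
# A full fingerprint is an exact selector for gpg -u, unlike a name string.
configure_dgit_keyid() {
  fpr=$(gpg --batch --with-colons --with-fingerprint --list-secret-keys \
        | keyid_for_email "${DEBEMAIL:?set DEBEMAIL first}") || return 1
  [ -n "$fpr" ] || { echo "no usable secret key for $DEBEMAIL" >&2; return 1; }
  git config --global dgit-distro.debian.keyid "$fpr"
}

# Demo on the constructed listing: prints the primary key's fingerprint.
printf '%s\n' "$SAMPLE_COLONS" | keyid_for_email alice@example.org
```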