On Mon, 25 Jan 2021 17:45:29 +0100 Johannes Schauer Marin Rodrigues 
<jo...@debian.org> wrote:

> The problem is that when you combine --source-only-changes with --keyid, then
> debsign will be run twice (once for the normal changes file and once for the
> source-only changes file) and both times with --re-sign.  This means that the
> second invocation will possibly also change the signature of files that were
> already processed by the first invocation and this means that the checksum of
> the first changes file doesn't match anymore.
> 
> To fix the problem, one might suggest to just run the second invocation of
> debsign with --no-re-sign so that everything that is already signed does not
> get changed and only those things that don't have a signature get signed.
> 
> But this triggers a bug in debsign where the dsc will not even be considered
> for signing if the buildinfo was already signed.

Since the buildinfo file of an upload contains the checksums of the dsc, this
behaviour makes sense, as signing the dsc would break the buildinfo.  On the
other hand for the same reason, if the buildinfo is signed the dsc should
already be signed as well.  In the sbuild --source --source-only-changes case
it most certainly will be, because the first debsign invocation signed it.
What use case would using --no-re-sign for the second call break?
-- 
Regards,
Feri.
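
The checksum dependency discussed in this thread, as an added example that is not part of the original message and is not code from debsign or sbuild: a checker that reads the Checksums-Sha256 field of a .changes or .buildinfo file and reports listed files whose size or hash no longer matches. The file names, the minimal control files and the "SIGNATURE" marker standing in for a real OpenPGP signature are constructed for the demonstration.

```python
import hashlib, os, tempfile

def checksums_sha256(text):
    """Parse the Checksums-Sha256 field into {filename: (sha256, size)}."""
    entries, in_field = {}, False
    for line in text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_field = False  # next field, blank line or signature armor
    return entries

def stale_entries(base, control):
    """List files named in base/control whose size or SHA-256 no longer matches."""
    with open(os.path.join(base, control), encoding="utf-8") as f:
        listed = checksums_sha256(f.read())
    stale = []
    for name, (digest, size) in sorted(listed.items()):
        with open(os.path.join(base, name), "rb") as f:
            data = f.read()
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            stale.append(name)
    return stale

def write_control(base, control, names):
    """Write a minimal constructed control file covering `names`."""
    lines = ["Format: 1.0", "Checksums-Sha256:"]
    for name in names:
        with open(os.path.join(base, name), "rb") as f:
            data = f.read()
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    with open(os.path.join(base, control), "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")

def demo():
    """Constructed upload: stale entries before and after the dsc is signed again."""
    dsc, bi, ch = "hello_1.0.dsc", "hello_1.0_amd64.buildinfo", "hello_1.0_amd64.changes"
    with tempfile.TemporaryDirectory() as d:
        def sign_dsc(sig):  # stand-in for debsign: only the signature text differs
            with open(os.path.join(d, dsc), "w", encoding="utf-8") as f:
                f.write(f"Source: hello\nVersion: 1.0\n\nSIGNATURE {sig}\n")
        sign_dsc("first run")
        write_control(d, bi, [dsc])
        write_control(d, ch, [dsc, bi])
        before = (stale_entries(d, bi), stale_entries(d, ch))
        sign_dsc("second run")  # what --re-sign does to an already signed dsc
        return before, (stale_entries(d, bi), stale_entries(d, ch))
```

Calling `stale_entries` on the directory of a real build after each signing step shows whether a later signature invalidated an earlier control file.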
