Your message dated Tue, 03 Oct 2017 13:25:00 +0000
with message-id <[email protected]>
and subject line Re: sbuild: please sign buildinfo files
has caused the Debian Bug report #862059,
regarding sbuild: please sign buildinfo files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
862059: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862059
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sbuild
Version: 0.73.0-4
Tags: patch
User: [email protected]
Usertags: infrastructure
Hello,
dpkg-buildpackage typically generates a .changes and .buildinfo file,
and signs both (since at least dpkg 1.18.19).
But when using sbuild, dpkg-buildpackage inside of the build chroot does
not do the signing, but rather sbuild signs the .changes file afterward.
Please could that code be updated to also sign the .buildinfo (if one
was created).
I have not tested the attached patch (yet?) but it explains the issue at
least. Here is typical output where only the .changes file gets signed:
> ────────────────────────────────────────────────────────────────────────────────
> Finished at 20170314-2338
> Build needed 00:00:43, 5660k disc space
> Signature with key 'F2F4A5FC' requested:
> signfile /home/buildd/build/hello_2.10-1+b1_amd64.changes F2F4A5FC
>
> Successfully signed changes file
The relevance/importance of this is that official Debian package builds
produce .buildinfo files now, and dak archives them, but they are not
being signed yet.
Thanks!
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: kfreebsd-amd64 (x86_64)
Kernel: kFreeBSD 10.1-0-amd64
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff --git a/lib/Sbuild/Build.pm b/lib/Sbuild/Build.pm
index 9a767a2..b196812 100644
--- a/lib/Sbuild/Build.pm
+++ b/lib/Sbuild/Build.pm
@@ -2668,6 +2668,21 @@ sub get_changes {
return $changes;
}
+sub get_buildinfo {
+ my $self=shift;
+ my $buildinfo;
+
+ if ($self->get_conf('BUILD_ARCH_ANY')) {
+ $buildinfo = $self->get('Package_SVersion') . '_' . $self->get('Host Arch') . '.buildinfo';
+ } elsif ($self->get_conf('BUILD_ARCH_ALL')) {
+ $buildinfo = $self->get('Package_SVersion') . "_all.buildinfo";
+ } elsif ($self->get_conf('BUILD_SOURCE')) {
+ $buildinfo = $self->get('Package_SVersion') . "_source.buildinfo";
+ }
+
+ return $buildinfo;
+}
+
sub check_space {
my $self = shift;
my @files = @_;
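Review bot: get_buildinfo has no comment stating its return contract: it returns a bare file name without $build_dir, and it returns undef when none of BUILD_ARCH_ANY, BUILD_ARCH_ALL or BUILD_SOURCE is set. Please document both above the sub, since the caller has to prepend the directory and test for undef. The if/elsif order also means a build with both BUILD_ARCH_ANY and BUILD_ARCH_ALL set always yields the host-arch name, which is worth stating in the same comment.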
@@ -3169,6 +3184,7 @@ sub close_build_log {
my $key_id = $self->get_conf('KEY_ID');
my $build_dir = $self->get_conf('BUILD_DIR');
my $changes;
+ my $buildinfo;
$self->log(sprintf("Signature with key '%s' requested:\n", $key_id));
$changes = $self->get_changes();
if (!defined($changes)) {
@@ -3176,6 +3192,10 @@ sub close_build_log {
} else {
system('debsign', '--re-sign', "-k$key_id", '--', "$build_dir/$changes");
}
+ $buildinfo = $self->get_buildinfo();
+ if (defined($buildinfo) && stat($buildinfo)) {
+ system('debsign', '--re-sign', "-k$key_id", '--', "$build_dir/$buildinfo");
+ }
if ($self->get_conf('SOURCE_ONLY_CHANGES')) {
my $so_changes = $build_dir . '/' . $self->get('Package_SVersion') . "_source.changes";
if (-r $so_changes) {
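Review bot: the existence test stat($buildinfo) in the added block checks the bare file name relative to the current directory, while debsign is then run on "$build_dir/$buildinfo", so the file may be skipped even though it exists in the build directory. Test the path that is actually signed, for example -r "$build_dir/$buildinfo", in the same way as the -r $so_changes check just below. The return value of system() is also not inspected here, so a failed debsign run on the .buildinfo would go unreported.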
--- End Message ---
--- Begin Message ---
Control: notfound -1 0.73.0-4
As far as I can tell, this is now being done by the buildds, e.g.:
https://buildd.debian.org/status/fetch.php?pkg=ocaml&arch=s390x&ver=4.05.0-9&stamp=1505496209&raw=0
[..]
Signature with key '602C42E7' requested:
signfile buildinfo /home/buildd/build/ocaml_4.05.0-9_s390x.buildinfo 602C42E7
fixup_changes buildinfo /home/buildd/build/ocaml_4.05.0-9_s390x.buildinfo
/home/buildd/build/ocaml_4.05.0-9_s390x.changes
signfile changes /home/buildd/build/ocaml_4.05.0-9_s390x.changes 602C42E7
Successfully signed buildinfo, changes files
Possibly all that was required was to use a newer version of debsign from
devscripts that does this by default. So, closing this bug and marking as "not
a bug".
X
On Sun, 07 May 2017 23:20:14 +0100 Steven Chamberlain <[email protected]>
wrote:
> Package: sbuild
> Version: 0.73.0-4
> Tags: patch
> User: [email protected]
> Usertags: infrastructure
>
> Hello,
>
> dpkg-buildpackage typically generates a .changes and .buildinfo file,
> and signs both (since at least dpkg 1.18.19).
>
> But when using sbuild, dpkg-buildpackage inside of the build chroot does
> not do the signing, but rather sbuild signs the .changes file afterward.
>
> Please could that code be updated to also sign the .buildinfo (if one
> was created).
>
> I have not tested the attached patch (yet?) but it explains the issue at
> least. Here is typical output where only the .changes file gets signed:
>
> > ────────────────────────────────────────────────────────────────────────────────
> > Finished at 20170314-2338
> > Build needed 00:00:43, 5660k disc space
> > Signature with key 'F2F4A5FC' requested:
> > signfile /home/buildd/build/hello_2.10-1+b1_amd64.changes F2F4A5FC
> >
> > Successfully signed changes file
>
> The relevance/importance of this is that official Debian package builds
> produce .buildinfo files now, and dak archives them, but they are not
> being signed yet.
>
> Thanks!
>
> -- System Information:
> Debian Release: stretch/sid
> APT prefers unstable
> APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: kfreebsd-amd64 (x86_64)
>
> Kernel: kFreeBSD 10.1-0-amd64
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: sysvinit (via /sbin/init)
--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
--- End Message ---
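Added example, not part of the original thread and not code from sbuild or debsign: a Python check that a .buildinfo is clearsigned and that its Checksums-Sha256 entry in the .changes still matches the file after signing, which is what the fixup_changes step in the buildd log above takes care of. It checks armor presence and checksums only, not signature validity; the buildinfo file name and all sample contents are constructed.

```python
import hashlib

NAME = "hello_2.10-1+b1_amd64.buildinfo"  # constructed file name
# Constructed sample contents; the signature body is a placeholder, not a real one.
UNSIGNED = b"Format: 1.0\nSource: hello\nVersion: 2.10-1+b1\nArchitecture: amd64\n"
SIGNED = (b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + UNSIGNED
          + b"-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n")

def is_clearsigned(data):
    """Armor presence only; verifying the signature itself needs gpg/gpgv."""
    text = data.decode("utf-8", "replace")
    return (text.startswith("-----BEGIN PGP SIGNED MESSAGE-----")
            and "-----BEGIN PGP SIGNATURE-----" in text)

def sha256_entries(changes_text):
    """Parse Checksums-Sha256 of a .changes file into {name: (digest, size)}."""
    entries, in_field = {}, False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith(" ") and len(line.split()) == 3:
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_field = False
    return entries

def make_changes(buildinfo):
    """Constructed minimal .changes listing the given buildinfo bytes."""
    return ("Format: 1.8\nSource: hello\nChecksums-Sha256:\n %s %d %s\n"
            % (hashlib.sha256(buildinfo).hexdigest(), len(buildinfo), NAME))

def check_buildinfo(changes_text, name, buildinfo):
    """Return a list of problems; empty means signed and consistent."""
    problems = []
    if not is_clearsigned(buildinfo):
        problems.append("buildinfo is not clearsigned")
    entry = sha256_entries(changes_text).get(name)
    if entry is None:
        problems.append("buildinfo not listed in .changes")
    elif entry != (hashlib.sha256(buildinfo).hexdigest(), len(buildinfo)):
        problems.append(".changes checksum does not match buildinfo")
    return problems

if __name__ == "__main__":
    print(check_buildinfo(make_changes(UNSIGNED), NAME, UNSIGNED))  # unsigned
    print(check_buildinfo(make_changes(UNSIGNED), NAME, SIGNED))    # signed, no fixup
    print(check_buildinfo(make_changes(SIGNED), NAME, SIGNED))      # signed + fixup
```

The middle case is the one to watch for: signing the .buildinfo changes its bytes, so a .changes written beforehand carries a stale checksum unless it is fixed up before being signed itself.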