Hi!

On Fri, 2012-12-14 at 11:16:19 +0000, Ansgar Burchardt wrote:
> Package: dpkg-dev
> Version: 1.16.9
> Severity: important
> File: /usr/bin/dpkg-source
>
> dpkg-source --require-valid-signature -x gnupg_1.4.12-6.dsc with the attached
> dsc file will process the gnupg part of the dsc. This is however not covered by
> the signature.
>
> This happens as Dpkg::Control::Hash skips until an empty line:
>
>     } elsif (m/^-----BEGIN PGP SIGNED MESSAGE/) {
>         $expect_pgp_sig = 1;
>         if ($$self->{'allow_pgp'}) {
>             # Skip PGP headers
>             while (<$fh>) {
>                 last if m/^$/;
>             }
>
> However one can add trailing whitespace without breaking the signature causing
> the code to skip until the second section.

Nice catch! I'm preparing a tiny fix, and I'm going over RFC4880 to see if there are any other issues to take care of. Will most probably ask the RT if they'd be fine including such a fix for wheezy.

Thanks,
Guillem
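
The mismatch described in the report, as an added example (not code from dpkg or from either poster): it models the quoted skip loop next to one that also treats a whitespace-only line as the end of the armor headers, and flags input on which the two disagree. That a whitespace-only separator is accepted by the signature check is an assumption taken from the report's remark that trailing whitespace does not break the signature; the sample lines and the `body_start` and `ambiguous_separator` helpers are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample, not the .dsc attached to the report. The separator
# after "Hash:" holds a single space instead of being empty.
my @sample = (
    '-----BEGIN PGP SIGNED MESSAGE-----',
    'Hash: SHA1',
    ' ',
    'Source: first-paragraph',
    '',
    'Source: second-paragraph',
    '',
    '-----BEGIN PGP SIGNATURE-----',
);

# Index of the first line after the armor headers, where $blank decides
# which line ends them. Returns undef if no such line exists.
sub body_start {
    my ($lines, $blank) = @_;
    my $i = 0;
    $i++ while $i < @$lines && $lines->[$i] !~ /^-----BEGIN PGP SIGNED MESSAGE/;
    for ($i++; $i < @$lines; $i++) {
        return $i + 1 if $lines->[$i] =~ $blank;
    }
    return undef;
}

# Hypothetical check: true when the quoted loop's test (/^$/) and a
# whitespace-aware test place the start of the body on different lines.
sub ambiguous_separator {
    my ($lines) = @_;
    my $loose  = body_start($lines, qr/^\s*$/);   # whitespace-only counts as blank
    my $strict = body_start($lines, qr/^$/);      # the quoted loop's test
    return defined $loose && (!defined $strict || $strict != $loose);
}

my $quoted = body_start(\@sample, qr/^$/);
my $loose  = body_start(\@sample, qr/^\s*$/);
print "quoted loop resumes at: $sample[$quoted]\n";
print "whitespace-aware loop resumes at: $sample[$loose]\n";
print "reject: ambiguous armor header separator\n" if ambiguous_separator(\@sample);
```

Rejecting such input outright, rather than picking one reading, keeps the control-file parser from ever resuming at a line other than the one the signature check started from.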