Package: devscripts
Version: 2.23.7
Tags: patch

(this is also https://salsa.debian.org/debian/devscripts/-/merge_requests/394)
debsign currently tries to determine the version of gpg by parsing the human-readable output of `gpg --version`.

For use in scripts and other code, the GnuPG project prefers the use of machine-readable output, and has offered `--with-colons --list-config` for many versions (back at least to 1.3.5 according to /usr/share/doc/gnupg/DETAILS.gz). That form of invocation produces a lot of detail, including the actual version number:

    cfg:version:2.2.40

This mode of output is what is used by libgpgme to determine the version of gpg, so it is likely to remain stable and parseable.

The attached patch converts debsign to use the machine-parseable format, rather than the human-readable format.

This issue came up when experimenting with sequoia-chameleon-gnupg, which produces a human-readable string that doesn't match what debsign was checking for (https://gitlab.com/sequoia-pgp/sequoia-chameleon-gnupg/-/issues/61). They're fixing that now in the chameleon upstream, but it seems like debsign should be using the more robust approach anyway.

Thanks for maintaining devscripts!

--dkg
From 6bed35a535962534883a5aa233cbbcbfc7b15624 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor <d...@fifthhorseman.net> Date: Thu, 14 Mar 2024 14:10:59 -0400 Subject: [PATCH] debsign: check gpg version with machine-parseable format debsign currently tries to determine the version of gpg by parsin the human-readable output of `gpg --version`. For use in scripts and other code, the GnuPG project prefers the use of machine-readable output, and has offered `--with-colons --list-config` for many versions (back at least to 1.3.5 according to /usr/share/doc/gnupg/DETAILS.gz). That form of invocation produces a lot of detail, including the actual version number: cfg:version:2.2.40 This mode of output is what is used by libgpgme to determine the version of gpg, so it is likely to remain stable and parseable. This change converts debsign to use the machine-parseable format, rather than the human-readable format. --- scripts/debsign.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/debsign.sh b/scripts/debsign.sh index 15b0dfc2..cc4d31ab 100755 --- a/scripts/debsign.sh +++ b/scripts/debsign.sh @@ -170,7 +170,7 @@ signfile() { ASCII_SIGNED_FILE="${UNSIGNED_FILE}.asc" (cat "$file" ; echo "") > "$UNSIGNED_FILE" - gpgversion=$($signcommand --version | head -n 1 | cut -d' ' -f3) + gpgversion=$($signcommand --with-colons --list-config | awk -F: '/^cfg:version:/ { print $3; exit }') gpgmajorversion=$(echo $gpgversion | cut -d. -f1) gpgminorversion=$(echo $gpgversion | cut -d. -f2) -- 2.43.0
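Review bot: the new `gpgversion=$($signcommand --with-colons --list-config | awk ...)` line has no guard for empty output, so if the signing command prints no `cfg:version:` line (a non-GnuPG signer that does not implement `--list-config`, or gpg failing to start), gpgversion is empty and the two unchanged `cut -d. -f1` / `cut -d. -f2` lines below it silently set gpgmajorversion and gpgminorversion to empty strings for the code after this hunk to use. The old `--version | head -n 1 | cut -d' ' -f3` path had the same weakness, but since this change is motivated by alternative gpg front ends, it is worth failing loudly here, e.g. `[ -n "$gpgversion" ] || { echo "debsign: cannot determine version of $signcommand" >&2; exit 1; }` before the cut lines. Minor: `echo $gpgversion` is unquoted on both following lines; `echo "$gpgversion"` is safer and consistent with the quoting in the changed line.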
signature.asc
Description: PGP signature
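The following is an added, stand-alone illustration of the parsing approach the bug report recommends; it is not devscripts code and not the attached patch. It parses a constructed sample of `gpg --with-colons --list-config` output for the `cfg:version:` record, compares the result against a minimum major.minor, and, unlike the one-line assignment in debsign, treats a missing version record as an explicit failure rather than as an empty string. The `legacy_version_from_banner` function reproduces the old `head -n 1 | cut -d' ' -f3` logic and is fed a hypothetical banner (not the actual sequoia-chameleon-gnupg string) to show why field-counting on human-readable output is fragile. All sample output here is constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not devscripts code): determine the gpg version from the
# machine-readable --with-colons --list-config output and compare it against
# a required minimum, failing explicitly when no version record is present.

# Parse a colon-separated config listing on stdin and print the value of the
# first cfg:version record (e.g. "2.2.40"); print nothing if there is none.
gpg_version_from_config() {
    awk -F: '/^cfg:version:/ { print $3; exit }'
}

# The pre-patch approach: third space-separated word of the first line of
# `gpg --version`. Kept only to demonstrate its fragility below.
legacy_version_from_banner() {
    head -n 1 | cut -d' ' -f3
}

# Return 0 if version $1 (e.g. 2.2.40) is at least $2.$3 (major, minor).
# Returns 2 when $1 is empty or unparseable, so callers cannot mistake an
# unknown version for "0.0" and silently take the "too old" branch.
gpg_version_at_least() {
    _v=$1; _want_major=$2; _want_minor=$3
    [ -n "$_v" ] || return 2
    _major=$(printf '%s\n' "$_v" | cut -d. -f1)
    _minor=$(printf '%s\n' "$_v" | cut -d. -f2)
    # Drop any non-numeric suffix so the integer test below cannot blow up.
    _major=${_major%%[!0-9]*}
    _minor=${_minor%%[!0-9]*}
    [ -n "$_major" ] && [ -n "$_minor" ] || return 2
    [ "$_major" -gt "$_want_major" ] && return 0
    [ "$_major" -eq "$_want_major" ] && [ "$_minor" -ge "$_want_minor" ]
}

# Constructed sample of `gpg --with-colons --list-config` output (a subset of
# the real listing; only the cfg:version record matters here).
SAMPLE_CONFIG='cfg:group:
cfg:version:2.2.40
cfg:pubkey:1;16;17;18;19;22
cfg:cipher:1;2;3;4;7;8;9;10;11;12;13
cfg:digest:2;3;8;9;10;11'

# Constructed output of a hypothetical signer that emits no version record.
SAMPLE_NO_VERSION='cfg:group:
cfg:cipher:1;2;3'

# Hypothetical human-readable banner (not the real chameleon string) whose
# third word is not the version, which is the failure mode the patch avoids.
SAMPLE_BANNER='gpg (GnuPG compatible via hypothetical-frontend) 2.2.40
libgcrypt 1.10.1'

# Named wrappers so each path can be exercised and checked by name.
demo_version()       { printf '%s\n' "$SAMPLE_CONFIG"     | gpg_version_from_config; }
demo_missing()       { printf '%s\n' "$SAMPLE_NO_VERSION" | gpg_version_from_config; }
demo_legacy_broken() { printf '%s\n' "$SAMPLE_BANNER"     | legacy_version_from_banner; }

v=$(demo_version)
if gpg_version_at_least "$v" 2 1; then
    echo "gpg $v: new enough (>= 2.1)"
else
    echo "gpg '$v': too old or unknown"
fi
if gpg_version_at_least "$(demo_missing)" 2 1; then
    echo "missing version record: unexpectedly accepted"
else
    echo "missing version record: rejected (no cfg:version line)"
fi
echo "legacy banner parse yields: '$(demo_legacy_broken)'"
```

Against the constructed listing the colon parser yields `2.2.40`, the listing without a `cfg:version:` record yields nothing and is rejected by `gpg_version_at_least`, and the legacy banner parse yields the word `compatible`, which is exactly the kind of result the patch is protecting debsign from.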