Package: devscripts
Version: 2.16.8
Severity: normal
File: /usr/bin/uscan

Hi,
Asterisk upstream sources are signed by several keys, see for example

  http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-13.11.2.tar.gz
  http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-13.11.2.tar.gz.asc

The set of keys can differ between releases. When there is one signature of a key not listed in debian/upstream/signing-key.asc a validation warning is thrown.

  asterisk$ uscan
  uscan: Newest version of asterisk on remote site is 13.11.2, local version is 13.10.0~dfsg (mangled local version is 13.10.0)
  uscan: => Newer package available from http://downloads.asterisk.org/pub/telephony/asterisk/releases/asterisk-13.11.2.tar.gz
  gpgv: Signature made Fri 09 Sep 2016 06:18:48 PM CEST
  gpgv: using RSA key 368AB332B59975F3
  gpgv: Good signature from "George Joseph <[email protected]>"
  gpgv: Signature made Fri 09 Sep 2016 06:26:07 PM CEST
  gpgv: using DSA key 9C59F000777DCC45
  gpgv: Good signature from "Kevin Harwell <[email protected]>"
  gpgv: Signature made Fri 09 Sep 2016 07:22:47 PM CEST
  gpgv: using DSA key 6CB44E557BD982D8
  gpgv: Good signature from "Richard Mudgett <[email protected]>"
  gpgv: Signature made Fri 09 Sep 2016 07:41:46 PM CEST
  gpgv: using DSA key 8438CBA18D0CAA72
  gpgv: Can't check signature: No public key
  uscan warn: OpenPGP signature did not verify.
In this case d/u/signing-key.asc contains

  asterisk$ gpg --import < debian/upstream/signing-key.asc
  gpg: key DAB29B236B940F89: public key "Joshua Colp <[email protected]>" imported
  gpg: key 9C59F000777DCC45: public key "Kevin Harwell <[email protected]>" imported
  gpg: key 6CB44E557BD982D8: public key "Richard Mudgett <[email protected]>" imported
  gpg: key 368AB332B59975F3: public key "George Joseph <[email protected]>" imported
  gpg: Total number processed: 4
  gpg: imported: 4

DAB29B236B940F89 is in signing-key.asc but there is no signature, and there is an additional signature from 8438CBA18D0CAA72.

When this happens uscan exits with rc=0, but does not process the file further without any meaningful error message. I.e. the DFSG repack specified in debian/watch is not executed at all. Exiting rc=0 even tricks "gbp import-orig --uscan" into importing the non-dfsg upstream tarball into the repo.

I did not find any documentation on how uscan deals with multiple signatures and/or multiple keys, but so far it looks like all signatures have to be made by keys provided in d/u/signing-key.asc. Additional keys in d/u/signing-key.asc are not enforced.

IMHO this behaviour does not make any sense. You need to check the authenticity of any additional key upstream might use before adding it to the repo, you cannot just use one known-good key and ignore the rest. This even makes an attack a bit more likely, since control over just one key in the set is enough to build and sign an accepted tarball.
Best Regards,
Bernhard

-- Package-specific info:
--- /etc/devscripts.conf ---

--- ~/.devscripts ---
Not present

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages devscripts depends on:
ii  dpkg-dev     1.18.10
ii  libc6        2.24-5
ii  perl         5.24.1~rc3-3
pn  python3:any  <none>

Versions of packages devscripts recommends:
ii  apt                         1.3.1
ii  at                          3.1.20-1
ii  curl                        7.50.1-1
ii  dctrl-tools                 2.24-2
ii  debian-keyring              2016.09.04
ii  dput-ng [dput]              1.10
ii  equivs                      2.0.9+nmu1
ii  fakeroot                    1.21-2
ii  file                        1:5.28-4
ii  gnupg                       2.1.15-4
ii  gnupg2                      2.1.15-4
ii  libdistro-info-perl         0.14
ii  libencode-locale-perl       1.05-1
ii  liblwp-protocol-https-perl  6.06-2
ii  libsoap-lite-perl           1.20-1
ii  liburi-perl                 1.71-1
ii  libwww-perl                 6.15-1
ii  licensecheck                3.0.24-1
ii  lintian                     2.5.48
ii  man-db                      2.7.5-1
ii  patch                       2.7.5-1
ii  patchutils                  0.3.4-1
ii  python3-debian              0.1.29
ii  python3-magic               1:5.28-4
ii  sensible-utils              0.0.9
ii  strace                      4.13-0.1
ii  unzip                       6.0-20
ii  wdiff                       1.2.2-1+b1
ii  wget                        1.18-4
ii  xz-utils                    5.2.2-1.2

Versions of packages devscripts suggests:
pn  adequate                     <none>
pn  autopkgtest                  <none>
pn  bls-standalone               <none>
ii  build-essential              12.2
pn  check-all-the-things         <none>
pn  cvs-buildpackage             <none>
pn  devscripts-el                <none>
ii  diffoscope                   61
pn  disorderfs                   <none>
pn  dose-extra                   <none>
pn  duck                         <none>
pn  faketime                     <none>
pn  gnuplot                      <none>
ii  gpgv                         2.1.15-4
pn  how-can-i-help               <none>
ii  libauthen-sasl-perl          2.1600-1
pn  libfile-desktopentry-perl    <none>
ii  libnet-smtp-ssl-perl         1.03-1
pn  libterm-size-perl            <none>
ii  libtimedate-perl             2.3000-2
pn  libyaml-syck-perl            <none>
pn  mozilla-devscripts           <none>
pn  mutt                         <none>
ii  openssh-client [ssh-client]  1:7.3p1-1
pn  piuparts                     <none>
pn  ratt                         <none>
pn  reprotest                    <none>
ii  s-nail [mailx]               14.8.12-1
pn  svn-buildpackage             <none>
pn  w3m                          <none>

-- no debconf information

_______________________________________________
devscripts-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
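The report above leaves the multi-signature policy implicit: gpgv reports each signature separately, uscan folds that into a single warning, and then exits 0. The following is an added example (not code from devscripts, uscan or the Asterisk project) of how a wrapper can make the policy explicit and fail loudly. It parses gpgv's machine-readable `--status-fd` lines (GOODSIG, BADSIG, ERRSIG, NO_PUBKEY are the documented status tags; `--status-fd` and `--keyring` are real gpgv options), then applies a configurable rule: how many good signatures are required and whether a signature from a key outside the keyring is tolerated. The `SAMPLE_STATUS` text is constructed to mirror the report's situation (three keys from signing-key.asc, one unknown key 8438CBA18D0CAA72), with user IDs redacted; the `evaluate` and `verify_detached` function names and their policy parameters are this example's own, not an existing uscan interface.

```python
"""Parse gpgv --status-fd output and apply an explicit multi-signature policy.

Added example, not code from devscripts/uscan. The status-line tags used
here (GOODSIG, BADSIG, ERRSIG, NO_PUBKEY) follow gpgv's --status-fd format;
SAMPLE_STATUS is constructed to mirror the bug report, with user IDs redacted.
"""
import re
import subprocess
import sys
from dataclasses import dataclass, field

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


@dataclass
class SigReport:
    good: dict = field(default_factory=dict)    # long key ID -> user ID (GOODSIG)
    bad: set = field(default_factory=set)       # BADSIG: key known, signature wrong
    unknown: set = field(default_factory=set)   # NO_PUBKEY: signing key not in keyring
    errors: set = field(default_factory=set)    # ERRSIG for any reason other than "no key"


def parse_status(text: str) -> SigReport:
    """Collect the per-signature outcome of every signature gpgv saw."""
    rep = SigReport()
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        tag, rest = m.group(1), (m.group(2) or "")
        args = rest.split()
        if tag == "GOODSIG":
            keyid, _, uid = rest.partition(" ")
            rep.good[keyid.upper()] = uid
        elif tag == "BADSIG":
            rep.bad.add(args[0].upper())
        elif tag == "NO_PUBKEY":
            rep.unknown.add(args[0].upper())
        elif tag == "ERRSIG":
            # ERRSIG <keyid> <pkalgo> <hashalgo> <sigclass> <time> <rc> [<fpr>]
            # rc 9 is "no public key"; that case is already recorded via NO_PUBKEY.
            if len(args) >= 6 and args[5] != "9":
                rep.errors.add(args[0].upper())
    return rep


def evaluate(rep: SigReport, min_good: int = 1, allow_unknown: bool = False):
    """Apply the policy. Returns (exit_code, reasons); exit_code is 0 only if every rule holds."""
    reasons = []
    if rep.bad:
        reasons.append("bad signature(s) from " + ", ".join(sorted(rep.bad)))
    if rep.errors:
        reasons.append("unverifiable signature(s) from " + ", ".join(sorted(rep.errors)))
    if rep.unknown and not allow_unknown:
        reasons.append("signature(s) from key(s) not in keyring: " + ", ".join(sorted(rep.unknown)))
    if len(rep.good) < min_good:
        reasons.append("only %d good signature(s), policy requires %d" % (len(rep.good), min_good))
    return (0 if not reasons else 1), reasons


def verify_detached(keyring: str, sigfile: str, datafile: str, **policy):
    """Run gpgv on a detached signature and apply the policy; callers must propagate the code."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, sigfile, datafile],
        capture_output=True, text=True,
    )
    code, reasons = evaluate(parse_status(proc.stdout), **policy)
    # gpgv itself exits non-zero when a signature did not verify (as in the report);
    # a permissive policy must still surface that rather than silently returning 0.
    if proc.returncode != 0 and code == 0:
        code, reasons = proc.returncode, ["gpgv exited %d" % proc.returncode]
    return code, reasons


# Constructed sample: three good signatures from keys in the keyring, one from an unknown key.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 368AB332B59975F3 George Joseph <redacted>
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 9C59F000777DCC45 Kevin Harwell <redacted>
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6CB44E557BD982D8 Richard Mudgett <redacted>
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 8438CBA18D0CAA72 17 2 00 1473442906 9
[GNUPG:] NO_PUBKEY 8438CBA18D0CAA72
"""

if __name__ == "__main__":
    report = parse_status(SAMPLE_STATUS)
    code, why = evaluate(report)  # strict default: every signature must verify
    print("good:", sorted(report.good), "unknown:", sorted(report.unknown))
    for r in why:
        print("reject:", r)
    sys.exit(code)
```

With the strict default the constructed sample is rejected with a stated reason and a non-zero exit code, which is the behaviour the report asks for instead of a warning followed by rc=0. Passing `allow_unknown=True` reproduces the "ignore signatures I cannot check" reading, and `min_good=N` expresses a threshold so that a single key from the set is not sufficient on its own; which policy is right is a per-package decision, but it should be written down and enforced rather than implied by gpgv's exit status.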
