Bug#1012524: libass: PGP signature

2022-11-30 Thread Oneric
Control: severity -1 important

With the new upstream release, adding the additional keys
is now required for uscan to accept the signature.


signature.asc
Description: PGP signature


Bug#1012524: libass: PGP signature and i386 assembly

2022-06-29 Thread Oneric
Control: tag 1012524 + patch - pending

A patch to match against any authorised keys is attached.
Without this change uscan will error out when encountering
future releases not signed with the current key — even if
the key used is authorised for release signatures.

The contents of signing-key.asc can be inspected
and verified with `gpg --list-packets`. Note that
the signing key and the primary key are not identical for all keys.
MAINTAINERS lists and the output of verification commands
typically show the former, but both appear in gpg -k
and gpg --list-packets.

Alternatively, the new content can be reproduced by following these steps
(assuming gpg does not fetch additional signatures for the imported
keys from its default keyring or the like; if unsure, temporarily rename ~/.gnupg):

  alias gpg_t='command gpg --no-default-keyring --keyring /tmp/tmp.keys'
  curl https://github.com/astiob.gpg | gpg_t --import -
  curl https://github.com/TheOneric.gpg | gpg_t --import -
  curl https://github.com/rcombs.gpg | gpg_t --import -
  gpg_t --export --export-options export-minimal --armor > debian/upstream/signing-key.asc
  # To verify which keys are included
  gpg --list-packets debian/upstream/signing-key.asc

The export options are copied from uscan’s man page.


Cheers

Oneric
From ee09c54c1728e1757608b5160edf66b9a2109245 Mon Sep 17 00:00:00 2001
From: Oneric 
Date: Wed, 29 Jun 2022 17:05:40 +0200
Subject: [PATCH] Add alternate signing keys

Upstream's release note for 0.16.0 announced that the release may
be signed with other keys in the future. A list of authorised keys was
included in the MAINTAINERS file of the (signed) tarball.
Additionally, the git commit adding this file is also signed by the
same key as the release tarball and future changes are promised to be
signed with a pre-existing key.
Without adding the additional authorised keys, uscan will error out
when encountering future releases not signed with the current key.

To verify which keys are in signing-key.asc, `gpg --list-packets` can
be used and the output checked against the IDs listed in MAINTAINERS.
---
 debian/upstream/signing-key.asc | 137 +++-
 1 file changed, 133 insertions(+), 4 deletions(-)

diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
index 77c8d9f..c611b07 100644
--- a/debian/upstream/signing-key.asc
+++ b/debian/upstream/signing-key.asc
@@ -45,8 +45,137 @@ OtUMRG8I/EfGyhYH+PN2cHa9VGIss//OJWTpCfnAyD3g4qVRcYAnbtK2jVVe9wJS
 6zDhMMUJ9QHjMLRFi06f/MHxuES34UhFTmRx1oWv+OUlYCBFWTblI8OXSbgTjsJy
 i1zbNywyGrGjUVv0GrrWq7L0b/bukqBObhyeWpl2kED2+/llZb4rn93GB4VSqvkr
 jkGWoF8NU7ZhwpVEB3M0j3Z8GsctvQ6NIpFqGf3uNQsk1qngUnMqNZE3zHCnt8Do
-dUi2f9uJDlzXNQ5LAgj2pVnqreUwqIh4BBgRCAAJBQJNlOPMAhsMACEJEIB50Ywh
-qqr/FiEEVFjDEAZx8lKw9MdwgHnRjCGqqv+9QgEAoTdOzovu5crCzIbwpBw62IkC
-oe9yiIkrDfNxun95uWwA/jP6yvA884C98+/WFIl4JPtxpljOYlbtyab0zKhhaZwf
-=EtRt

Bug#1012524: libass: PGP signature and i386 assembly

2022-06-08 Thread Oneric
Source: libass
Version: 1:0.16.0-1
Severity: minor

Hi!

I noticed 7a4ee5d47246b80de8bb16ee75faf65bd9cd91b5 recently added the PGP 
key used to sign the last release for future verification. However, as the
0.16.0 release notes and the MAINTAINERS file note, future releases may
also be signed with a few other keys listed in the MAINTAINERS file.

To my understanding something like the following will allow uscan to match 
with any of the authorised keys (alternatively fetch from a keyserver by 
IDs as found in MAINTAINERS):

  alias gpg_t='gpg --no-default-keyring --keyring /tmp/tmp.keys'
  curl https://github.com/astiob.gpg | gpg_t --import -
  curl https://github.com/TheOneric.gpg | gpg_t --import -
  curl https://github.com/rcombs.gpg | gpg_t --import -
  gpg_t --export --export-options export-minimal --armor > debian/upstream/signing-key.asc
  # To verify which keys are included
  gpg --list-packets debian/upstream/signing-key.asc


While updating to 0.16.0 --with-pic was also added for i386 assembly.
However, it appears the nasm dependency is still limited to any-amd64,
after it was in the past[1] removed from i386 due to being not PIC.
The build log[2] confirms that no assembly is built on i386.
Can this be reenabled now that PIC assembly is supported?

Something to take note of is that previously assembly was enabled also for
kfreebsd-i386. Since then, we changed[3] the 32-bit assembly configuration
for BSD systems upstream to fix an issue with regular FreeBSD.
If it truly worked before on kfreebsd-i386 (other than non-PIC being at
odds with the guidelines), then this change may inadvertently have broken 
kfreebsd-i386.
I tried to test it, but the old kfreebsd-i386 installer I found always 
crashes or gets stuck early on in my VM and I wasn't able to set up a 
chroot or multiarch from a kfreebsd-amd64 host either. I can however 
confirm that on kfreebsd-64 the assembly works as intended.


Cheers

Oneric


[1]: https://salsa.debian.org/multimedia-team/libass/-/commit/d9eae1f0aefacf9b8c838cb5108dcc100f336e0b
[2]: https://buildd.debian.org/status/fetch.php?pkg=libass&arch=i386&ver=1%3A0.16.0-1&stamp=1652520467&raw=0
[3]: https://github.com/libass/libass/commit/3855299b0721acfeb5391a140cd6df65ce2b73d2


signature.asc
Description: PGP signature
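Added example (editor's note; this is not code from the bug report, from uscan or from libass): a small Python inspector that does offline what the `gpg --list-packets` step in the messages above does by hand. It dearmors a file like debian/upstream/signing-key.asc, checks the armor CRC-24 (the `=EtRt` style trailer line the patch hunk replaces, so a truncated or hand-edited export is caught), walks the OpenPGP packets and records the fingerprint and long key ID of every primary key and subkey, then matches them against a MAINTAINERS-style list of authorised IDs. The match accepts either a primary-key fingerprint or a signing-subkey ID, because, as noted above, MAINTAINERS and verification output usually show the subkey while both appear in the keyring. The keyring it runs on is constructed inside the block from filler moduli and is not any libass maintainer's key, and the IDs matched against it are stand-ins for the ones in MAINTAINERS. It enumerates keys only: user IDs and self-signatures are skipped, so the authenticity of the export still rests on comparing the result with the MAINTAINERS file from the signed tarball.

```python
import base64
import hashlib

PUBLIC_KEY, PUBLIC_SUBKEY = 6, 14  # packet tags, RFC 4880 section 4.3

def crc24(data: bytes) -> int:
    """Armor checksum (RFC 4880 section 6.1): the value the '=XXXX' trailer line encodes."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Strip the ASCII armor and verify its CRC; ValueError if the file was cut or edited."""
    lines = [line.strip() for line in text.strip().splitlines()]
    body = lines[1:-1]  # drop the BEGIN/END lines
    body = body[body.index("") + 1:] if "" in body else body  # armor headers end at a blank line
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if crc_line and int.from_bytes(base64.b64decode(crc_line[1:]), "big") != crc24(data):
        raise ValueError("armor CRC mismatch")
    return data

def iter_packets(data: bytes):
    """Yield (tag, body) per packet; gpg writes old-format headers, new-format ones also parse."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {pos - 1}")
        if ctb & 0x40:  # new format, RFC 4880 section 4.2.2
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths do not occur in key exports")
        else:  # old format, section 4.2.1: length is 1, 2 or 4 octets; type 3 is indeterminate
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length")
            length, pos = int.from_bytes(data[pos:pos + (1 << ltype)], "big"), pos + (1 << ltype)
        body, pos = data[pos:pos + length], pos + length
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99 || 2-octet length || key packet body (RFC 4880 section 12.2)."""
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def list_keys(armored: str) -> list:
    """One dict per primary key (fingerprint, created, algo, subkey fingerprints); user ID and
    signature packets are skipped, so this lists the keys present but does not validate them."""
    keys = []
    for tag, body in iter_packets(dearmor(armored)):
        if tag == PUBLIC_KEY:
            keys.append({"fpr": v4_fingerprint(body), "created": int.from_bytes(body[1:5], "big"), "algo": body[5], "subkeys": []})
        elif tag == PUBLIC_SUBKEY:
            if not keys:
                raise ValueError("subkey packet before any primary key")
            keys[-1]["subkeys"].append(v4_fingerprint(body))
    return keys

def check_keyring(armored: str, authorised) -> dict:
    """Match keys against MAINTAINERS-style IDs (40-hex fingerprints or 16-hex long key IDs of
    the primary key or a subkey): keys no ID covers are 'unexpected', unmatched IDs 'missing'."""
    wanted = {a.replace(" ", "").upper() for a in authorised}
    covered, unexpected = [], []
    for key in list_keys(armored):
        ids = {key["fpr"], key["fpr"][-16:]} | {x for s in key["subkeys"] for x in (s, s[-16:])}
        hits = ids & wanted
        (covered if hits else unexpected).append(key["fpr"])
        wanted -= hits
    return {"covered": covered, "unexpected": unexpected, "missing": sorted(wanted)}

# Constructed sample keyring: the OpenPGP framing is real, the key material is filler (NOT usable keys).
def fake_rsa_key(tag: int, created: int, seed: bytes) -> bytes:
    modulus = b"\xff" + hashlib.sha256(seed).digest() * 8  # 2056-bit MPI with the top bit set
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + (2056).to_bytes(2, "big") + modulus + b"\x00\x11\x01\x00\x01"
    n = len(body)  # primary keys get the old-format header gpg writes, subkeys a new-format one
    if tag == PUBLIC_KEY:
        return bytes([0x80 | (tag << 2) | 1]) + n.to_bytes(2, "big") + body
    return bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF]) + body  # valid for 192 <= n < 8384

def armor(data: bytes) -> str:
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + f"\n={crc}\n-----END PGP PUBLIC KEY BLOCK-----\n")

SAMPLE_KEYRING = armor(fake_rsa_key(PUBLIC_KEY, 1600000000, b"maintainer A primary") + fake_rsa_key(PUBLIC_SUBKEY, 1600000001, b"maintainer A signing subkey")
                       + fake_rsa_key(PUBLIC_KEY, 1650000000, b"maintainer B primary") + fake_rsa_key(PUBLIC_SUBKEY, 1650000001, b"maintainer B signing subkey"))
```

To use it on the real file, call list_keys(open("debian/upstream/signing-key.asc").read()) and cross-check the printed fingerprints with `gpg --show-keys --with-subkey-fingerprint debian/upstream/signing-key.asc`; then feed the IDs from MAINTAINERS to check_keyring. A key reported as "unexpected" means the export contains more than the intended keys (for instance one picked up from ~/.gnupg), which is the case the "rename ~/.gnupg" caveat above guards against, and a non-empty "missing" list means one of the authorised keys never made it into the file and uscan would reject a release signed with it.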