[devscripts] 01/01: uscan: if signature available
This is an automated email from the git hooks/post-receive script. osamu pushed a commit to branch master in repository devscripts. commit bae7972c955d304599e84d44f37b29905d4fb36a Author: Osamu Aoki Date: Sun Aug 20 15:28:18 2017 +0900 uscan: if signature available Thanks Maximiliano Curia --- scripts/uscan.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/uscan.pl b/scripts/uscan.pl index 1584bc7..458e40e 100755 --- a/scripts/uscan.pl +++ b/scripts/uscan.pl @@ -3762,7 +3762,7 @@ EOF push @cmd, "--signature", $signature_available if ($signature_available != 0); push @cmd, "--signature-file", "$destdir/$sigfile" -if ($signature_available == 1 and $signature_available == 2); +if ($signature_available != 0); push @cmd, "--repack" if $options{'repack'}; push @cmd, "--component", $options{'component'} if defined $options{'component'}; push @cmd, "--compression", $compression; -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git ___ devscripts-devel mailing list devscripts-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
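Review bot: In the @@ -3762,7 hunk, the new guard `if ($signature_available != 0)` on the `--signature-file` push also fires for value 3, which the comment block added in 0932c8b lists as the non-detached signature case still marked XXX FIXME, and 90e7504 sets `$sigfile = $newfile_base` there as a place holder. mk-origtargz would then be handed the whole signed archive as if it were a detached signature. Consider `if ($signature_available == 1 or $signature_available == 2)` until the self-signature case is implemented, and say in the commit message that the old `== 1 and == 2` test could never be true.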
[devscripts] branch master updated (6e112e4 -> bae7972)
This is an automated email from the git hooks/post-receive script.

osamu pushed a change to branch master in repository devscripts.

      from  6e112e4   uscan, mk-origtargz: detached signature handling
       new  bae7972   uscan: if signature available

The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "adds" were already present in the repository and have only been added to this reference.

Summary of changes:
 scripts/uscan.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Processed: Bug#870281 marked as pending
Processing commands for cont...@bugs.debian.org:

> tag 870281 pending
Bug #870281 [devscripts] uscan: symlink/rename detached upstream signature files when symlinking/renaming the orig file
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
870281: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870281
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Bug#832267 marked as pending
Processing commands for cont...@bugs.debian.org:

> tag 832267 pending
Bug #832267 [devscripts] uupdate: convert .sig to .asc
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
832267: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832267
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
[devscripts] 03/05: uscan: reorganize to handle self-signature on tar.gz
This is an automated email from the git hooks/post-receive script. osamu pushed a commit to branch master in repository devscripts. commit 90e7504e7584486d8fb1e64c9ee7b66536d112a8 Author: Osamu Aoki Date: Sun Aug 20 03:01:40 2017 +0900 uscan: reorganize to handle self-signature on tar.gz --- scripts/uscan.pl | 63 +--- 1 file changed, 37 insertions(+), 26 deletions(-) diff --git a/scripts/uscan.pl b/scripts/uscan.pl index b20f714..1584bc7 100755 --- a/scripts/uscan.pl +++ b/scripts/uscan.pl @@ -3481,6 +3481,8 @@ EOF # Download tarball my $download_available; +my $signature_available; +my $sigfile; my $sigfile_base = $newfile_base; if ($options{'pgpmode'} ne 'previous') { # try download package 
@@ -3507,8 +3509,36 @@ EOF $download_available = 0; dehs_verbose "Not downloading upstream package: $newfile_base\n"; } +} +if ($options{'pgpmode'} eq 'self') { + $gpghome = tempdir(CLEANUP => 1); + $sigfile_base =~ s/^(.*?)\.[^\.]+$/$1/; # drop .gpg, .asc, ... + if ($signature == -1) { + uscan_warn("SKIP Checking OpenPGP signature (by request).\n"); + $download_available = -1; # can't proceed with self-signature archive + $signature_available = 0; + } elsif (! defined $keyring) { + uscan_die("FAIL Checking OpenPGP signature (no keyring).\n"); + } elsif ($download_available == 0) { + uscan_warn "FAIL Checking OpenPGP signature (no signed upstream tarball downloaded).\n"; + return 1; + } else { + uscan_verbose "Verifying OpenPGP self signature of $newfile_base and extract $sigfile_base\n"; + unless (system($havegpg, '--homedir', $gpghome, + '--no-options', '-q', '--batch', '--no-default-keyring', + '--keyring', $keyring, '--trust-model', 'always', '--decrypt', '-o', + "$destdir/$sigfile_base", "$destdir/$newfile_base") >> 8 == 0) { + uscan_die("OpenPGP signature did not verify.\n"); + } + # XXX FIXME XXX extract signature as detached signature to $destdir/$sigfile + $sigfile = $newfile_base; # XXX FIXME XXX place holder + $newfile_base = $sigfile_base; + $signature_available = 3; + } +} +if ($options{'pgpmode'} ne 'previous') { # Decompress archive if requested and applicable - if ($download_available and $options{'decompress'}) { + if ($download_available == 1 and $options{'decompress'}) { my $suffix = $sigfile_base; $suffix =~ s/.*?(\.gz|\.xz|\.bz2|\.lzma)?$/$1/; if ($suffix eq '.gz') { @@ -3552,8 +3582,6 @@ EOF # Download signature my $pgpsig_url; -my $sigfile; -my $signature_available; if (($options{'pgpmode'} eq 'default' or $options{'pgpmode'} eq 'auto') and $signature == 1) { uscan_verbose "Start checking for common possible upstream OpenPGP signature files\n"; foreach my $suffix (qw(asc gpg pgp sig sign)) { 
@@ -3649,27 +3677,6 @@ EOF $previous_newversion = $newversion; $previous_download_available = $download_available; } elsif ($options{'pgpmode'} eq 'self') { - $gpghome = tempdir(CLEANUP => 1); - $newfile_base = $sigfile_base; - $newfile_base =~ s/^(.*?)\.[^\.]+$/$1/; - if ($signature == -1) { - uscan_warn("SKIP Checking OpenPGP signature (by request).\n"); - } elsif (! defined $keyring) { - uscan_die("FAIL Checking OpenPGP signature (no keyring).\n"); - } elsif ($download_available == 0) { - uscan_warn "FAIL Checking OpenPGP signature (no signed upstream tarball downloaded).\n"; - return 1; - } else { - uscan_verbose "Verifying OpenPGP self signature of $sigfile_base and extract $newfile_base\n"; - unless (system($havegpg, '--homedir', $gpghome, - '--no-options', '-q', '--batch', '--no-default-keyring', - '--keyring', $keyring, '--trust-model', 'always', '--decrypt', '-o', - "$destdir/$newfile_base", "$destdir/$sigfile_base") >> 8 == 0) { - uscan_die("OpenPGP signature did not verify.\n"); - } - # XXX FIXME XXX extract signature as detached signature to $destdir/$sigfile_base - $signature_available = 3; - } $previous_newfile_base = undef; $previous_sigfile_base = undef; $previous_newversion = undef; @@ -3714,6 +3721,10 @@ EOF uscan_warn "No upstream tarball downloaded. No further processing with mk_origtargz ...\n"; return 1; } +if ($download_available == -1) { + uscan_warn "No upstream tarball unpacked from self signature file. No further processing with mk_origtargz ...\n"; + return 1; +} if ($signature_available == 1 a
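Review bot: In the @@ -3481,6 hunk, `my $signature_available;` is hoisted without an initial value, yet it is compared numerically further down (`$signature_available == 1 ...`), and the only assignments visible in this patch sit inside the pgpmode=self branch. Declare it as `my $signature_available = 0;` so the no-signature case is explicit and the comparison never runs on undef.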
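Review bot: In the @@ -3507,8 hunk, the self-signature path treats a zero exit status from `gpg ... --decrypt` as proof of a good signature; nothing in the block confirms that a signature made by a key in `$keyring` was actually checked. Consider capturing `--status-fd` output and requiring a VALIDSIG line before `$newfile_base` is switched to the extracted file. Since `$sigfile = $newfile_base` is only a place holder that points at the signed archive itself, it would also help to note next to it that `$sigfile` must not be passed on as a detached signature while `$signature_available == 3`.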
[devscripts] 04/05: mk-origtargz: initial signature handling
This is an automated email from the git hooks/post-receive script. osamu pushed a commit to branch master in repository devscripts. commit ec71d9feb04adc1a73471b24d09289e59e925cb8 Author: Osamu Aoki Date: Sun Aug 20 05:00:08 2017 +0900 mk-origtargz: initial signature handling --- scripts/mk-origtargz.pl | 55 + 1 file changed, 55 insertions(+) diff --git a/scripts/mk-origtargz.pl b/scripts/mk-origtargz.pl index d8eaf70..6bd0be5 100644 --- a/scripts/mk-origtargz.pl +++ b/scripts/mk-origtargz.pl @@ -104,6 +104,28 @@ Both the B<--exclude-file> and B<--copyright-file> options amend the list of patterns found in F. If you do not want to read that file, you will have to use B<--package>. +=item B<--signature> I + +Set I: + +=over + +=item 0 for no signature + +=item 1 for normal detached signature + +=item 2 for signature on decompressed + +=item 3 for self signature + +=back + +=item B<--signature-file> I + +Use I as the signature file corresponding to the Debian source +package to create a B (post-stretch) compatible signature file. +(optional) + =back =head2 Action options @@ -227,6 +249,9 @@ my $suffix = ''; my $upstream = undef; +my $signature = 0; +my $signature_file = ""; + # option parsing sub die_opts ($) { @@ -247,6 +272,8 @@ GetOptions( "component|c=s" => \$component, "exclude-file=s" => \@exclude_globs, "copyright-file=s" => \@copyright_files, +"signature=i" => \$signature, +"signature-file=s" => \$signature_file, "compression=s" => \$compression, "symlink" => \&setmode, "rename" => \&setmode, @@ -386,6 +413,10 @@ if ($is_tarfile and not $repack) { } } +# Gather information about the signature file. + +my $is_ascfile = $signature_file =~ /\.asc$/i; +my $is_gpgfile = $signature_file =~ /\.(gpg|pgp|sig|sign)$/i; # Now we know what the final filename will be my $destfilebase = sprintf "%s_%s.%s.tar", $package, $version, $orig; 
@@ -393,6 +424,30 @@ my $destfiletar = sprintf "%s/%s", $destdir, $destfilebase; my $destext = compression_get_property($compression, "file_ext"); my $destfile = sprintf "%s.%s", $destfiletar, $destext; +my $destsigfile; +if ($signature == 1) { +$destsigfile = sprintf "%s.asc", $destfile; +} elsif ($signature == 2) { +$destsigfile = sprintf "%s.asc", $destfiletar; +} else { +# XXX FIXME XXX place holder +$destsigfile = sprintf "%s.asc", $destfile; +} + +if ($signature != 0) { +if ($is_gpgfile) { + my $enarmor = `gpg --output - --enarmor $signature_file 2>&1`; + $? == 0 or die "mk-origtargz: Failed to convert $signature_file to *.asc\n"; + $enarmor =~ s/ARMORED FILE/SIGNATURE/; + $enarmor =~ /^Comment:/d; + open(DESTSIG, ">> $destsigfile") or die "mk-origtargz: Failed to open $destsigfile for append: $!\n"; + print DESTSIG $enarmor; +} else { + if (abs_path($signature_file) ne abs_path($destsigfile)) { + copy $signature_file, $destsigfile; + } +} +} # $upstream_tar is $upstream, unless the latter was a zip file. my $upstream_tar = $upstream; -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git ___ devscripts-devel mailing list devscripts-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
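Review bot: In the @@ -386,6 hunk, `$is_ascfile` is computed but never read in this patch, so the later `else` branch copies any file that does not match `\.(gpg|pgp|sig|sign)$` to a `.asc` name without checking that it is armored. Either test `$is_ascfile` explicitly and die on an unknown extension, or drop the variable.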
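Review bot: In the @@ -393,6 hunk, the backtick call `gpg --output - --enarmor $signature_file 2>&1` interpolates the file name into a shell command line and folds stderr into the captured armor, so a path with spaces or shell metacharacters changes the command and any gpg warning ends up inside the .asc. Use a list-form pipe open, for example `open(my $fh, '-|', 'gpg', '--output', '-', '--enarmor', $signature_file)`, and leave stderr alone. In the same block, `$enarmor =~ /^Comment:/d;` is a match and not a substitution, so the Comment line is never removed (something like `s/^Comment:.*\n//m` is needed). The `">> $destsigfile"` open appends, so a second run leaves two armor blocks in the file, the handle is never closed, and the result of `copy` is not checked.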
[devscripts] 01/05: uscan: MUT, allow "orig-" in the filename
This is an automated email from the git hooks/post-receive script. osamu pushed a commit to branch master in repository devscripts. commit b7c55eef6716b9c78bb28349434a7e942be8bcca Author: Osamu Aoki Date: Sun Aug 20 01:36:00 2017 +0900 uscan: MUT, allow "orig-" in the filename --- scripts/uscan.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/uscan.pl b/scripts/uscan.pl index 7d1c738..2cb803a 100755 --- a/scripts/uscan.pl +++ b/scripts/uscan.pl @@ -3744,7 +3744,7 @@ EOF $path = $1 if $mk_origtargz_out =~ /Successfully .* (?:to|as) ([^,]+)(?:,.*)?\.$/; $path = $1 if $mk_origtargz_out =~ /Leaving (.*) where it is/; $target = basename($path); - $common_mangled_newversion = $1 if $target =~ m/[^_]+_(.+)\.orig\.tar\.(?:gz|bz2|lzma|xz)$/; + $common_mangled_newversion = $1 if $target =~ m/[^_]+_(.+)\.orig(?:-.+)?\.tar\.(?:gz|bz2|lzma|xz)$/; uscan_verbose "New orig.tar.* tarball version (after mk-origtargz): $common_mangled_newversion\n"; } push @origtars, $target; -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git ___ devscripts-devel mailing list devscripts-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
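Review bot: In the @@ -3744,7 hunk, `(?:-.+)?` accepts any characters after `orig-`, including dots and a further `.orig`, so together with the greedy `(.+)` the captured version can swallow part of the file name for a target such as foo_1.0.orig-a.orig-b.tar.gz. Restrict the component to the characters dpkg-source allows, for example `(?:-[A-Za-z0-9-]+)?`, and add a test case with a component tarball.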
[devscripts] 02/05: uscan: Copy and rename signature
This is an automated email from the git hooks/post-receive script. osamu pushed a commit to branch master in repository devscripts. commit 0932c8b42293a5f82cb0b4fbbc1cc6388e00699f Author: Osamu Aoki Date: Sun Aug 20 01:32:22 2017 +0900 uscan: Copy and rename signature Currently support only if the upstream sign with a detached signature --- scripts/uscan.pl | 30 +- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/scripts/uscan.pl b/scripts/uscan.pl index 2cb803a..b20f714 100755 --- a/scripts/uscan.pl +++ b/scripts/uscan.pl @@ -3507,7 +3507,6 @@ EOF $download_available = 0; dehs_verbose "Not downloading upstream package: $newfile_base\n"; } - # Decompress archive if requested and applicable if ($download_available and $options{'decompress'}) { my $suffix = $sigfile_base; @@ -3668,6 +3667,8 @@ EOF "$destdir/$newfile_base", "$destdir/$sigfile_base") >> 8 == 0) { uscan_die("OpenPGP signature did not verify.\n"); } + # XXX FIXME XXX extract signature as detached signature to $destdir/$sigfile_base + $signature_available = 3; } $previous_newfile_base = undef; $previous_sigfile_base = undef; 
@@ -3713,7 +3714,30 @@ EOF uscan_warn "No upstream tarball downloaded. No further processing with mk_origtargz ...\n"; return 1; } +if ($signature_available == 1 and $options{'decompress'}) { + $signature_available = 2; +} +# +# upstream tar file and, if available, signature file are downloaded +# by parsing a watch file line. +# +# upstream tarball: $destdir/$newfile_base -- original tar.gz-like +# upstream tarball: $destdir/$sigfile_base -- decompressed tar if requested +# * for pgpmode=self-- the tarball as gpg extracted +# * for other cases -- the tarball as downloaded +# signature file: $destdir/$sigfile" +# * for $signature_available = 0-- no signature file +# * for $signature_available = 1-- normal signature file +# * for $signature_available = 2-- signature file on decompressed +# * for $signature_available = 3-- non-detached signature (XXX FIXME XXX) +# If pgpmode=self case in the above is fixed, below +# " and ($options{'pgpmode'} ne 'self')" may be dropped. +# New version after making the new orig[-component].tar.gz: +# $common_mangled_newversion +# -- this is true when repacksuffix isn't used. +# # Call mk-origtargz (renames, repacks, etc.) +# my $mk_origtargz_out; my $path = "$destdir/$newfile_base"; my $target = $newfile_base; 
@@ -3724,6 +3748,10 @@ EOF push @cmd, '--repack-suffix', $options{repacksuffix} if defined $options{repacksuffix}; push @cmd, "--rename" if $symlink eq "rename"; push @cmd, "--copy" if $symlink eq "copy"; + push @cmd, "--signature $signature_available" +if ($signature_available != 0); + push @cmd, "--signature-file $destdir/$sigfile" +if ($signature_available == 1 and $signature_available == 2); push @cmd, "--repack" if $options{'repack'}; push @cmd, "--component", $options{'component'} if defined $options{'component'}; push @cmd, "--compression", $compression; -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git ___ devscripts-devel mailing list devscripts-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
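Review bot: In the @@ -3724,6 hunk, the guard on the `--signature-file` push, `$signature_available == 1 and $signature_available == 2`, can never be true, so the signature file is never handed to mk-origtargz; it should be `or`. Both new pushes also build a single string with an embedded space (`"--signature $signature_available"`), unlike the neighbouring `push @cmd, "--component", $options{'component'}`; push the option and its value as separate list elements so that they arrive as separate arguments.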
[devscripts] 05/05: uscan, mk-origtargz: detached signature handling
This is an automated email from the git hooks/post-receive script. osamu pushed a commit to branch master in repository devscripts. commit 6e112e42c28ae567a5565f33261bd769a2d98455 Author: Osamu Aoki Date: Sun Aug 20 06:51:16 2017 +0900 uscan, mk-origtargz: detached signature handling This leaves us with the non-detached signature handling as remaining task. --- debian/changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/changelog b/debian/changelog index 26b6214..70be47e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -27,6 +27,9 @@ devscripts (2.17.10) UNRELEASED; urgency=medium + Fix example URL for pagemangle. Closes: #864914 + Set $origcount to 0 for each watch file. Closes: #840232 + Don't fail on pgpmode=auto. Closes: #852537 ++ Rename and convert the detached signature with updated mk-origtargz. + * mk-origtargz ++ Rename and convert the detached signature. Closes: #832267, #870281 -- Mattia Rizzolo Tue, 25 Jul 2017 14:18:24 +0200 -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git ___ devscripts-devel mailing list devscripts-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
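Review bot: The new uscan entry in debian/changelog says the detached signature is renamed and converted, while the commit message notes that non-detached signature handling is still open. Add that limitation to the entry so that pgpmode=self users do not expect a .asc file from this version.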
[devscripts] branch master updated (d3582de -> 6e112e4)
This is an automated email from the git hooks/post-receive script.

osamu pushed a change to branch master in repository devscripts.

      from  d3582de   uscan: reset count for each watchfile
       new  b7c55ee   uscan: MUT, allow "orig-" in the filename
       new  0932c8b   uscan: Copy and rename signature
       new  90e7504   uscan: reorganize to handle self-signature on tar.gz
       new  ec71d9f   mk-origtargz: initial signature handling
       new  6e112e4   uscan, mk-origtargz: detached signature handling

The 5 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "adds" were already present in the repository and have only been added to this reference.

Summary of changes:
 debian/changelog        |  3 ++
 scripts/mk-origtargz.pl | 55 +++
 scripts/uscan.pl        | 87 +++--
 3 files changed, 121 insertions(+), 24 deletions(-)
How to handle upstream tarball signature
Hi,

I was trying to update uscan and realized a few problems which are not addressed by the discussion here. There are many things to consider.

On Fri, Aug 18, 2017 at 02:43:58PM +0200, Mattia Rizzolo wrote:
> On Fri, Aug 18, 2017 at 07:48:24AM -0400, Daniel Kahn Gillmor wrote:
> > I confess that i've been taking the boring/silly/cheating way out and if
> > upstream ships a detached binary signature as foo-1.2.3.tar.gz.sig, i've
> > just been manually renaming it to foo_1.2.3.orig.tar.gz.asc (without
> > even converting its contents to ASCII-armored form) and the rest of the
> > toolchain seems to just happily accept it -- it'd be even nicer if dpkg
> > and/or uscan was to normalize the contents to match the file extension.
>
> That's because TTBOMK there is *nothing* atm actually validating that
> file, and AFAIK (please correct me if I'm wrong) dpkg-source just picks
> up whatever file, no matter the contents.

If the watch file is properly configured, uscan verifies the signature. You should have the upstream keyring stored in debian/upstream/signing-key.asc

> > Lastly, it's conceivable that we might want to take an already-armored
> > .asc, and "launder" the armor, to stabilize it (e.g. stripping
> > non-cryptographically-relevant comments, other weird OpenPGP packets,
> > etc, which could all be stuffed into the detached signature).
>
> I'd love if something did this for me, pretty much like I'd love
> something like that does a pretty output to debian/upstream/signing-key
> like
> https://sources.debian.net/src/inkscape/0.92.2-1/debian/upstream/signing-key.asc/
> (that's
> https://anonscm.debian.org/git/reproducible/misc.git/tree/dump-gpg-keys.sh)
>
> IOW: Guillem: I second merging that sig→asc converter into dpkg-source!
> :)

1. There are different ways of signature
   * files used
     * detached signature gpg -sb (easy)
     * non-detached signature gpg -s (No answer)
   * format used
     * binary (.gpg, ...) (easy but who converts)
     * ascii (.asc) (easy)

2. What to do if upstream is repacked.
   * uscan can confirm but where to put the result in case it is repacked.
   * If we leave the upstream keyring at debian/upstream/signing-key.asc, it has no value to the generated Debian packages. (A new *.asc can be added by the maintainer but that's useless since we upload with a signed *.dsc. We need to look into debian/copyright to see if this is repacked or not. But people may use different ways to repack. So it is confusing to have the keyring. There should be a clear way to identify easily if it is repackaged or not.)

Does anyone have a clear idea on the "gpg -s" case for 1 and an answer for 2?

These affect how I write uscan.

Osamu
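The .sig to .asc conversion raised in this thread, as an added example (not code from the mail or from devscripts): it walks the OpenPGP packet headers, refuses anything that is not a signature packet, and writes the armor with the SIGNATURE header and CRC-24 directly, so no Comment line or stray packet is carried over. `SAMPLE_SIG` is a constructed dummy packet and the function names are this example's own.

```python
import base64
import io

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def _take(stream, n: int) -> bytes:
    chunk = stream.read(n)
    if len(chunk) != n:
        raise ValueError("truncated OpenPGP data")
    return chunk

def packet_tags(data: bytes) -> list:
    """Return the tag of every packet, rejecting malformed framing."""
    stream, tags = io.BytesIO(data), []
    while stream.tell() < len(data):
        hdr = _take(stream, 1)[0]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new format: tag in the low six bits
            tag, first = hdr & 0x3F, _take(stream, 1)[0]
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + _take(stream, 1)[0] + 192
            elif first == 255:
                length = int.from_bytes(_take(stream, 4), "big")
            else:
                raise ValueError("partial body length not accepted")
        else:  # old format: tag in bits 5-2, length type in bits 1-0
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not accepted")
            length = int.from_bytes(_take(stream, 1 << ltype), "big")
        _take(stream, length)  # skip the body, failing if it is cut short
        tags.append(tag)
    return tags

def sig_to_asc(binary_sig: bytes) -> str:
    """Armor a binary detached signature; any non-signature packet is an error."""
    tags = packet_tags(binary_sig)
    if not tags or any(tag != 2 for tag in tags):
        raise ValueError(f"expected only signature packets (tag 2), got {tags}")
    b64 = base64.b64encode(binary_sig).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = base64.b64encode(crc24(binary_sig).to_bytes(3, "big")).decode("ascii")
    return "\n".join(["-----BEGIN PGP SIGNATURE-----", "", *body,
                      "=" + check, "-----END PGP SIGNATURE-----"]) + "\n"

# Constructed sample: old-format tag-2 header (0x88), one-byte length, dummy body.
# It is shaped like a signature packet but is not a real signature.
SAMPLE_SIG = bytes([0x88, 0x03, 0x04, 0x00, 0x01])

if __name__ == "__main__":
    print(sig_to_asc(SAMPLE_SIG), end="")
```

This only normalises the container; the signature itself still has to be verified against debian/upstream/signing-key.asc.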