[SCM] Git repository for devscripts branch, master, updated. v2.13.2-7-ge82313c

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jun 6 06:03:12 UTC 2013


The following commit has been merged in the master branch:
commit e82313c718b7bc8b884a2617081c6638d88af37b
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Sat May 4 04:46:34 2013 -0400

    Enable OpenPGP signature verification (Closes: #610712)
    
    add a new opts= option for debian/watch files: pgpsigurlmangle.
    
    If this option is present and the file debian/upstream-signing-key.pgp
    exists (as an OpenPGP keyring), uscan will try to fetch the detached
    signature from the mangled URL and verify it against the key(s)
    stored in that keyring.
    
    Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>

diff --git a/README b/README
index 639030f..5e60c94 100644
--- a/README
+++ b/README
@@ -226,7 +226,9 @@ And now, in mostly alphabetical order, the scripts:
   also call a program such as uupdate to attempt to update the Debianised
   version based on the new update.  Whilst uscan could be used to release
   the updated version automatically, it is probably better not to without
-  testing it first. [libcrypt-ssleay-perl, libwww-perl, unzip, lzma, xz-utils]
+  testing it first.  Uscan can also verify detached OpenPGP signatures if 
+  upstream's signing key is known. [libcrypt-ssleay-perl, gpgv,
+  libwww-perl, unzip, lzma, xz-utils]
 
 - uupdate: Update the package with an archive or patches from
   an upstream author.  This will be of help if you have to update your
diff --git a/debian/changelog b/debian/changelog
index 1c7d6d9..57a99ac 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,9 @@ devscripts (2.13.3) UNRELEASED; urgency=low
 
   [ Chris Boot ]
   * bts: Fix no-mutt option. (Closes: #709999)
+  
+  [ Daniel Kahn Gillmor ]
+  * Enable OpenPGP signature verification (Closes: #610712)
 
  -- James McCoy <jamessan at debian.org>  Mon, 13 May 2013 22:43:59 -0400
 
diff --git a/debian/control b/debian/control
index 88a83ee..64fdde6 100644
--- a/debian/control
+++ b/debian/control
@@ -70,6 +70,7 @@ Suggests: bsd-mailx | mailx,
           cvs-buildpackage,
           devscripts-el,
           gnuplot,
+          gpgv,
           libauthen-sasl-perl,
           libfile-desktopentry-perl,
           libnet-smtp-ssl-perl,
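Review bot: gpgv is added only to Suggests, so a default devscripts install will not have it, and by the check added in scripts/uscan.pl a watch file that uses pgpsigurlmangle is then skipped with a warning rather than verified. If signature checking is meant to work out of the box, Recommends looks like the more appropriate field for gpgv; if Suggests is deliberate, the uscan manpage should state that gpgv has to be installed separately before pgpsigurlmangle has any effect.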
@@ -186,7 +187,7 @@ Description: scripts to make the life of a Debian Package maintainer easier
     transitions for which uploads to unstable are currently blocked
     [libwww-perl, libyaml-syck-perl]
   - uscan: scan upstream sites for new releases of packages
-    [libcrypt-ssleay-perl, libwww-perl, unzip, lzma, xz-utils]
+    [libcrypt-ssleay-perl, gpgv, libwww-perl, unzip, lzma, xz-utils]
   - uupdate: integrate upstream changes into a source package [patch]
   - what-patch: determine what patch system, if any, a source package is using
     [patchutils]
diff --git a/scripts/uscan.1 b/scripts/uscan.1
index 99ee64c..f3b3be3 100644
--- a/scripts/uscan.1
+++ b/scripts/uscan.1
@@ -282,6 +282,16 @@ matched, then the version number is determined from this URL.
 Finally, any rules given by this option are applied before the actual
 download attempt is made. An example of its use is given in the
 examples section above.
+.TP
+\fBpgpsigurlmangle=\fIrules\fR
+If present, the supplied rules will be applied to the downloaded URL
+(after any downloadurlmangle rules, if present) to craft a new URL
+that will be used to fetch the detached OpenPGP signature file for the
+upstream tarball.  Some common rules might be `\fBs/$/.asc/\fR' or
+`\fBs/$/.pgp/\fR' or `\fBs/$/.gpg/\fR'.  This signature must be made
+by a key found in the keyring \fBdebian/upstream-signing-key.pgp\fR.
+If it is not valid, or not made by one of the listed keys, uscan will
+report an error.
 .SH "Directory name checking"
 Similarly to several other scripts in the \fBdevscripts\fR package,
 \fBuscan\fR explores the requested directory trees looking for
diff --git a/scripts/uscan.pl b/scripts/uscan.pl
index 94fdf9a..298e5cd 100755
--- a/scripts/uscan.pl
+++ b/scripts/uscan.pl
@@ -57,6 +57,7 @@ eval { require Crypt::SSLeay; };
 if ($@) {
     $haveSSL = 0;
 }
+my $havegpgv = (-x '/usr/bin/gpgv');
 
 # Did we find any new upstream versions on our wanderings?
 our $found = 0;
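Review bot: The gpgv path is hard-coded here and again in the system() call that performs the verification later in this file, so the probe and the invocation can silently drift apart. Name it once, e.g. `my $gpgv = '/usr/bin/gpgv';` followed by `my $havegpgv = (-x $gpgv);`, and pass `$gpgv` to system() instead of the literal. A one-line comment such as `# gpgv is optional (Suggests); watch lines that need it are skipped when it is absent` would also make the load-time probe self-explanatory.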
@@ -762,6 +763,9 @@ sub process_watchline ($$$$$$)
 		elsif ($opt =~ /^downloadurlmangle\s*=\s*(.+)/) {
 		    @{$options{'downloadurlmangle'}} = split /;/, $1;
 		}
+		elsif ($opt =~ /^pgpsigurlmangle\s*=\s*(.+)/) {
+		    @{$options{'pgpsigurlmangle'}} = split /;/, $1;
+		}
 		else {
 		    uscan_warn "$progname warning: unrecognised option $opt\n";
 		}
@@ -794,6 +798,17 @@ sub process_watchline ($$$$$$)
 	    uscan_warn "$progname warning: downloadurlmangle option invalid for ftp sites,\n  ignoring in $watchfile:\n  $line\n";
 	}
 
+	# Check validity of options
+	if (exists $options{'pgpsigurlmangle'}) {
+	    if (not (-r 'debian/upstream-signing-key.pgp')) {
+		uscan_warn "$progname warning: pgpsigurlmangle option exists, but debian/upstream-signing-key.pgp does not exist,\n  ignoring in $watchfile:\n  $line\n";
+		delete $options{'pgpsigurlmangle'};
+	    } elsif (! $havegpgv) {
+		uscan_warn "$progname warning: pgpsignurlmangle option exists, but you must have gpgv installed to verify\n  in $watchfile, skipping:\n  $line\n";
+		return 1;
+	    }
+	}
+
 	# Handle sf.net addresses specially
 	if ($base =~ m%^http://sf\.net/%) {
 	    $base =~ s%^http://sf\.net/%http://qa.debian.org/watch/sf.php/%;
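Review bot: The warning in the gpgv-missing branch misspells the option as `pgpsignurlmangle`; it should read `pgpsigurlmangle option exists, but you must have gpgv installed to verify`. The two failure branches also differ in effect: a missing keyring deletes the option and lets the tarball be downloaded unverified, while a missing gpgv skips the watch line entirely. That fail-open behaviour matches the commit message's "if the keyring exists" wording, but a maintainer who added pgpsigurlmangle presumably wanted verification, so either skipping the watch line here as well (`return 1`) or documenting the fail-open case in the manpage seems warranted. The enclosing process_watchline body continues outside the hunk; whether the working directory is the package directory at this point, which the relative `debian/upstream-signing-key.pgp` path assumes, is not visible here.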
@@ -1124,6 +1139,7 @@ EOF
 
     # So what have we got to report now?
     my $upstream_url;
+    my $pgpsig_url;
     # Upstream URL?  Copying code from below - ugh.
     if ($site =~ m%^https?://%) {
 	# absolute URL?
@@ -1203,6 +1219,20 @@ EOF
 	$upstream_url = "$base$newfile";
     }
 
+    if (exists $options{'pgpsigurlmangle'}) {
+	$pgpsig_url = $upstream_url;
+	foreach my $pat (@{$options{'pgpsigurlmangle'}}) {
+	    if (! safe_replace(\$pgpsig_url, $pat)) {
+		uscan_warn "$progname: In $watchfile, potentially"
+		  . " unsafe or malformed pgpsigurlmangle"
+		  . " pattern:\n  '$pat'"
+		  . " found. Skipping watchline\n"
+		  . "  $line\n";
+		return 1;
+	    }
+	}
+    }
+
     $dehs_tags{'debian-uversion'} = $lastversion;
     $dehs_tags{'debian-mangled-uversion'} = $mangled_lastversion;
     $dehs_tags{'upstream-version'} = $newversion;
@@ -1348,6 +1378,27 @@ EOF
 	}
     }
 
+    if (defined $pgpsig_url) {
+	print "-- Downloading OpenPGP signature for package as $newfile_base.pgp\n" if $verbose;
+	my $sigrequest = HTTP::Request->new('GET', "$pgpsig_url");
+	my $sigresponse = $user_agent->request($sigrequest, "$destdir/$newfile_base.pgp");
+
+	if (! $sigresponse->is_success) {
+	    if (defined $pkg_dir) {
+		uscan_warn "$progname warning: In directory $pkg_dir, downloading OpenPGP signature\n  $upstream_url failed: " . $sigresponse->status_line . "\n";
+	    } else {
+		uscan_warn "$progname warning: Downloading OpenPGP signature\n $pgpsig_url failed:\n" . $sigresponse->status_line . "\n";
+	    }
+	    return 1;
+	}
+
+	print "-- Verifying OpenPGP signature $newfile_base.pgp for $newfile_base\n" if $verbose;
+	system('/usr/bin/gpgv', '--homedir', '/dev/null',
+	       '--keyring', 'debian/upstream-signing-key.pgp',
+	       "$destdir/$newfile_base.pgp", "$destdir/$newfile_base") >> 8 == 0
+		 or uscan_die("$progname warning: OpenPGP signature did not verify.\n");
+    }
+
     if ($repack and $newfile_base =~ /^(.*)\.(tar\.bz2|tbz2?)$/) {
 	print "-- Repacking from bzip2 to gzip\n" if $verbose;
 	my $newfile_base_gz = "$1.tar.gz";
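Review bot: When gpgv rejects the signature, the unverified tarball at `$destdir/$newfile_base` (fetched before this hunk) and the downloaded `.pgp` file are left on disk, since nothing here removes them before uscan_die; delete both first, e.g. `or do { unlink "$destdir/$newfile_base.pgp", "$destdir/$newfile_base"; uscan_die("$progname: OpenPGP signature did not verify.\n") }`, so a later run or a manual uupdate cannot pick up an unverified file, and drop the "warning" label from a message that aborts. The first uscan_warn in this hunk interpolates `$upstream_url` although the request that failed was for `$pgpsig_url`; use `$pgpsig_url` as the other branch does. Whether `--keyring debian/upstream-signing-key.pgp` is resolved against the current directory rather than against `--homedir /dev/null` depends on gpgv's rule for keyring names containing a slash, which is worth a comment or an absolute path built from the package directory. The enclosing function continues outside the hunk.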
