Bug#738977: [uscan] How to use OpenPGP verification with a download from alioth.debian.org?

Ludovic Rousseau rousseau at debian.org
Fri Feb 14 13:04:52 UTC 2014


Package: devscripts
Version: 2.14.1
Severity: normal

Hello,

I want to use the OpenPGP feature of uscan on a project hosted on
alioth.debian.org.

The download page is at https://alioth.debian.org/frs/?group_id=30105

The problem is that alioth generates strange URLs.
For the version 1.4.15 of ccid the binary is at:
https://alioth.debian.org/frs/download.php/file/3989/ccid-1.4.15.tar.bz2
the signature is at:
https://alioth.debian.org/frs/download.php/file/3990/ccid-1.4.15.tar.bz2.asc

The name at the end of the URL is not meaningful, only the number 3989
or 3990 is.

The URL https://alioth.debian.org/frs/download.php/file/3989/foobar will
also download the archive.


My question: how to write the pgpsigurlmangle rule in such a case?

My debian/watch file is:
version=3
opts=pgpsigurlmangle=s/$/.asc/ \
	https://alioth.debian.org/frs/?group_id=30105 \
	.*/ccid-(\d.*)\.(?:tgz|tar\.(?:gz|bz2|xz))

But that does not work as the signature will be downloaded using the URL
https://alioth.debian.org/frs/download.php/file/3989/ccid-1.4.15.tar.bz2.asc
This URL is not correct.

$ uscan --verbose --debug
[...]
uscan debug: matching pattern(s) (?:(?:https://alioth.debian.org)?\/frs\/\?group_id\=30105)?.*/ccid-(\d.*)\.(?:tgz|tar\.(?:gz|bz2|xz))
-- Found the following matching hrefs:
     /frs/download.php/file/3989/ccid-1.4.15.tar.bz2 (1.4.15)
     /frs/download.php/latestfile/112/ccid-1.4.15.tar.bz2 (1.4.15)
     /frs/download.php/file/3971/ccid-1.4.14.tar.bz2 (1.4.14)
     /frs/download.php/latestfile/112/ccid-1.4.14.tar.bz2 (1.4.14)
     /frs/download.php/file/3959/ccid-1.4.13.tar.bz2 (1.4.13)
     /frs/download.php/latestfile/112/ccid-1.4.13.tar.bz2 (1.4.13)
     /frs/download.php/file/3937/ccid-1.4.12.tar.bz2 (1.4.12)
     /frs/download.php/latestfile/112/ccid-1.4.12.tar.bz2 (1.4.12)
     /frs/download.php/file/3920/ccid-1.4.11.tar.bz2 (1.4.11)
     /frs/download.php/latestfile/112/ccid-1.4.11.tar.bz2 (1.4.11)
     /frs/download.php/file/3897/ccid-1.4.10.tar.bz2 (1.4.10)
     /frs/download.php/latestfile/112/ccid-1.4.10.tar.bz2 (1.4.10)
     /frs/download.php/file/3866/ccid-1.4.9.tar.bz2 (1.4.9)
     /frs/download.php/latestfile/112/ccid-1.4.9.tar.bz2 (1.4.9)
     /frs/download.php/file/3768/ccid-1.4.8.tar.bz2 (1.4.8)
     /frs/download.php/latestfile/112/ccid-1.4.8.tar.bz2 (1.4.8)
     /frs/download.php/file/3730/ccid-1.4.7.tar.bz2 (1.4.7)
     /frs/download.php/latestfile/112/ccid-1.4.7.tar.bz2 (1.4.7)
     /frs/download.php/file/3711/ccid-1.4.6.tar.bz2 (1.4.6)
     /frs/download.php/latestfile/112/ccid-1.4.6.tar.bz2 (1.4.6)
     /frs/download.php/file/3672/ccid-1.4.5.tar.bz2 (1.4.5)
     /frs/download.php/latestfile/112/ccid-1.4.5.tar.bz2 (1.4.5)
     /frs/download.php/file/3579/ccid-1.4.4.tar.bz2 (1.4.4)
     /frs/download.php/latestfile/112/ccid-1.4.4.tar.bz2 (1.4.4)
     /frs/download.php/file/3535/ccid-1.4.3.tar.bz2 (1.4.3)
     /frs/download.php/latestfile/112/ccid-1.4.3.tar.bz2 (1.4.3)
     /frs/download.php/file/3518/ccid-1.4.2.tar.bz2 (1.4.2)
     /frs/download.php/latestfile/112/ccid-1.4.2.tar.bz2 (1.4.2)
     /frs/download.php/file/3475/ccid-1.4.1.tar.bz2 (1.4.1)
     /frs/download.php/latestfile/112/ccid-1.4.1.tar.bz2 (1.4.1)
     /frs/download.php/file/3333/ccid-1.4.0.tar.bz2 (1.4.0)
     /frs/download.php/latestfile/112/ccid-1.4.0.tar.bz2 (1.4.0)
     /frs/download.php/file/3300/ccid-1.3.13.tar.bz2 (1.3.13)
     /frs/download.php/latestfile/112/ccid-1.3.13.tar.bz2 (1.3.13)
     /frs/download.php/file/3281/ccid-1.3.12.tar.bz2 (1.3.12)
     /frs/download.php/latestfile/112/ccid-1.3.12.tar.bz2 (1.3.12)
     /frs/download.php/file/3080/ccid-1.3.11.tar.bz2 (1.3.11)
     /frs/download.php/latestfile/112/ccid-1.3.11.tar.bz2 (1.3.11)
Newest version on remote site is 1.4.15, local version is 1.4.14
 => Newer version available from
    https://alioth.debian.org/frs/download.php/file/3989/ccid-1.4.15.tar.bz2
-- Downloading updated package ccid-1.4.15.tar.bz2
uscan debug: requesting URL https://alioth.debian.org/frs/download.php/file/3989/ccid-1.4.15.tar.bz2
-- Downloading OpenPGP signature for package as ccid-1.4.15.tar.bz2.pgp
uscan debug: requesting URL https://alioth.debian.org/frs/download.php/file/3989/ccid-1.4.15.tar.bz2.asc
-- Verifying OpenPGP signature ccid-1.4.15.tar.bz2.pgp for ccid-1.4.15.tar.bz2
gpgv: no valid OpenPGP data found.
gpgv: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
uscan warning: OpenPGP signature did not verify.

$ md5sum ../ccid-1.4.15.tar.bz2*
c195333c953f5530bc04a194b5ac1b71  ../ccid-1.4.15.tar.bz2
c195333c953f5530bc04a194b5ac1b71  ../ccid-1.4.15.tar.bz2.pgp


uscan would have to add ".asc" to the filename and parse the HTML
page again to find the URL for this file, not just add ".asc" at the end of
the URL for the archive.
Is that possible with uscan?

It would be bad news if uscan's OpenPGP signature check can't be used
with Debian's own forge :-)


-- Package-specific info:

--- /etc/devscripts.conf ---

--- ~/.devscripts ---
Not present

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-1-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages devscripts depends on:
ii  dpkg-dev     1.17.6
ii  libc6        2.17-97
ii  perl         5.18.2-2
ii  python3      3.3.2-17
pn  python3:any  <none>

Versions of packages devscripts recommends:
ii  at                          3.1.14-1
ii  dctrl-tools                 2.23
ii  debian-keyring              2014.01.31
ii  dput                        0.9.6.4
ii  equivs                      2.0.9
ii  fakeroot                    1.18.4-2
ii  gnupg                       1.4.16-1
ii  libdistro-info-perl         0.12
ii  libencode-locale-perl       1.03-1
ii  libjson-perl                2.61-1
ii  liblwp-protocol-https-perl  6.04-2
ii  libparse-debcontrol-perl    2.005-4
ii  libsoap-lite-perl           1.09-1
ii  liburi-perl                 1.60-1
ii  libwww-perl                 6.05-2
ii  lintian                     2.5.21
ii  man-db                      2.6.6-1
ii  patch                       2.7.1-4
ii  patchutils                  0.3.2-3
ii  python3-debian              0.1.21+nmu2
ii  python3-magic               1:5.14-2
ii  sensible-utils              0.0.9
ii  strace                      4.5.20-2.3
ii  unzip                       6.0-10
ii  wdiff                       1.2.1-2
ii  wget                        1.15-1
ii  xz-utils                    5.1.1alpha+20120614-2

Versions of packages devscripts suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20131005cvs-1
ii  build-essential              11.6
pn  cvs-buildpackage             <none>
pn  devscripts-el                <none>
pn  gnuplot                      <none>
ii  gpgv                         1.4.16-1
ii  libauthen-sasl-perl          2.1500-1
ii  libfile-desktopentry-perl    0.07-1
ii  libnet-smtp-ssl-perl         1.01-3
pn  libterm-size-perl            <none>
ii  libtimedate-perl             2.3000-1
ii  libyaml-syck-perl            1.27-2+b1
ii  mutt                         1.5.21-6.4
ii  openssh-client [ssh-client]  1:6.4p1-2
ii  svn-buildpackage             0.8.5
ii  w3m                          0.5.3-15

-- no debconf information
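
The lookup the report asks for, as an added Python example (not part of the original message and not uscan code): find the signature by file name in the listing page instead of appending ".asc" to the archive URL, and flag the failure the md5sum output shows, where the downloaded "signature" is a copy of the archive. SAMPLE_PAGE is constructed around the two hrefs quoted in the report; the function names are hypothetical.

```python
from html.parser import HTMLParser
from posixpath import basename
from urllib.parse import urljoin, urlsplit

# Constructed listing page; the 3989/3990 hrefs are the ones quoted in the report.
SAMPLE_PAGE = """
<a href="/frs/download.php/file/3989/ccid-1.4.15.tar.bz2">ccid-1.4.15.tar.bz2</a>
<a href="/frs/download.php/file/3990/ccid-1.4.15.tar.bz2.asc">ccid-1.4.15.tar.bz2.asc</a>
<a href="/frs/download.php/file/3971/ccid-1.4.14.tar.bz2">ccid-1.4.14.tar.bz2</a>
"""
BASE_URL = "https://alioth.debian.org/frs/?group_id=30105"
ARMOR = b"-----BEGIN PGP SIGNATURE-----"


class HrefCollector(HTMLParser):
    """Collect the href of every <a> tag."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def find_signature_url(page_html, base_url, archive_url):
    """Return the listed URL whose file name is <archive name>.asc, else None."""
    collector = HrefCollector()
    collector.feed(page_html)
    wanted = basename(urlsplit(archive_url).path) + ".asc"
    for href in collector.hrefs:
        url = urljoin(base_url, href)
        if basename(urlsplit(url).path) == wanted:
            return url
    return None


def signature_problem(archive_bytes, sig_bytes):
    """Pre-check before gpgv: return why the file cannot be a detached
    ASCII-armored signature, or None. It does not replace verification."""
    if sig_bytes == archive_bytes:
        return "signature is a byte-for-byte copy of the archive"
    if not sig_bytes.lstrip().startswith(ARMOR):
        return "no ASCII armor header"
    return None


if __name__ == "__main__":
    archive = urljoin(BASE_URL, "/frs/download.php/file/3989/ccid-1.4.15.tar.bz2")
    print(find_signature_url(SAMPLE_PAGE, BASE_URL, archive))
    print(signature_problem(b"BZh9 constructed", b"BZh9 constructed"))
```
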


