Bug#778723: uscan: non detached signatures

Osamu Aoki osamu at debian.org
Thu Oct 1 15:56:15 UTC 2015


Good evening.

I am not sure what exactly is happening.  Do you have a solution or not?

At least it works here with the URL mentioned.

On Wed, Sep 30, 2015 at 03:46:43PM +0200, Sandro Knauß wrote:
> Moin,
> 
> it is not working.
> 
> libkolabxml*.tar.gz.pgp is not encrypted, it is only verified, that's why I added the 0001-verify-not-decrypt to uscan. But still it does not work [see output].

OK.

> i also attached the patch for libkolabxml to use the self mode.
> 
> Regards,
> 
> sandro
> 
> 
> > On Wednesday, 30 September 2015, 20:27:10, Osamu Aoki wrote:
> > On Tue, Sep 29, 2015 at 01:04:22AM +0200, Sandro Knauß wrote:
> > > Moin,
> > > 
> > > > * Add dependency to gnupg|gnupg2 as suggest
> > > > * Add option: opts="pgpmode=self" (there is a place holder now.)
> > > > * Check availability of /usr/bin/gpg or /usr/bin/gpg2 if pgpmode=self
> > > > * match pattern to look for libkolabxml-([\d.]+)\.tar\.(?:gz|xz)\.gpg
> > > > 
> > > >   in http://mirror.kolabsys.com/pub/releases/
> > > > 
> > > > * download the latest libkolabxml-1.1.1.tar.gz.gpg if it is new.
> > > > * run the following to see if authentic and get the tarball
> > > > 
> > > >   F=libkolabxml-1.1.1.tar.gz.gpg && gpg -o ${F%.gpg} --decrypt $F
> > > > 
> > > > * Ensure to find generated file ${F%.gpg} (or ${F%.asc} ...) and
> > > > 
> > > >   run mk-origtargz to get libkolabxml_1.1.1.orig.tar.gz from it.
> > > > 
> > > > Is this what you wish?  If so this is very simple and will be added to
> > > > a multitar branch commit in near future.
> > > 
> > > sounds like that what I had in mind.
> > 
> > It is already committed.  Please checkout from git repo.
> > 
> > Osamu

> From caf885a7cdb5bc8758b0daf496d737fd3d0478d6 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Sandro=20Knau=C3=9F?= <bugs at sandroknauss.de>
> Date: Wed, 30 Sep 2015 14:42:52 +0200
> Subject: [PATCH] use pgpmode=self to verify signature
... so you added sig.
> +-----END PGP PUBLIC KEY BLOCK-----
> diff --git a/debian/watch b/debian/watch
> index 9f88268..a27ac44 100644
> --- a/debian/watch
> +++ b/debian/watch
> @@ -1,2 +1,3 @@
>  version=3
> -http://mirror.kolabsys.com/pub/releases/libkolabxml-([0-9\.]+)\.tar\.gz
> +opts="pgpmode=self" \
> +http://mirror.kolabsys.com/pub/releases/libkolabxml-([0-9\.]+)\.tar\.gz.gpg
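Review bot: the final dot in `\.tar\.gz.gpg` on the added URL line is unescaped and therefore matches any character; escape it as `\.tar\.gz\.gpg` to match the rest of the pattern. The earlier message in this thread proposed matching `\.tar\.(?:gz|xz)\.gpg`, which would also keep the watch line working for `.tar.xz.gpg` releases.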

I tested on this URL and it works.

> 2.1.4
> 

> From ee8b56ba78cc0a1419e0fb6022dc7aff0dff68d8 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Sandro=20Knau=C3=9F?= <mail at sandroknauss.de>
> Date: Wed, 30 Sep 2015 14:50:20 +0200
> Subject: [PATCH] verify not decrypt
> 
> ---
>  scripts/uscan.pl | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/scripts/uscan.pl b/scripts/uscan.pl
> index 99f90d2..336f117 100755
> --- a/scripts/uscan.pl
> +++ b/scripts/uscan.pl
> @@ -3084,7 +3084,7 @@ EOF
>  	print "-- Verifying OpenPGP self signature of $sigfile_base and extract $newfile_base\n" if $verbose;
>  	system($havegpg, '--homedir', $gpghome,
>  	       '--no-options', '-q', '--batch', '--no-default-keyring',
> -	       '--keyring', $keyring, '--trust-model', 'always', '--decrypt', '-o',
> +	       '--keyring', $keyring, '--trust-model', 'always', '--verify', '-o',

But decrypt works here nicely.

>  	       "$destdir/$newfile_base", "$destdir/$sigfile_base") >> 8 == 0
>  		    or uscan_die("$progname: OpenPGP signature did not verify.\n");
>  	$previousfile_base = undef;
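Review bot: replacing `--decrypt` with `--verify` breaks the extraction that the surrounding lines depend on. With `--verify` gpg still checks the inline signature and exits 0, but it does not honour `-o`, so `$destdir/$newfile_base` is never written and the later mk-origtargz step fails with a missing-file error, as the log quoted in this thread shows. For a non-detached signature, `--decrypt -o` is the call that both verifies and unwraps the payload; keep it, and consider additionally checking that `$destdir/$newfile_base` exists before handing it to mk-origtargz, so a missing output fails with a clearer message than "OpenPGP signature did not verify".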
> -- 
> 2.1.4


Please run the command under LANG=en_US.UTF-8

Also run with --debug as option.

> % ~/git/devscripts/scripts/uscan.pl --force-download --verbose

What!  Are you running unstable?

> -- Scanning for watchfiles in .
> -- Found watchfile in ./debian
> -- In debian/watch, processing watchfile line:
>    opts="pgpmode=self" http://mirror.kolabsys.com/pub/releases/libkolabxml-([0-9\.]+)\.tar\.gz.gpg
> Newest version on remote site is 1.1.1, local version is 1.1.1
>  => Package is up to date
> Newest version on remote site is 1.1.1, local version is 1.1.1
>  => Forcing download as requested
> -- Downloading updated package libkolabxml-1.1.1.tar.gz.gpg
> -- Verifying OpenPGP self signature of libkolabxml-1.1.1.tar.gz.gpg and extract libkolabxml-1.1.1.tar.gz
> gpg: Signature made Fr 31 Jul 2015 10:52:40 CEST using DSA key ID 9342BF08
> gpg: Good signature from "Jeroen van Meeuwen (kanarip) <kanarip at kanarip.com>" [unknown]
> gpg:                 aka "Jeroen van Meeuwen (GMail) <kanarip at gmail.com>" [unknown]
> gpg:                 aka "Jeroen van Meeuwen (OGD) <j.van.meeuwen at ogd.nl>" [unknown]
> gpg:                 aka "Jeroen van Meeuwen (XS4All) <kanarip at xs4all.nl>" [unknown]
> gpg:                 aka "Jeroen van Meeuwen (GameDrome) <kanarip at gamedrome.com>" [unknown]
> gpg:                 aka "Jeroen van Meeuwen (PC Zone Clan) <kanarip at pczone-clan.nl>" [unknown]
> gpg:                 aka "Jeroen van Meeuwen (Fedora Unity) <kanarip at fedoraunity.org>" [unknown]
> gpg:                 aka "Jeroen van Meeuwen (Fedora Project) <kanarip at fedoraproject.org>" [unknown]
> gpg:                 aka "Jeroen van Meeuwen (Kolab Systems) (Kolab Systems AG) <vanmeeuwen at kolabsys.com>" [unknown]
> gpg:                 aka "Jeroen van Meeuwen (Ergo Project) (Ergo Project) <jeroen.van.meeuwen at ergo-project.org>" [unknown]
> -- Executing internal command
>      mk-origtargz --package libkolabxml --version 1.1.1 --compression gzip --directory .. --copyright-file debian/copyright ../libkolabxml-1.1.1.tar.gz
> Could not read ../libkolabxml-1.1.1.tar.gz: Datei oder Verzeichnis nicht gefunden at /usr/bin/mk-origtargz line 320.

You changed it to verify.  Then no file is generated.  That is not too surprising.

> uscan.pl: Fehler: Fehler-Exitstatus von mk-origtargz --package libkolabxml --version 1.1.1 --compression gzip --directory .. --copyright-file debian/copyright ../libkolabxml-1.1.1.tar.gz war 2

google translate:
uscan.pl: error: error exit status of mk-origtargz --package libkolabxml --version 1.1.1 --compression gzip --directory .. --copyright-file debian/copyright ../libkolabxml-1.1.1.tar.gz was 2

Anyway,....
$ apt-get source libkolabxml
$ mv libkolabxml-1.1.1 libkolabxml
 ... remove upstream files and add signature
$ cd libkolabxml
$ uscan --verbose  --force-download
-- Scanning for watchfiles in .
-- Found watchfile in ./debian
-- In debian/watch, processing watchfile line:
   http://mirror.kolabsys.com/pub/releases/libkolabxml-([0-9\.]+)\.tar\.gz
Newest version on remote site is 1.1.1, local version is 1.1.1
 => Package is up to date
Newest version on remote site is 1.1.1, local version is 1.1.1
 => Forcing download as requested
-- Downloading updated package libkolabxml-1.1.1.tar.gz
-- Checking for common possible upstream OpenPGP signatures
libkolabxml: Possible OpenPGP signature found at:
   http://mirror.kolabsys.com/pub/releases/libkolabxml-1.1.1.tar.gz.gpg.
  Please consider adding opts=pgpsigurlmangle=s/$/.gpg/
  to debian/watch.  see uscan(1) for more details.
-- Executing internal command
     mk-origtargz --package libkolabxml --version 1.1.1 --compression gzip --directory .. --copyright-file debian/copyright ../libkolabxml-1.1.1.tar.gz
-- Successfully downloaded updated package libkolabxml-1.1.1.tar.gz
-- Successfully symlinked ../libkolabxml-1.1.1.tar.gz to ../libkolabxml_1.1.1.orig.tar.gz.
-- Scan finished
Press any key to continue...


Please compile the whole package using debuild.  Otherwise you may be failing with the libraries used.


Osamu


