Bug#778723: uscan: non detached signatures
Osamu Aoki
osamu at debian.org
Thu Oct 1 15:56:15 UTC 2015
Good evening.
I am not sure what exactly is happening. Do you have a solution or not?
At least it works here with the URL mentioned.
On Wed, Sep 30, 2015 at 03:46:43PM +0200, Sandro Knauß wrote:
> Moin,
>
> it is not working.
>
> libkolabxml*.tar.gz.pgp is not encrypted, it is only verified; that's why I added the 0001-verify-not-decrypt to uscan. But still it does not work [see output].
OK.
> I also attached the patch for libkolabxml to use the self mode.
>
> Regards,
>
> sandro
>
>
> Am Mittwoch, 30. September 2015, 20:27:10 schrieb Osamu Aoki:
> > On Tue, Sep 29, 2015 at 01:04:22AM +0200, Sandro Knauß wrote:
> > > Moin,
> > >
> > > > * Add dependency to gnupg|gnupg2 as suggest
> > > > * Add option: opts="pgpmode=self" (there is a place holder now.)
> > > > * Check availability of /usr/bin/gpg or /usr/bin/gpg2 if pgpmode=self
> > > > * match pattern to look for libkolabxml-([\d.]+)\.tar\.(?:gz|xz)\.gpg
> > > >
> > > > in http://mirror.kolabsys.com/pub/releases/
> > > >
> > > > * download the latest libkolabxml-1.1.1.tar.gz.gpg if it is now.
> > > > * run the following to see if authentic and get the tarball
> > > >
> > > > F=libkolabxml-1.1.1.tar.gz.gpg && gpg -o "${F%.gpg}" --decrypt "$F"
> > > >
> > > > * Ensure to find generated file ${F%.gpg} (or ${F%.asc} ...) and
> > > >
> > > > run mk-origtargz to get libkolabxml_1.1.1.orig.tar.gz from it.
> > > >
> > > > Is this what you wish? If so this is very simple and will be added to
> > > > a multitar branch commit in near future.
> > >
> > > Sounds like what I had in mind.
> >
> > It is already committed. Please checkout from git repo.
> >
> > Osamu
> From caf885a7cdb5bc8758b0daf496d737fd3d0478d6 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Sandro=20Knau=C3=9F?= <bugs at sandroknauss.de>
> Date: Wed, 30 Sep 2015 14:42:52 +0200
> Subject: [PATCH] use pgpmode=self to verify signature
... so you added sig.
> +-----END PGP PUBLIC KEY BLOCK-----
> diff --git a/debian/watch b/debian/watch
> index 9f88268..a27ac44 100644
> --- a/debian/watch
> +++ b/debian/watch
> @@ -1,2 +1,3 @@
> version=3
> -http://mirror.kolabsys.com/pub/releases/libkolabxml-([0-9\.]+)\.tar\.gz
> +opts="pgpmode=self" \
> +http://mirror.kolabsys.com/pub/releases/libkolabxml-([0-9\.]+)\.tar\.gz.gpg
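Review bot: The dot before `gpg` in the new pattern is unescaped (`\.tar\.gz.gpg`), so it matches any character at that position, unlike the escaped dots earlier on the same line; write `\.tar\.gz\.gpg`. The URL is also plain `http`, so the authenticity of the download rests entirely on the `pgpmode=self` check against the key this patch ships; a short comment in debian/watch saying so would help the next maintainer.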
I tested on this URL and it works.
> 2.1.4
>
> From ee8b56ba78cc0a1419e0fb6022dc7aff0dff68d8 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Sandro=20Knau=C3=9F?= <mail at sandroknauss.de>
> Date: Wed, 30 Sep 2015 14:50:20 +0200
> Subject: [PATCH] verify not decrypt
>
> ---
> scripts/uscan.pl | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/scripts/uscan.pl b/scripts/uscan.pl
> index 99f90d2..336f117 100755
> --- a/scripts/uscan.pl
> +++ b/scripts/uscan.pl
> @@ -3084,7 +3084,7 @@ EOF
> print "-- Verifying OpenPGP self signature of $sigfile_base and extract $newfile_base\n" if $verbose;
> system($havegpg, '--homedir', $gpghome,
> '--no-options', '-q', '--batch', '--no-default-keyring',
> - '--keyring', $keyring, '--trust-model', 'always', '--decrypt', '-o',
> + '--keyring', $keyring, '--trust-model', 'always', '--verify', '-o',
But decrypt works here nicely.
> "$destdir/$newfile_base", "$destdir/$sigfile_base") >> 8 == 0
> or uscan_die("$progname: OpenPGP signature did not verify.\n");
> $previousfile_base = undef;
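Review bot: Switching to `--verify` leaves `'-o', "$destdir/$newfile_base"` in the argument list, and the verbose message above it still says "and extract $newfile_base", yet nothing in this hunk now writes that file, so whatever consumes `$newfile_base` afterwards will not find it. Either keep `--decrypt`, which also checks the signature on a signed-only message and writes the payload to `-o`, or add an explicit extraction step after the verify call and adjust the message to match.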
> --
> 2.1.4
Please run command under LANG=en_US.UTF-8
Also run with --debug as option.
> % ~/git/devscripts/scripts/uscan.pl --force-download --verbose
What! Are you running unstable?
> -- Scanning for watchfiles in .
> -- Found watchfile in ./debian
> -- In debian/watch, processing watchfile line:
> opts="pgpmode=self" http://mirror.kolabsys.com/pub/releases/libkolabxml-([0-9\.]+)\.tar\.gz.gpg
> Newest version on remote site is 1.1.1, local version is 1.1.1
> => Package is up to date
> Newest version on remote site is 1.1.1, local version is 1.1.1
> => Forcing download as requested
> -- Downloading updated package libkolabxml-1.1.1.tar.gz.gpg
> -- Verifying OpenPGP self signature of libkolabxml-1.1.1.tar.gz.gpg and extract libkolabxml-1.1.1.tar.gz
> gpg: Signature made Fr 31 Jul 2015 10:52:40 CEST using DSA key ID 9342BF08
> gpg: Good signature from "Jeroen van Meeuwen (kanarip) <kanarip at kanarip.com>" [unknown]
> gpg: aka "Jeroen van Meeuwen (GMail) <kanarip at gmail.com>" [unknown]
> gpg: aka "Jeroen van Meeuwen (OGD) <j.van.meeuwen at ogd.nl>" [unknown]
> gpg: aka "Jeroen van Meeuwen (XS4All) <kanarip at xs4all.nl>" [unknown]
> gpg: aka "Jeroen van Meeuwen (GameDrome) <kanarip at gamedrome.com>" [unknown]
> gpg: aka "Jeroen van Meeuwen (PC Zone Clan) <kanarip at pczone-clan.nl>" [unknown]
> gpg: aka "Jeroen van Meeuwen (Fedora Unity) <kanarip at fedoraunity.org>" [unknown]
> gpg: aka "Jeroen van Meeuwen (Fedora Project) <kanarip at fedoraproject.org>" [unknown]
> gpg: aka "Jeroen van Meeuwen (Kolab Systems) (Kolab Systems AG) <vanmeeuwen at kolabsys.com>" [unknown]
> gpg: aka "Jeroen van Meeuwen (Ergo Project) (Ergo Project) <jeroen.van.meeuwen at ergo-project.org>" [unknown]
> -- Executing internal command
> mk-origtargz --package libkolabxml --version 1.1.1 --compression gzip --directory .. --copyright-file debian/copyright ../libkolabxml-1.1.1.tar.gz
> Could not read ../libkolabxml-1.1.1.tar.gz: Datei oder Verzeichnis nicht gefunden at /usr/bin/mk-origtargz line 320.
You changed to verify. Then no file is generated. That is not too surprising.
> uscan.pl: Fehler: Fehler-Exitstatus von mk-origtargz --package libkolabxml --version 1.1.1 --compression gzip --directory .. --copyright-file debian/copyright ../libkolabxml-1.1.1.tar.gz war 2
google translate:
uscan.pl: error: error exit status of mk-origtargz --package libkolabxml
--version 1.1.1 --compression gzip --directory .. --copyright-file
debian/copyright ../libkolabxml-1.1.1.tar.gz was 2
Anyway,....
$ apt-get source libkolabxml
$ mv libkolabxml-1.1.1 libkolabxml
... remove upstream files and add signature
$ cd libkolabxml
$ uscan --verbose --force-download
-- Scanning for watchfiles in .
-- Found watchfile in ./debian
-- In debian/watch, processing watchfile line:
http://mirror.kolabsys.com/pub/releases/libkolabxml-([0-9\.]+)\.tar\.gz
Newest version on remote site is 1.1.1, local version is 1.1.1
=> Package is up to date
Newest version on remote site is 1.1.1, local version is 1.1.1
=> Forcing download as requested
-- Downloading updated package libkolabxml-1.1.1.tar.gz
-- Checking for common possible upstream OpenPGP signatures
libkolabxml: Possible OpenPGP signature found at:
http://mirror.kolabsys.com/pub/releases/libkolabxml-1.1.1.tar.gz.gpg.
Please consider adding opts=pgpsigurlmangle=s/$/.gpg/
to debian/watch. see uscan(1) for more details.
-- Executing internal command
mk-origtargz --package libkolabxml --version 1.1.1 --compression gzip --directory .. --copyright-file debian/copyright ../libkolabxml-1.1.1.tar.gz
-- Successfully downloaded updated package libkolabxml-1.1.1.tar.gz
-- Successfully symlinked ../libkolabxml-1.1.1.tar.gz to ../libkolabxml_1.1.1.orig.tar.gz.
-- Scan finished
Press any key to continue...
Please compile the whole package using debuild. Otherwise you may be failing with libraries used.
Osamu
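
Added example, not part of the thread or of devscripts: the discussion turns on whether the `.gpg` file is a signed-only or an encrypted OpenPGP message, and this Python sketch answers that for a binary file by reading the first packet tag (RFC 4880), looking inside a compressed packet if needed. The function names and the sample bytes are constructed for illustration.

```python
import zlib

# OpenPGP packet tags (RFC 4880, section 4.3) that decide the answer.
ENCRYPTED_TAGS = {1, 3, 9, 18}  # PKESK, SKESK, encrypted data, SEIPD
SIGNED_TAGS = {2, 4}            # signature, one-pass signature

def first_packet(data):
    """Return (tag, body) of the first packet in binary OpenPGP data."""
    if not data or not data[0] & 0x80:
        raise ValueError("no binary OpenPGP packet header (armored input?)")
    head = data[0]
    if head & 0x40:                      # new-format header
        tag, first = head & 0x3F, data[1]
        if first < 192:
            start, length = 2, first
        elif first < 224:
            start, length = 3, ((first - 192) << 8) + data[2] + 192
        elif first == 255:
            start, length = 6, int.from_bytes(data[2:6], "big")
        else:                            # partial body: first chunk suffices here
            start, length = 2, 1 << (first & 0x1F)
    else:                                # old-format header
        tag, ltype = (head >> 2) & 0x0F, head & 0x03
        if ltype == 3:                   # indeterminate: body runs to end of input
            start, length = 1, len(data) - 1
        else:
            size = 1 << ltype            # 1, 2 or 4 length octets
            start, length = 1 + size, int.from_bytes(data[1:1 + size], "big")
    return tag, data[start:start + length]

def classify(data):
    """Return 'encrypted', 'signed', 'literal' or 'other' for a binary message."""
    tag, body = first_packet(data)
    if tag == 8:                         # compressed data: inspect what is inside
        wbits = {1: -15, 2: 15}.get(body[0])   # 1 = raw DEFLATE, 2 = zlib
        if wbits is None:
            return "other"
        tag, _ = first_packet(zlib.decompressobj(wbits).decompress(body[1:]))
    if tag in ENCRYPTED_TAGS:
        return "encrypted"
    if tag in SIGNED_TAGS:
        return "signed"
    return "literal" if tag == 11 else "other"

# Constructed samples, not real release files.
OPS_PACKET = bytes([0xC4, 13, 3, 0, 8, 17]) + bytes(8) + b"\x01"  # one-pass signature
LIT_PACKET = bytes([0xCB, 10]) + b"b\x00" + bytes(4) + b"data"    # literal data
SIGNED_SAMPLE = b"\xa3\x01" + zlib.compress(OPS_PACKET + LIT_PACKET)[2:-4]
ENCRYPTED_SAMPLE = bytes([0x85, 0x01, 0x0C]) + bytes(268)         # PKESK header + filler
```

A result of `signed` only describes the container; whether the signature is good still has to come from gpg run against the package's keyring.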