Bug#800704: [uscan] please allow multiple pgpsigmangleurl for a single line

Osamu Aoki osamu at debian.org
Wed Oct 7 12:38:25 UTC 2015


Hi,

The PGP signature check can be used only if we have such a file available in
the upstream archive.

> This is my current watchfile:
> 
> ---------------------------------------------------------
> version=4
> 
> opts="\
> uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha|b|a)[\-\.]?\d*)$/$1~$2/, \
> dversionmangle=s/\+(debian|dfsg|ds|deb)\d*$//, \
> pgpmode=next" \
> https://launchpad.net/inkscape (?:.*/)?inkscape[_\-\.]?(\d\S+)\.(?:tgz|txz|tar\.(?:bz2|gz|z2|xz)) debian
> 
> opts="pgpmode=previous" https://launchpad.net/inkscape (?:.*/)?inkscape[_\-\.]?(\d\S+)\.(?:tgz|txz|tar\.(?:bz2|gz|z2|xz)).(?:asc|pgp|gpg|sig) previous uupdate
> ---------------------------------------------------------

https://launchpad.net/inkscape has no link to a sigfile.
 
> but:
> 
> % ~/devel/devscripts/devscripts/scripts/uscan.pl --verbose --report --debug
> [...]
...
> uscan.pl warning: Unable to set versionmode=prev for the line without opts=pgpmode=prev
>   in debian/watch, skipping:

I understand that this error message can be improved.

>   https://launchpad.net/inkscape (?:.*/)?inkscape[_\-\.]?(\d\S+)\.(?:tgz|txz|tar\.(?:bz2|gz|z2|xz)).(?:asc|pgp|gpg|sig) previous uupdate
> -- Scan finished

There is no link from https://launchpad.net/inkscape as I see on the web page.
uscan cannot find the sig file.

Of course, a human is smarter.  The signature is only published on its
version-specific release note, such as here
https://inkscape.org/en/gallery/item/3860/ as
https://inkscape.global.ssl.fastly.net/media/resources/sigs/inkscape-0.91.tar.bz2.sig

The directory of the signature file is not accessible, so that is not
usable... nor is there any computer-usable page listing the URL of the
signature.  The best you can do is to ask upstream to publish the signature
file URL at https://inkscape.org/en/download/source/ together with
the tar.gz URL.  Or update the launchpad page to publish the signature URL......

   !!! WAIT !!!  !!! I FOUND IT !!!

Why didn't you use this page to make the uscan watch file?

  https://launchpad.net/inkscape/+download

Using this watch URL with the rest the same as your watch file, and getting the
public key from https://inkscape.org/en/download/:

$ uscan
pkg: Newer version (0.91) available on remote site:
  https://launchpad.net/inkscape/0.91.x/0.91/+download/inkscape-0.91.tar.gz
  (local version is 0.0)
Successfully downloaded updated package inkscape-0.91.tar.gz
Successfully symlinked ../inkscape-0.91.tar.gz to ../pkg_0.91.orig.tar.gz.
pkg: Newer version (0.91) available on remote site:
  https://launchpad.net/inkscape/0.91.x/0.91/+download/inkscape-0.91.tar.gz.sig
  (local version is 0~0~0~0~0~0dummy)
gpgv: Signature made Wed 28 Jan 2015 04:57:21 PM JST using DSA key ID E0E67611
gpgv: Good signature from "Bryce Harrington <bryce.harrington at ubuntu.com>"
gpgv:                 aka "Bryce Harrington <bryce at bryceharrington.org>"
gpgv:                 aka "Bryce Harrington <bryce at canonical.com>"
gpgv:                 aka "Bryce Harrington <bryce.harrington at canonical.com>"
gpgv:                 aka "Bryce Harrington <bryce at ubuntu.com>"
Successfully downloaded updated package inkscape-0.91.tar.gz.sig
uupdate: debian/source/format is "3.0 (quilt)".
uupdate: Auto-generating pkg_0.0-1.debian.tar.xz
dpkg-source: info: extracting pkg in pkg-0.91
dpkg-source: info: unpacking pkg_0.91.orig.tar.gz
dpkg-source: info: unpacking pkg_0.91-1.debian.tar.xz
Remember: Your current directory is changed back to the old source tree!
Do a "cd ../pkg-0.91" to see the new source tree and

So it works.  (Obviously, I am testing from a bogus test package.)

Maybe adding how to merge two keys into one keyring may be a good idea.
Also, enabling just checking the signature with an existing tarball is nice.

Maybe after these, let me ask for merging this branch into main.

Osamu
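
A simplified model of the matching discussed in this message, as an added example (not uscan's code and not part of the original post): it applies the two patterns from the quoted watch file to the links of a single page and reports whether each tarball version has a signature link on that same page, which is what the `pgpmode=previous` line needs. The two HTML snippets are constructed from the URLs in the message, and matching each whole `href` against the pattern is a simplifying assumption.

```python
import re
from html.parser import HTMLParser

# Patterns copied from the watch file quoted in the message.
TARBALL = r"(?:.*/)?inkscape[_\-\.]?(\d\S+)\.(?:tgz|txz|tar\.(?:bz2|gz|z2|xz))"
SIGFILE = TARBALL + r".(?:asc|pgp|gpg|sig)"


class Hrefs(HTMLParser):
    """Collect href values of <a> tags, the only place this model looks."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]


def versions(html, pattern):
    """Map upstream version -> href for every link the whole pattern matches."""
    parser = Hrefs()
    parser.feed(html)
    found = {}
    for href in parser.links:
        m = re.fullmatch(pattern, href)
        if m:
            found[m.group(1)] = href
    return found


def pair_report(html):
    """For each tarball version, the signature href on the same page, or None."""
    sigs = versions(html, SIGFILE)
    return {v: sigs.get(v) for v in versions(html, TARBALL)}


# Constructed sample pages (not fetched). BASE is taken from the uscan output
# in the message; the project page is assumed to link the tarball only.
BASE = "https://launchpad.net/inkscape/0.91.x/0.91/+download/inkscape-0.91.tar.gz"
PROJECT_PAGE = f'<a href="{BASE}">inkscape-0.91.tar.gz</a>'
DOWNLOAD_PAGE = PROJECT_PAGE + f'<a href="{BASE}.sig">signature</a>'

if __name__ == "__main__":
    print("project page :", pair_report(PROJECT_PAGE))
    print("+download    :", pair_report(DOWNLOAD_PAGE))
```

A version that maps to `None` means the watched page carries no signature link for that tarball, so there is nothing for the signature check to verify against.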
