Bug#812860: /usr/bin/uscan: [uscan] failure to download and verify package.tar.xz with package.sign
Uwe Kleine-König
ukleinek at debian.org
Wed Jan 27 10:36:52 UTC 2016
Package: devscripts
Version: 2.15.10
Severity: normal
File: /usr/bin/uscan
Control: user adn+deb at diwi.org
Control: usertag -1 + uscan
Hello,

I started experimenting with uscan's pgp mechanism to verify the
signature of rt-tests. You can reproduce my tests using:

    debcheckout rt-tests
    cd rt-tests
    echo > debian/watch 'version=4'
    echo >> debian/watch
    echo >> debian/watch 'opts="pgpsigurlmangle=s%.xz$%.sign%, decompress" \'
    echo >> debian/watch 'http://www.kernel.org/pub/linux/utils/rt-tests/rt-tests-(.*)\.tar\.xz'

now running

    uscan --debug

ends in

    uscan: Downloading OpenPGP signature from
    http://www.kernel.org/pub/linux/utils/rt-tests/rt-tests-0.96.tar.sign (pgpsigurlmangled)
    as rt-tests-0.96.tar.xz.pgp
    uscan info: Requesting URL:
    http://www.kernel.org/pub/linux/utils/rt-tests/rt-tests-0.96.tar.sign
    uscan warn: FAIL Checking OpenPGP signature (no upstream tarball downloaded).
    uscan info: Scan finished

(Here I would have expected a more verbose output to explain the FAIL.)

My expectation is that uscan downloads rt-tests-0.96.tar.xz and
rt-tests-0.96.tar.sign, does something like:

    xzcat rt-tests-0.96.tar.xz | gpg --verify rt-tests-0.96.tar.sign -

with the right keyring added to the mix and then links it to
rt-tests_0.96.orig.tar.xz.

When doing:

    cd ..
    wget http://www.kernel.org/pub/linux/utils/rt-tests/rt-tests-0.96.tar.xz
    cd rt-tests

and starting uscan again I get:

    uscan: uscan (version 2.15.10) See uscan(1) for help
    uscan: Scan watch files in .
    uscan: ./debian/changelog sets package="rt-tests" version="0.96"
    uscan: Newest version on remote site is 0.96, local version is 0.96
    uscan: => Package is up to date
    uscan: Don't download and use the existing file: rt-tests-0.96.tar.xz
    uscan: Downloading OpenPGP signature from
    http://www.kernel.org/pub/linux/utils/rt-tests/rt-tests-0.96.tar.sign (pgpsigurlmangled)
    as rt-tests-0.96.tar.pgp
    gpgv: Signature made Thu 22 Oct 2015 12:41:14 PM CEST using RSA key ID 639D2D16
    gpgv: Good signature from "John Kacur <jkacur at gmail.com>"
    gpgv: aka "John Kacur <jkacur at redhat.com>"
    uscan: Successfully downloaded package rt-tests-0.96.tar.xz
    Could not read ../rt-tests-0.96.tar.xz: No such file or directory at /usr/bin/mk-origtargz line 361.
    uscan: error: mk-origtargz --package rt-tests --version 0.96 --compression gzip --directory .. --copyright-file debian/copyright ../rt-tests-0.96.tar.xz gave error exit status 2

where the problem seems to be that uscan decompresses the archive but in
the same go removes the tar.xz for mk-origtargz.

Without decompress in the options the signature verification obviously
fails.

Is this just me using uscan in a wrong way, or is there something fishy
with uscan? In the first case an example would be great.

Best regards
Uwe

-- Package-specific info:
--- /etc/devscripts.conf ---
--- ~/.devscripts ---
BTS_CACHE=no
DEBCHANGE_RELEASE_HEURISTIC=changelog
DEBSIGN_KEYID=32669bd6
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (800, 'testing'), (600, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages devscripts depends on:
ii dpkg-dev 1.18.4
ii libc6 2.21-6
ii perl 5.22.1-4
pn python3:any <none>
Versions of packages devscripts recommends:
ii apt 1.2
ii at 3.1.18-2
ii curl 7.46.0-1
ii dctrl-tools 2.24-1
ii debian-keyring 2016.01.20
ii dput-ng [dput] 1.10
ii equivs 2.0.9+nmu1
ii fakeroot 1.20.2-1
ii file 1:5.25-2
ii gnupg 1.4.20-1
ii gnupg2 2.0.28-3
ii libdistro-info-perl 0.14
ii libencode-locale-perl 1.05-1
ii libjson-perl 2.90-1
ii liblwp-protocol-https-perl 6.06-2
ii libsoap-lite-perl 1.19-1
ii liburi-perl 1.71-1
ii libwww-perl 6.15-1
ii lintian 2.5.39.1
ii man-db 2.7.5-1
ii patch 2.7.5-1
ii patchutils 0.3.4-1
ii python3-debian 0.1.27
ii python3-magic 1:5.25-2
ii sensible-utils 0.0.9
ii strace 4.10-3
ii unzip 6.0-20
ii wdiff 1.2.2-1+b1
ii wget 1.17.1-1
ii xz-utils 5.1.1alpha+20120614-2.1
Versions of packages devscripts suggests:
ii build-essential 11.7
pn cvs-buildpackage <none>
pn debbindiff <none>
pn devscripts-el <none>
pn gnuplot <none>
ii gpgv 1.4.20-1
ii libauthen-sasl-perl 2.1600-1
ii libfile-desktopentry-perl 0.22-1
ii libnet-smtp-ssl-perl 1.03-1
pn libterm-size-perl <none>
ii libtimedate-perl 2.3000-2
pn libyaml-syck-perl <none>
pn mozilla-devscripts <none>
ii mutt 1.5.24-1
ii openssh-client [ssh-client] 1:7.1p2-2
ii s-nail [mailx] 14.8.6-1
pn svn-buildpackage <none>
pn w3m <none>
-- no debconf information
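
Added example (not part of the original report, and not uscan's own code): the workflow the report expects, written in Python. It derives the signature name with the watch file's s%.xz$%.sign% rule, checks the decompressed tar with gpgv while leaving the .tar.xz in place, and creates the orig link only after a successful check. The function names, the injectable `verifier` parameter and the keyring argument are assumptions made for this example.

```python
import lzma
import re
import shutil
import subprocess
import tempfile
from pathlib import Path


def mangle(name):
    """Apply the report's pgpsigurlmangle rule s%.xz$%.sign% to a URL or file name."""
    return re.sub(r".xz$", ".sign", name)


def gpgv_verify(tar_path, sig_path, keyring):
    """Check a detached signature with gpgv; True only when gpgv exits 0."""
    # An absolute keyring path stops gpgv from looking it up in its home directory.
    cmd = ["gpgv", "--keyring", str(Path(keyring).resolve()), str(sig_path), str(tar_path)]
    return subprocess.run(cmd).returncode == 0


def verify_and_link(tarball, package, version, keyring, verifier=gpgv_verify):
    """Verify the decompressed tar, keep the .tar.xz, link the orig name to it."""
    tarball = Path(tarball)
    sig = tarball.with_name(mangle(tarball.name))
    if not sig.is_file():
        raise FileNotFoundError(f"signature not downloaded: {sig}")
    # The .sign file covers the uncompressed tar, so decompress into a scratch
    # file for the check; the downloaded .tar.xz is only read, never removed.
    with tempfile.NamedTemporaryFile(suffix=".tar") as scratch:
        with lzma.open(tarball, "rb") as src:
            shutil.copyfileobj(src, scratch)
        scratch.flush()
        if not verifier(scratch.name, sig, keyring):
            raise RuntimeError(f"signature check failed for {tarball.name}")
    # Only a verified tarball gets the <package>_<version>.orig.tar.xz name.
    orig = tarball.with_name(f"{package}_{version}.orig.tar.xz")
    if orig.is_symlink() or orig.exists():
        orig.unlink()
    orig.symlink_to(tarball.name)
    return orig


if __name__ == "__main__":
    url = "http://www.kernel.org/pub/linux/utils/rt-tests/rt-tests-0.96.tar.xz"
    print(mangle(url))
```

The keyring passed to `gpgv_verify` must be one gpgv can read and must contain the upstream signing key; gpgv treats every key in that keyring as trusted.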