[devscripts] 01/03: When signing .changes, also sign .buildinfo files that they refer to
Ximin Luo
infinity0 at debian.org
Thu Feb 16 17:18:52 UTC 2017
This is an automated email from the git hooks/post-receive script.
infinity0 pushed a commit to branch pu/debsign-buildinfo
in repository devscripts.
commit 0207d9493a24decfba5e533c2efa75e1e2e335db
Author: Ximin Luo <infinity0 at debian.org>
Date: Thu Feb 16 16:19:38 2017 +0100
When signing .changes, also sign .buildinfo files that they refer to
---
scripts/debsign.bash_completion | 1 +
scripts/debsign.sh | 312 ++++++++++++++++++++++++----------------
2 files changed, 193 insertions(+), 120 deletions(-)
diff --git a/scripts/debsign.bash_completion b/scripts/debsign.bash_completion
index 05edd8a..7d396f9 100644
--- a/scripts/debsign.bash_completion
+++ b/scripts/debsign.bash_completion
@@ -20,6 +20,7 @@ _debsign()
*)
COMPREPLY=( $(
compgen -G "${cur}*.changes"
+ compgen -G "${cur}*.buildinfo"
compgen -G "${cur}*.dsc"
compgen -G "${cur}*.commands"
compgen -W "$options" | grep "^$cur"
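Review bot: The completion now offers `*.buildinfo` files, but the argument `case` patched later in this commit (`@@ -679,17 +748,20 @@` in scripts/debsign.sh) shows arms only for `*.dsc`, `*.changes` and `*.commands`. Unless a `*.buildinfo)` arm exists outside that hunk, completing to a .buildinfo file yields an argument that debsign does not handle. Either add the arm or drop this completion line so the two files agree.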
diff --git a/scripts/debsign.sh b/scripts/debsign.sh
index 403bb4c..91dd9b7 100755
--- a/scripts/debsign.sh
+++ b/scripts/debsign.sh
@@ -114,6 +114,10 @@ temp_filename() {
echo "$filename"
}
+to_bool() {
+ if "$@"; then echo true; else echo false; fi
+}
+
movefile() {
if [ -w "$(dirname "$2")" ]; then
mv -f -- "$1" "$2"
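Review bot: `to_bool` has no comment, and its output is later executed as a command (`if $hasdsc; then`, `if $hasbuildinfo; then`), which is not obvious from the definition. A header such as `# Run "$@"; print "true" on exit status 0 and "false" on any other status. Callers execute the result as a command.` would document the contract. Any failure of the wrapped command, for example grep on an unreadable file, is folded into `false` just like a plain non-match, and the comment should say so.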
@@ -199,14 +203,24 @@ withecho () {
"$@"
}
+file_is_already_signed() {
+ test "$(head -n 1 "$1")" = "-----BEGIN PGP SIGNED MESSAGE-----"
+}
+
+unsignfile() {
+ UNSIGNED_FILE="$(temp_filename "$1" "unsigned")"
+
+ sed -e '1,/^$/d; /^$/,$d' "$1" > "$UNSIGNED_FILE"
+ movefile "$UNSIGNED_FILE" "$1"
+}
+
# Has the dsc file already been signed, perhaps from a previous, partially
# successful invocation of debsign? We give the user the option of
# resigning the file or accepting it as is. Returns success if already
# and failure if the file needs signing. Parameters: $1=filename,
# $2=file description for message (dsc or changes)
check_already_signed () {
- [ "`head -n 1 \"$1\"`" = "-----BEGIN PGP SIGNED MESSAGE-----" ] || \
- return 1
+ file_is_already_signed "$1" || return 1
local resign
if [ "$opt_re_sign" = "true" ]; then
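Review bot: `unsignfile` moves the sed output over the original without checking that sed succeeded, so a failed strip can replace the control file with a truncated or empty one unless the script runs under `set -e`, which is not visible in this hunk. Chaining the two steps, `sed -e '1,/^$/d; /^$/,$d' "$1" > "$UNSIGNED_FILE" && movefile "$UNSIGNED_FILE" "$1"`, makes the dependency explicit. `file_is_already_signed` should carry a comment that it only compares the first line with the armor header and does not verify any signature, for example `# Heuristic: true if the first line is the PGP clearsign header; the signature itself is not checked.`. `head -n 1 -- "$1"` would also protect against a file name starting with `-`.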
@@ -228,10 +242,7 @@ check_already_signed () {
[ "$resign" = "true" ] || \
return 0
- UNSIGNED_FILE="$(temp_filename "$1" "unsigned")"
-
- sed -e '1,/^$/d; /^$/,$d' "$1" > "$UNSIGNED_FILE"
- movefile "$UNSIGNED_FILE" "$1"
+ withecho unsignfile "$1"
return 1
}
@@ -363,6 +374,119 @@ if [ -z "$signcommand" ]; then
exit 1
fi
+ensure_local_copy() {
+ local remotehost="$1"
+ local remotefile="$2"
+ local file="$3"
+ local type="$4"
+ if [ -n "$remotehost" ]
+ then
+ withecho scp "$remotehost:$remotefile" "$file"
+ fi
+
+ if [ ! -f "$file" -o ! -r "$file" ]
+ then
+ echo "$PROGNAME: Can't find or can't read $type file $file!" >&2
+ exit 1
+ fi
+}
+
+fixup_control() {
+ local filter_out="$1"
+ local childtype="$2"
+ local parenttype="$3"
+ local child="$4"
+ local parent="$5"
+ test -r "$child" || {
+ echo "$PROGNAME: Can't read .$childtype file $child!" >&2
+ return 1
+ }
+
+ local md5=$(md5sum "$child" | cut -d' ' -f1)
+ local sha1=$(sha1sum "$child" | cut -d' ' -f1)
+ local sha256=$(sha256sum "$child" | cut -d' ' -f1)
+ perl -i -pe 'BEGIN {
+ '" \$file=\"$child\"; \$md5=\"$md5\"; "'
+ '" \$sha1=\"$sha1\"; \$sha256=\"$sha256\"; "'
+ $size=(-s $file); ($base=$file) =~ s|.*/||;
+ $infiles=0; $insha1=0; $insha256=0; $format="";
+ }
+ if(/^Format:\s+(.*)/) {
+ $format=$1;
+ die "Unrecognised .$parenttype format: $format\n"
+ unless $format =~ /^\d+(\.\d+)*$/;
+ ($major, $minor) = split(/\./, $format);
+ $major+=0;$minor+=0;
+ die "Unsupported .$parenttype format: $format\n"
+ if('"$filter_out"');
+ }
+ /^Files:/i && ($infiles=1,$insha1=0,$insha256=0);
+ if(/^Checksums-Sha1:/i) {$insha1=1;$infiles=0;$insha256=0;}
+ elsif(/^Checksums-Sha256:/i) {
+ $insha256=1;$infiles=0;$insha1=0;
+ } elsif(/^Checksums-.*?:/i) {
+ die "Unknown checksum format: $_\n";
+ }
+ /^\s*$/ && ($infiles=0,$insha1=0,$insha256=0);
+ if ($infiles &&
+ /^ (\S+) (\d+) (\S+) (\S+) \Q$base\E\s*$/) {
+ $_ = " $md5 $size $3 $4 $base\n";
+ $infiles=0;
+ }
+ if ($insha1 &&
+ /^ (\S+) (\d+) \Q$base\E\s*$/) {
+ $_ = " $sha1 $size $base\n";
+ $insha1=0;
+ }
+ if ($insha256 &&
+ /^ (\S+) (\d+) \Q$base\E\s*$/) {
+ $_ = " $sha256 $size $base\n";
+ $insha256=0;
+ }' "$parent"
+}
+
+fixup_buildinfo() {
+ fixup_control '$major < 1 and $minor < 2' dsc buildinfo "$@"
+}
+
+fixup_changes() {
+ local childtype="$1"
+ shift
+ fixup_control '$major!=1 or $minor > 8 or $minor < 7' $childtype changes "$@"
+}
+
+withtempfile() {
+ local filetype="$1"
+ local mainfile="$2"
+ shift 2
+ local temp_file="$(temp_filename "$mainfile" "temp")"
+ cp "$mainfile" "$temp_file"
+ if "$@" "$temp_file"; then
+ if ! cmp -s "$mainfile" "$temp_file"; then
+ # emulate output of "withecho" but on the mainfile
+ echo " $@" "$mainfile" >&2
+ fi
+ movefile "$temp_file" "$mainfile"
+ else
+ rm "$temp_file"
+ echo "$PROGNAME: Error processing .$filetype file (see above)" >&2
+ exit 1
+ fi
+}
+
+guess_signas() {
+ if [ -n "$maint" ]
+ then maintainer="$maint"
+ # Try the new "Changed-By:" field first
+ else maintainer=`sed -n 's/^Changed-By: //p' $1`
+ fi
+ if [ -z "$maint" ]
+ then maintainer=`sed -n 's/^Maintainer: //p' $1`
+ fi
+
+ echo "${signkey:-$maintainer}"
+}
+
dosigning() {
# Do we have to download the changes file?
if [ -n "$remotehost" ]
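Review bot: `guess_signas` tests `[ -z "$maint" ]` before falling back to `Maintainer:`, so whenever `$maint` is empty the `Changed-By:` value just read is overwritten and the .changes path now defaults to the Maintainer as signing identity; the removed .changes code tested `$maintainer`. The line should read `if [ -z "$maintainer" ]`, and both sed calls should quote `"$1"`. In `fixup_control` the die messages use `$parenttype` inside the single-quoted Perl text, where it is an unset Perl variable rather than the shell local, so the message names no file type. `$child` is also still spliced into the Perl source as a double-quoted string, so a file name containing `"`, `$` or `@` alters the program; exporting both values and reading them through `$ENV{...}` in the BEGIN block avoids that. `local md5=$(…)` and its two siblings also mask a failing checksum command; declaring first and assigning on a separate line keeps the exit status.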
@@ -371,10 +495,12 @@ dosigning() {
cd "$remotefilesdir"
remotechanges=$changes
+ remotebuildinfo=$buildinfo
remotedsc=$dsc
remotecommands=$commands
remotedir="`perl -e 'chomp($_="'"$dsc"'"); m%/% && s%/[^/]*$%% && print'`"
changes=`basename "$changes"`
+ buildinfo=`basename "$buildinfo"`
dsc=`basename "$dsc"`
commands=`basename "$commands"`
@@ -404,113 +530,68 @@ dosigning() {
if [ -n "$changes" ]
then
- if [ ! -f "$changes" -o ! -r "$changes" ]
- then
- echo "$PROGNAME: Can't find or can't read changes file $changes!" >&2
- exit 1
- fi
+ signas="$(guess_signas "$changes")"
+ hasdsc="$(to_bool grep -q `basename "$dsc"` "$changes")"
+ hasbuildinfo="$(to_bool grep -q `basename "$buildinfo"` "$changes")"
- check_already_signed "$changes" "changes" && {
+ ensure_local_copy "" "" "$changes" changes
+ if check_already_signed "$changes" "changes"; then
echo "Leaving current signature unchanged." >&2
- return
- }
- if [ -n "$maint" ]
- then maintainer="$maint"
- # Try the "Changed-By:" field first
- else maintainer=`sed -n 's/^Changed-By: //p' $changes`
- fi
- if [ -z "$maintainer" ]
- then maintainer=`sed -n 's/^Maintainer: //p' $changes`
- fi
-
- signas="${signkey:-$maintainer}"
-
- # Is there a dsc file listed in the changes file?
- if grep -q `basename "$dsc"` "$changes"
- then
- if [ -n "$remotehost" ]
- then
- withecho scp "$remotehost:$remotedsc" "$dsc"
- fi
-
- if [ ! -f "$dsc" -o ! -r "$dsc" ]
- then
- echo "$PROGNAME: Can't find or can't read dsc file $dsc!" >&2
- exit 1
- fi
- check_already_signed "$dsc" "dsc" || withecho signfile "$dsc" "$signas"
- dsc_md5=`md5sum $dsc | cut -d' ' -f1`
- dsc_sha1=`sha1sum $dsc | cut -d' ' -f1`
- dsc_sha256=`sha256sum $dsc | cut -d' ' -f1`
-
- temp_changes="$(temp_filename "$changes" "temp")"
- cp "$changes" "$temp_changes"
- if perl -i -pe 'BEGIN {
- '" \$dsc_file=\"$dsc\"; \$dsc_md5=\"$dsc_md5\"; "'
- '" \$dsc_sha1=\"$dsc_sha1\"; \$dsc_sha256=\"$dsc_sha256\"; "'
- $dsc_size=(-s $dsc_file); ($dsc_base=$dsc_file) =~ s|.*/||;
- $infiles=0; $insha1=0; $insha256=0; $format="";
- }
- if(/^Format:\s+(.*)/) {
- $format=$1;
- die "Unrecognised .changes format: $format\n"
- unless $format =~ /^\d+(\.\d+)*$/;
- ($major, $minor) = split(/\./, $format);
- $major+=0;$minor+=0;
- die "Unsupported .changes format: $format\n"
- if($major!=1 or $minor > 8 or $minor < 7);
- }
- /^Files:/i && ($infiles=1,$insha1=0,$insha256=0);
- if(/^Checksums-Sha1:/i) {$insha1=1;$infiles=0;$insha256=0;}
- elsif(/^Checksums-Sha256:/i) {
- $insha256=1;$infiles=0;$insha1=0;
- } elsif(/^Checksums-.*?:/i) {
- die "Unknown checksum format: $_\n";
- }
- /^\s*$/ && ($infiles=0,$insha1=0,$insha256=0);
- if ($infiles &&
- /^ (\S+) (\d+) (\S+) (\S+) \Q$dsc_base\E\s*$/) {
- $_ = " $dsc_md5 $dsc_size $3 $4 $dsc_base\n";
- $infiles=0;
- }
- if ($insha1 &&
- /^ (\S+) (\d+) \Q$dsc_base\E\s*$/) {
- $_ = " $dsc_sha1 $dsc_size $dsc_base\n";
- $insha1=0;
- }
- if ($insha256 &&
- /^ (\S+) (\d+) \Q$dsc_base\E\s*$/) {
- $_ = " $dsc_sha256 $dsc_size $dsc_base\n";
- $insha256=0;
- }' "$temp_changes"
- then
- movefile "$temp_changes" "$changes"
- else
- rm "$temp_changes"
- echo "$PROGNAME: Error processing .changes file (see above)" >&2
- exit 1
- fi
-
- withecho signfile "$changes" "$signas"
+ else
- if [ -n "$remotehost" ]
- then
- withecho scp "$changes" "$dsc" "$remotehost:$remotedir"
- PRECIOUS_FILES=$(($PRECIOUS_FILES - 2))
+ if $hasbuildinfo; then
+ ensure_local_copy "$remotehost" "$remotebuildinfo" "$buildinfo" buildinfo
+ if check_already_signed "$buildinfo" "buildinfo"; then
+ echo "Leaving current signature unchanged." >&2
+ else
+ if $hasdsc; then
+ ensure_local_copy "$remotehost" "$remotedsc" "$dsc" dsc
+ check_already_signed "$dsc" dsc || withecho signfile "$dsc" "$signas"
+ withtempfile "buildinfo" "$buildinfo" fixup_buildinfo "$dsc"
+ withtempfile "changes" "$changes" fixup_changes dsc "$dsc"
+ fi
+ withecho signfile "$buildinfo" "$signas"
+ withtempfile "changes" "$changes" fixup_changes buildinfo "$buildinfo"
+ fi
+ elif $hasdsc; then
+ ensure_local_copy "$remotehost" "$remotedsc" "$dsc" dsc
+ check_already_signed "$dsc" dsc || withecho signfile "$dsc" "$signas"
+ withtempfile "changes" "$changes" fixup_changes dsc "$dsc"
fi
- echo "Successfully signed dsc and changes files"
- else
withecho signfile "$changes" "$signas"
+ fi
- if [ -n "$remotehost" ]
- then
- withecho scp "$changes" "$remotehost:$remotedir"
- PRECIOUS_FILES=$(($PRECIOUS_FILES - 1))
- fi
+ case "$hasdsc $hasbuildinfo" in
+ "false false")
+ filetypes="changes file"
+ filessigned=1
+ withecho_scp() { withecho scp "$changes" "$@"; }
+ ;;
+ "true false")
+ filetypes="dsc and changes files"
+ filessigned=2
+ withecho_scp() { withecho scp "$changes" "$dsc" "$@"; }
+ ;;
+ "false true")
+ filetypes="buildinfo and changes files"
+ filessigned=2
+ withecho_scp() { withecho scp "$changes" "$buildinfo" "$@"; }
+ ;;
+ "true true")
+ filetypes="dsc, buildinfo and changes files"
+ filessigned=3
+ withecho_scp() { withecho scp "$changes" "$buildinfo" "$dsc" "$@"; }
+ ;;
+ esac
- echo "Successfully signed changes file"
+ if [ -n "$remotehost" ]
+ then
+ withecho_scp "$remotehost:$remotedir"
+ PRECIOUS_FILES=$(($PRECIOUS_FILES - filessigned))
fi
+
+ echo "Successfully signed $filetypes"
elif [ -n "$commands" ] # sign .commands file
then
if [ ! -f "$commands" -o ! -r "$commands" ]
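Review bot: When the .changes file is already signed and the user keeps the signature, the new `if check_already_signed "$changes" "changes"; then` branch no longer returns, so control falls through to the `case`, the scp back to the remote host and `echo "Successfully signed $filetypes"` although nothing was signed; the removed code returned at that point. Adding `return` after `echo "Leaving current signature unchanged." >&2` restores the old behaviour. One level down the same pattern applies: if the existing .buildinfo signature is kept, the .dsc is neither fetched nor signed, yet the summary can still list it as signed. `guess_signas` and the two `grep -q` probes also run before `ensure_local_copy` has confirmed that `$changes` is readable, and the basename is passed unquoted as a regex. `grep -qF -- "$(basename "$buildinfo")" "$changes"` placed after the readability check would be stricter.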
@@ -580,27 +661,13 @@ for valid format" >&2;
echo "Successfully signed commands file"
else # only a dsc file to sign; much easier
- if [ ! -f "$dsc" -o ! -r "$dsc" ]
- then
- echo "$PROGNAME: Can't find or can't read dsc file $dsc!" >&2
- exit 1
- fi
+ signas="$(guess_signas "$changes")"
+ ensure_local_copy "" "" "$dsc" dsc
check_already_signed "$dsc" dsc && {
echo "Leaving current signature unchanged." >&2
return
}
- if [ -n "$maint" ]
- then maintainer="$maint"
- # Try the new "Changed-By:" field first
- else maintainer=`sed -n 's/^Changed-By: //p' $dsc`
- fi
- if [ -z "$maint" ]
- then maintainer=`sed -n 's/^Maintainer: //p' $dsc`
- fi
-
- signas="${signkey:-$maintainer}"
-
withecho signfile "$dsc" "$signas"
if [ -n "$remotehost" ]
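Review bot: In the dsc-only branch `signas="$(guess_signas "$changes")"` passes `$changes`, which is empty here because this `else` is reached only when neither `$changes` nor `$commands` is set; the removed code read `Changed-By:` and `Maintainer:` from `$dsc`. Since `guess_signas` expands `$1` unquoted, sed receives no file operand and reads standard input, so with `$maint` empty the lookup either blocks or returns nothing from the .dsc. The call should be `signas="$(guess_signas "$dsc")"`, placed after `ensure_local_copy "" "" "$dsc" dsc`. The enclosing `dosigning` body starts and ends outside this hunk.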
@@ -654,9 +721,11 @@ case $# in
pv="${package}_${sversion}"
pva="${package}_${sversion}_${arch}"
dsc="$debsdir/$pv.dsc"
+ buildinfo="$debsdir/$pva.buildinfo"
changes="$debsdir/$pva.changes"
if [ -n "$multiarch" -o ! -r $changes ]; then
changes=$(ls "$debsdir/${package}_${sversion}_*+*.changes" "$debsdir/${package}_${sversion}_multi.changes" 2>/dev/null | head -1)
+ # TODO: what about buildinfo?
if [ -z "$multiarch" ]; then
if [ -n "$changes" ]; then
echo "$PROGNAME: could not find normal .changes file but found multiarch file:" >&2
@@ -679,17 +748,20 @@ case $# in
case "$1" in
*.dsc)
changes=
+ buildinfo=
dsc=$1
commands=
;;
*.changes)
changes=$1
+ buildinfo="${changes%.changes}.buildinfo"
dsc=`echo $changes | \
perl -pe 's/\.changes$/.dsc/; s/(.*)_(.*)_(.*)\.dsc/\1_\2.dsc/'`
commands=
;;
*.commands)
changes=
+ buildinfo=
dsc=
commands=$1
;;
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git