[devscripts] 02/02: uscan: Inability to verify GPG signature is a fatal error
James McCoy
jamessan at debian.org
Fri Jul 7 04:27:57 UTC 2017
This is an automated email from the git hooks/post-receive script.
jamessan pushed a commit to branch master
in repository devscripts.
commit 3f3efc9e5bc7b0d0fab70f523ecd26ae6b94d103
Author: James McCoy <jamessan at debian.org>
Date: Fri Jul 7 00:23:50 2017 -0400
uscan: Inability to verify GPG signature is a fatal error
If uscan successfully downloads an archive and is configured to verify
the GPG signature, then any failure to do so will cause uscan to exit
with an error. This includes not having the keyring, inability to
download the detached signature, and the actual gpg(v) verification
failing.
Signed-off-by: James McCoy <jamessan at debian.org>
---
debian/changelog | 3 +++
scripts/uscan.pl | 16 ++++++----------
2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 92081fe..55c03bd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -36,6 +36,9 @@ devscripts (2.17.7) UNRELEASED; urgency=medium
+ Use Dpkg::Version instead of shelling out to dpkg to compare upstream &
mangled versions. This improves the performance slightly and also
avoids dpkg's errors about malformed versions. (Closes: #866998)
+ + When GPG verification is configured but the verification fails (either
+ during actual verification or because of missing keyring/signature),
+ exit uscan with an error. (Closes: #841910)
* grep-excuses:
+ Use YAML::Syck to parse excuses.yaml instead of using regex to pick
apart update_excuses.html.
diff --git a/scripts/uscan.pl b/scripts/uscan.pl
index b5c93b9..ceeee71 100755
--- a/scripts/uscan.pl
+++ b/scripts/uscan.pl
@@ -3596,7 +3596,7 @@ EOF
uscan_verbose "Downloading OpenPGP signature from\n $pgpsig_url (pgpsigurlmangled)\n as $sigfile\n";
$signature_available = $downloader->($pgpsig_url, "$destdir/$sigfile", $options{'mode'});
} else { # -1, 0
- uscan_verbose "Don\'t downloading OpenPGP signature from\n $pgpsig_url (pgpsigurlmangled)\n as $sigfile\n";
+ uscan_verbose "Not downloading OpenPGP signature from\n $pgpsig_url (pgpsigurlmangled)\n as $sigfile\n";
$signature_available = (-e "$destdir/$sigfile") ? 1 : 0;
}
} elsif ($options{'pgpmode'} eq 'previous') {
@@ -3606,7 +3606,7 @@ EOF
uscan_verbose "Downloading OpenPGP signature from\n $pgpsig_url (pgpmode=previous)\n as $sigfile\n";
$signature_available = $downloader->($pgpsig_url, "$destdir/$sigfile", $options{'mode'});
} else { # -1, 0
- uscan_verbose "Don\'t downloading OpenPGP signature from\n $pgpsig_url (pgpmode=previous)\n as $sigfile\n";
+ uscan_verbose "Not downloading OpenPGP signature from\n $pgpsig_url (pgpmode=previous)\n as $sigfile\n";
$signature_available = (-e "$destdir/$sigfile") ? 1 : 0;
}
$download_available = $previous_download_available;
@@ -3620,14 +3620,12 @@ EOF
if ($signature == -1) {
uscan_verbose("SKIP Checking OpenPGP signature (by request).\n");
} elsif (! defined $keyring) {
- uscan_warn("FAIL Checking OpenPGP signature (no keyring).\n");
- return 1;
+ uscan_die("FAIL Checking OpenPGP signature (no keyring).\n");
} elsif ($download_available == 0) {
uscan_warn "FAIL Checking OpenPGP signature (no upstream tarball downloaded).\n";
return 1;
} elsif ($signature_available == 0) {
- uscan_warn("FAIL Checking OpenPGP signature (no signature file downloaded).\n");
- return 1;
+ uscan_die("FAIL Checking OpenPGP signature (no signature file downloaded).\n");
} else {
if ($signature ==0) {
uscan_verbose "Use the existing file: $sigfile\n";
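Review bot: the `$download_available == 0` branch in this hunk still warns and returns 1 while the neighbouring keyring and signature-file branches now `uscan_die`; if that asymmetry is deliberate (no tarball was fetched, so there is nothing unverified on disk to act on, as the commit message implies), a one-line comment on that branch would stop the next reader from "fixing" it. Note also that the by-request SKIP branch logs via `uscan_verbose` here but via `uscan_warn` in the otherwise identical block at line 3662 below, so the two code paths report the same condition at different levels.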
@@ -3662,8 +3660,7 @@ EOF
if ($signature == -1) {
uscan_warn("SKIP Checking OpenPGP signature (by request).\n");
} elsif (! defined $keyring) {
- uscan_warn("FAIL Checking OpenPGP signature (no keyring).\n");
- return 1;
+ uscan_die("FAIL Checking OpenPGP signature (no keyring).\n");
} elsif ($download_available == 0) {
uscan_warn "FAIL Checking OpenPGP signature (no signed upstream tarball downloaded).\n";
return 1;
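Review bot: this is the third copy of the keyring check now being switched to `uscan_die`, and the two verification blocks (this one and the one at line 3620) are near-duplicates that have already drifted (`uscan_warn` vs `uscan_verbose` on SKIP); consider factoring the keyring / tarball / signature-availability checks into one helper so the new fatal semantics are defined in a single place and cannot diverge again.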
@@ -3673,8 +3670,7 @@ EOF
'--no-options', '-q', '--batch', '--no-default-keyring',
'--keyring', $keyring, '--trust-model', 'always', '--decrypt', '-o',
"$destdir/$newfile_base", "$destdir/$sigfile_base") >> 8 == 0) {
- uscan_warn("OpenPGP signature did not verify.\n");
- return 1;
+ uscan_die("OpenPGP signature did not verify.\n");
}
}
$previous_newfile_base = undef;
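Review bot: after `uscan_die("OpenPGP signature did not verify.\n")` the downloaded `$destdir/$newfile_base` and `$destdir/$sigfile_base` remain on disk; since the earlier hunks reuse an existing signature file when `$signature == 0` (`Use the existing file: $sigfile`), consider whether the artifacts of a failed verification should be removed, or the failure made visible in the message (the gpg exit status from the `>> 8` expression is already at hand), so a rerun does not quietly pick them up and the log explains why verification failed.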
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git