[devscripts] 02/02: uscan: Inability to verify GPG signature is a fatal error

James McCoy jamessan at debian.org
Fri Jul 7 04:27:57 UTC 2017



jamessan pushed a commit to branch master
in repository devscripts.

commit 3f3efc9e5bc7b0d0fab70f523ecd26ae6b94d103
Author: James McCoy <jamessan at debian.org>
Date:   Fri Jul 7 00:23:50 2017 -0400

    uscan: Inability to verify GPG signature is a fatal error
    
    If uscan successfully downloads an archive and is configured to verify
    the GPG signature, then any failure to do so will cause uscan to exit
    with an error.  This includes not having the keyring, inability to
    download the detached signature, and the actual gpg(v) verification
    failing.
    
    Signed-off-by: James McCoy <jamessan at debian.org>
---
 debian/changelog |  3 +++
 scripts/uscan.pl | 16 ++++++----------
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 92081fe..55c03bd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -36,6 +36,9 @@ devscripts (2.17.7) UNRELEASED; urgency=medium
     + Use Dpkg::Version instead of shelling out to dpkg to compare upstream &
       mangled versions.  This improves the performance slightly and also
       avoids dpkg's errors about malformed versions.  (Closes: #866998)
+    + When GPG verification is configured but the verification fails (either
+      during actual verification or because of missing keyring/signature),
+      exit uscan with an error.  (Closes: #841910)
   * grep-excuses:
     + Use YAML::Syck to parse excuses.yaml instead of using regex to pick
       apart update_excuses.html.
diff --git a/scripts/uscan.pl b/scripts/uscan.pl
index b5c93b9..ceeee71 100755
--- a/scripts/uscan.pl
+++ b/scripts/uscan.pl
@@ -3596,7 +3596,7 @@ EOF
 	    uscan_verbose "Downloading OpenPGP signature from\n   $pgpsig_url (pgpsigurlmangled)\n   as $sigfile\n";
 	    $signature_available = $downloader->($pgpsig_url, "$destdir/$sigfile", $options{'mode'});
 	} else { # -1, 0
-	    uscan_verbose "Don\'t downloading OpenPGP signature from\n   $pgpsig_url (pgpsigurlmangled)\n   as $sigfile\n";
+	    uscan_verbose "Not downloading OpenPGP signature from\n   $pgpsig_url (pgpsigurlmangled)\n   as $sigfile\n";
 	    $signature_available = (-e "$destdir/$sigfile") ? 1 : 0;
 	}
     } elsif ($options{'pgpmode'} eq 'previous') {
@@ -3606,7 +3606,7 @@ EOF
 	    uscan_verbose "Downloading OpenPGP signature from\n   $pgpsig_url (pgpmode=previous)\n   as $sigfile\n";
 	    $signature_available = $downloader->($pgpsig_url, "$destdir/$sigfile", $options{'mode'});
 	} else { # -1, 0
-	    uscan_verbose "Don\'t downloading OpenPGP signature from\n   $pgpsig_url (pgpmode=previous)\n   as $sigfile\n";
+	    uscan_verbose "Not downloading OpenPGP signature from\n   $pgpsig_url (pgpmode=previous)\n   as $sigfile\n";
 	    $signature_available = (-e "$destdir/$sigfile") ? 1 : 0;
 	}
 	$download_available = $previous_download_available;
@@ -3620,14 +3620,12 @@ EOF
 	if ($signature == -1) {
 	    uscan_verbose("SKIP Checking OpenPGP signature (by request).\n");
 	} elsif (! defined $keyring) {
-	    uscan_warn("FAIL Checking OpenPGP signature (no keyring).\n");
-	    return 1;
+	    uscan_die("FAIL Checking OpenPGP signature (no keyring).\n");
 	} elsif ($download_available == 0) {
 	    uscan_warn "FAIL Checking OpenPGP signature (no upstream tarball downloaded).\n";
 	    return 1;
 	} elsif ($signature_available == 0) {
-	    uscan_warn("FAIL Checking OpenPGP signature (no signature file downloaded).\n");
-	    return 1;
+	    uscan_die("FAIL Checking OpenPGP signature (no signature file downloaded).\n");
 	} else {
 	    if ($signature ==0) {
 		uscan_verbose "Use the existing file: $sigfile\n";
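Review bot: The missing-keyring and missing-signature branches now call uscan_die while the no-tarball branch between them still warns and returns 1; that asymmetry is deliberate per the commit message but nothing at the branch says so, and the next reader may "fix" it. A one-line comment above the `$download_available == 0` test would settle it: `# Nothing was downloaded, so there is nothing to verify; only a downloaded tarball makes a failed check fatal.` The keyring check is duplicated verbatim in the next hunk at the `! defined $keyring` branch and could share one message constant or a small helper so the two cannot drift apart again. The enclosing function starts before this hunk, so I cannot see whether its caller iterates over several watch-file entries; if it does, the die now aborts the remaining entries as well, which would be worth stating in the changelog entry.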
@@ -3662,8 +3660,7 @@ EOF
 	if ($signature == -1) {
 	    uscan_warn("SKIP Checking OpenPGP signature (by request).\n");
 	} elsif (! defined $keyring) {
-	    uscan_warn("FAIL Checking OpenPGP signature (no keyring).\n");
-	    return 1;
+	    uscan_die("FAIL Checking OpenPGP signature (no keyring).\n");
 	} elsif ($download_available == 0) {
 	    uscan_warn "FAIL Checking OpenPGP signature (no signed upstream tarball downloaded).\n";
 	    return 1;
@@ -3673,8 +3670,7 @@ EOF
 		    '--no-options', '-q', '--batch', '--no-default-keyring',
 		    '--keyring', $keyring, '--trust-model', 'always', '--decrypt', '-o',
 		    "$destdir/$newfile_base", "$destdir/$sigfile_base") >> 8 == 0) {
-		uscan_warn("OpenPGP signature did not verify.\n");
-		return 1;
+		uscan_die("OpenPGP signature did not verify.\n");
 	    }
 	}
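Review bot: The gpg invocation writes its output to `$destdir/$newfile_base` via `--decrypt -o` before the exit status is examined, and the new uscan_die leaves that path untouched; with a warn-and-return the caller may have had a chance to clean up, but an immediate exit presumably does not (the enclosing block starts outside the hunk, so I cannot confirm what the caller does). If gpg wrote any output before reporting the bad signature, an unverified file now sits in the destination directory next to the error. Removing it before aborting keeps the failure state clean: `unlink "$destdir/$newfile_base";` immediately before `uscan_die("OpenPGP signature did not verify.\n");`. A short comment on the die line, `# abort rather than continue with an unverified tarball`, would also record why this case is fatal while the no-tarball case is not.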
 	$previous_newfile_base = undef;



