Bug#841910: uscan behaviour on multiple signatures

James McCoy jamessan at debian.org
Fri Jul 7 04:38:46 UTC 2017


On Thu, Jul 06, 2017 at 09:16:50AM +0200, Guido Günther wrote:
> On Wed, Oct 26, 2016 at 06:08:28PM -0400, James McCoy wrote:
> > On Mon, Oct 24, 2016 at 01:25:03PM +0200, Bernhard Schmidt wrote:
> > > asterisk$ gpg --import < debian/upstream/signing-key.asc 
> > > gpg: key DAB29B236B940F89: public key "Joshua Colp <jcolp at joshua-colp.com>" imported
> > > gpg: key 9C59F000777DCC45: public key "Kevin Harwell <kharwell at digium.com>" imported
> > > gpg: key 6CB44E557BD982D8: public key "Richard Mudgett <rmudgett at digium.com>" imported
> > > gpg: key 368AB332B59975F3: public key "George Joseph <gjoseph at digium.com>" imported
> > > gpg: Total number processed: 4
> > > gpg:               imported: 4
> > > 
> > > DAB29B236B940F89 is in signing-key.asc but there is no signature, and
> > > there is an additional signature from 8438CBA18D0CAA72
> > > 
> > > When this happens uscan exits with rc=0, but does not process the file
> > > further without any meaningful error message.
> > 
> > Indeed, uscan always exits with 0 if it found a newer version upstream.
> > When support for gpg verification was added, there wasn't an exit code
> > added to indicate that the verification failed.
> 
> This is IMHO a security issue since it violates the principle of least
> surprise and makes it hard to use in an automated way. Can uscan be
> changed to exit non-zero in case all signatures fail to validate? Maybe
> with a separate option (--fail-on-bad-sig)?

I've changed this behavior with
https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=3f3efc9
such that signature verification failures are fatal.

Cheers,
-- 
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7  2D23 DFE6 91AE 331B A3DB


