Bug#888046: devscripts: Support signatures against uncompressed tarballs
Osamu Aoki
osamu at debian.org
Wed Jan 24 14:44:50 UTC 2018
Hi,
I know I wrote code to check signature after decompression.
On Tue, Jan 23, 2018 at 10:46:55AM -0800, Vagrant Cascadian wrote:
> On 2018-01-23, Osamu Aoki wrote:
> > I am in a good mood to do my user support duty :-) So let me show.
...
> > The obvious way is to read the manpage of uscan. ... many ways but
> > something along
>
> I've read the uscan manpage quite a number of times, but even after
> using uscan for well over a decade and reading the manpage many times
> over the years, nothing really comes across as obvious. So there's a
> difference between reading the fine manual and comprehending
> it.
Please note the manpage had a major rewrite for the recent upload. The old one
certainly doesn't have such. Also, signature checking is a fairly new
feature.
> Fortunately, it's one of those things I get working once for a package
> and infrequently need to update it, so that's good.
Same here. I got sick of reading a very difficult manpage. So I rewrote
it.
> And yet...
>
> > version=4
> > opts="pgpmode=mangle, pgpsigurlmangle=s%tar\..z$%tar\.sign%" \
> > https://www.kernel.org/pub/software/utils/dtc/ \
> > @PACKAGE@@ANY_VERSION@@ARCHIVE_EXT@ \
> > debian uupdate
>
> Thanks for the suggestion...
Of course, I don't remember everything I did to uscan. So if it fails,
RTFM I wrote when I remember how I implemented it :-).
> with debian/watch:
>
> version=4
> opts="pgpmode=mangle, pgpsigurlmangle=s%tar\..z$%tar\.sign%" \
> https://www.kernel.org/pub/software/utils/dtc/ \
> dtc-@ANY_VERSION@@ARCHIVE_EXT@ \
> debian uupdate
>
> Using @PACKAGE@ didn't work because upstream is named differently
> (device-tree-compiler vs. dtc).
>
> But even with that fixed/worked around:
>
> uscan: Newest version of device-tree-compiler on remote site is 1.4.6,
> local version is 1.4.5
> uscan: => Newer package available from
> https://www.kernel.org/pub/software/utils/dtc/dtc-1.4.6.tar.xz
> gpgv: Signature made Tue Jan 2 22:12:20 2018 PST
> gpgv: using RSA key
> 75F46586AE61A66CC44E87DC6C38CACA20D9B392
> gpgv: BAD signature from "David Gibson <david at gibson.dropbear.id.au>"
> uscan die: OpenPGP signature did not verify.
can see there is another option described in manpage:
decompress
Decompress compressed archive before the pgp/gpg signature
verification.
So the correct answer is:
version=4
opts="pgpmode=mangle, \
pgpsigurlmangle=s%tar\..z$%tar\.sign%, \
decompress" \
https://www.kernel.org/pub/software/utils/dtc/ \
dtc-@ANY_VERSION@@ARCHIVE_EXT@ \
debian uupdate
Please also take care of the keyring by reading KEYRING FILE EXAMPLES.
Regards,
Osamu
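
The failure and the fix discussed in this message, as an added example that is not part of the original mail and is not uscan's code: a signature made over the uncompressed .tar does not verify against the .tar.xz bytes, and does verify once the download is decompressed first. HMAC-SHA256 with a constructed key stands in for the OpenPGP detached signature so the example runs without gpgv or a keyring; the function names and the sample tar bytes are assumptions, and only the xz case is covered.

```python
import hashlib
import hmac
import lzma
import re

# Constructed stand-in for the signer's key; a real check uses gpgv and a keyring.
KEY = b"constructed-demo-key"

def sign(data: bytes) -> bytes:
    """Stand-in for producing a detached signature over data."""
    return hmac.new(KEY, data, hashlib.sha256).digest()

def verify(data: bytes, sig: bytes) -> bool:
    """Stand-in for verifying a detached signature over data."""
    return hmac.compare_digest(sign(data), sig)

def mangle_sig_url(url: str) -> str:
    # Python form of the watch-file rule pgpsigurlmangle=s%tar\..z$%tar\.sign%
    # (the Perl replacement "tar\.sign" yields the literal text "tar.sign").
    return re.sub(r"tar\..z$", "tar.sign", url)

def check_download(archive: bytes, sig: bytes, decompress: bool) -> bool:
    """Verify sig over the archive as served, or over its decompressed
    content when decompress is set, as the watch-file option requests."""
    payload = lzma.decompress(archive) if decompress else archive
    return verify(payload, sig)

def demo() -> dict:
    tar_bytes = b"constructed tar payload\n" * 64  # stands in for the .tar
    tar_xz = lzma.compress(tar_bytes)              # what the site serves
    tar_sign = sign(tar_bytes)                     # upstream signed the .tar
    url = "https://www.kernel.org/pub/software/utils/dtc/dtc-1.4.6.tar.xz"
    return {
        "sig_url": mangle_sig_url(url),
        "verified_compressed": check_download(tar_xz, tar_sign, False),
        "verified_decompressed": check_download(tar_xz, tar_sign, True),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```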