[dput-ng-maint] Bug#880462: [PATCH] gpg: run debsign on unsigned changes files
Michael Stapelberg
stapelberg at debian.org
Tue Oct 31 20:27:21 UTC 2017
Package: dput-ng
Version: 1.15
Severity: wishlist
Tags: patch
Instead of complaining about a missing signature, let’s pro-actively create one,
just like dpkg-buildpackage.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel, mipsel, arm64
Kernel: Linux 4.13.0-1-amd64 (SMP w/12 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages dput-ng depends on:
ii python 2.7.13-2
ii python-dput 1.15
Versions of packages dput-ng recommends:
ii bash-completion 1:2.1-4.3
ii python-paramiko 2.0.0-1
dput-ng suggests no packages.
-- no debconf information
-------------- next part --------------
>From 711c5416497218acf43bd43ea4b8d45b998eb5f2 Mon Sep 17 00:00:00 2001
From: Michael Stapelberg <stapelberg at debian.org>
Date: Tue, 31 Oct 2017 21:19:33 +0100
Subject: [PATCH 2/2] gpg: run debsign on unsigned changes files
---
dput/changes.py | 10 +++++-----
dput/exceptions.py | 5 ++++-
dput/hooks/gpg.py | 53 +++++++++++++++++++++++++++++++++--------------------
3 files changed, 42 insertions(+), 26 deletions(-)
diff --git a/dput/changes.py b/dput/changes.py
index a79315d..e2b1491 100644
--- a/dput/changes.py
+++ b/dput/changes.py
@@ -256,7 +256,6 @@ class Changes(object):
# contains verbose human readable GPG information
if self.is_python3:
gpg_output_stderr = str(gpg_output_stderr, encoding='utf8')
- print(gpg_output_stderr)
if self.is_python3:
gpg_output = gpg_output.decode(encoding='UTF-8')
@@ -264,14 +263,15 @@ class Changes(object):
if gpg_output.count('[GNUPG:] GOODSIG'):
pass
elif gpg_output.count('[GNUPG:] BADSIG'):
- raise ChangesFileException("Bad signature")
+ raise ChangesFileException("Bad signature", gpg_output_stderr)
elif gpg_output.count('[GNUPG:] ERRSIG'):
- raise ChangesFileException("Error verifying signature")
+ raise ChangesFileException("Error verifying signature",
+ gpg_output_stderr)
elif gpg_output.count('[GNUPG:] NODATA'):
- raise ChangesFileException("No signature on")
+ raise ChangesFileException("No signature on", gpg_output_stderr)
else:
raise ChangesFileException(
- "Unknown problem while verifying signature"
+ "Unknown problem while verifying signature", gpg_output_stderr
)
key = None
diff --git a/dput/exceptions.py b/dput/exceptions.py
index 1817b7a..44d7651 100644
--- a/dput/exceptions.py
+++ b/dput/exceptions.py
@@ -64,7 +64,10 @@ class ChangesFileException(DputError):
Thrown when there's an error processing / verifying a .changes file
(most often via the :class:`dput.changes.Changes` object)
"""
- pass
+
+ def __init__(self, message, gpg_stderr=None):
+ super(ChangesFileException, self).__init__(message)
+ self.gpg_stderr = gpg_stderr
class DscFileException(DputError):
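Review bot: The new `gpg_stderr` attribute in `ChangesFileException.__init__` is not mentioned in the class docstring, and `str(e)` still returns only `message`. Since the same patch removes `print(gpg_output_stderr)` from dput/changes.py, any caller that just logs the exception no longer shows gpg's diagnostics; whether such callers exist is not visible in this diff. I would add a docstring line such as `gpg_stderr: human-readable gpg stderr output, or None when not available` and state that callers are responsible for displaying it.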
diff --git a/dput/hooks/gpg.py b/dput/hooks/gpg.py
index 71fddc5..7e277f6 100644
--- a/dput/hooks/gpg.py
+++ b/dput/hooks/gpg.py
@@ -18,6 +18,10 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.
+import os
+import subprocess
+
+import dput.changes
from dput.core import logger
from dput.exceptions import (ChangesFileException, HookException)
@@ -65,25 +69,34 @@ def check_gpg_signature(changes, profile, interface):
try:
key = changes.validate_signature()
- if 'allowed_keys' in gpg:
- allowed_keys = gpg['allowed_keys']
-
- found = False
- for k in allowed_keys:
- if k == key[-len(k):]:
- logger.info("Key %s is trusted to upload to this host." % (
- k
- ))
- found = True
-
- if not found:
- raise GPGCheckerError("Key %s is not in %s" % (
- key,
- allowed_keys
+ except ChangesFileException as e:
+ # Sign unsigned files using debsign:
+ changes_file = changes.get_changes_file()
+ if subprocess.call(['debsign', changes_file]) == 0:
+ changes = dput.changes.parse_changes_file(
+ changes_file,
+ os.path.dirname(changes_file)
+ )
+ try:
+ key = changes.validate_signature()
+ except ChangesFileException as e:
+ if e.gpg_stderr:
+ print e.gpg_stderr
+ raise e
+
+ if 'allowed_keys' in gpg:
+ allowed_keys = gpg['allowed_keys']
+
+ found = False
+ for k in allowed_keys:
+ if k == key[-len(k):]:
+ logger.info("Key %s is trusted to upload to this host." % (
+ k
))
+ found = True
- except ChangesFileException as e:
- raise GPGCheckerError(
- "No valid signature on %s: %s" % (changes.get_filename(),
- e)
- )
+ if not found:
+ raise GPGCheckerError("Key %s is not in %s" % (
+ key,
+ allowed_keys
+ ))
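Review bot: The new `except ChangesFileException` branch runs `debsign` for every verification failure, so a file whose existing signature is reported as BADSIG or ERRSIG is re-signed with the uploader's key just like an unsigned one; signing should be limited to the NODATA case and the other failures should stay fatal. The second failure is re-raised as `ChangesFileException`, whereas the removed code wrapped it in `GPGCheckerError`, and `print e.gpg_stderr` is a Python 2 statement although dput/changes.py carries `is_python3` branches. The sketch below matches on the message text only because the exception has no status field as far as this diff shows, and it assumes `str(e)` yields the message; a dedicated attribute would be sturdier. check_gpg_signature starts above the hunk.

```python
    try:
        key = changes.validate_signature()
    except ChangesFileException as e:
        # Only an unsigned file is signed here; BADSIG/ERRSIG stay fatal.
        if "No signature" not in str(e):
            raise GPGCheckerError(
                "No valid signature on %s: %s" % (changes.get_filename(), e))
        changes_file = changes.get_changes_file()
        if subprocess.call(['debsign', changes_file]) != 0:
            raise GPGCheckerError("debsign failed on %s" % changes_file)
        # … unchanged: re-parse the signed changes file …
        try:
            key = changes.validate_signature()
        except ChangesFileException as e:
            if e.gpg_stderr:
                print(e.gpg_stderr)
            raise GPGCheckerError(
                "No valid signature on %s: %s" % (changes.get_filename(), e))
    # … unchanged: allowed_keys check …
```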
--
2.14.2