[dpkg] 140/200: dpkg-buildpackage: Add support for signed .buildinfo files
Ximin Luo
infinity0 at debian.org
Wed Apr 5 15:17:29 UTC 2017
This is an automated email from the git hooks/post-receive script.
infinity0 pushed a commit to branch master
in repository dpkg.
commit a82a935a837a7d4c55a5dbb7281dbce87f0eeeb6
Author: Guillem Jover <guillem at debian.org>
Date: Thu Jan 26 13:52:32 2017 +0100
dpkg-buildpackage: Add support for signed .buildinfo files
Add new options -ui and --unsigned-buildinfo.
Closes: #843925
---
debian/changelog | 2 ++
man/dpkg-buildpackage.man | 18 ++++++++++-----
scripts/dpkg-buildpackage.pl | 54 ++++++++++++++++++++++++++++++++-----------
scripts/t/dpkg_buildpackage.t | 1 +
4 files changed, 56 insertions(+), 19 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index cd673af..a605d7e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -38,6 +38,8 @@ dpkg (1.18.19) UNRELEASED; urgency=medium
* Fix parsing of Pre-Depends and Depends in dpkg-genbuildinfo, so that
the code parses both and not just the first to appear in the stanza.
Based on a patch by Johannes Schauer <josch at debian.org>.
+ * Add support for signed .buildinfo files to dpkg-buildpackage. Add new
+ -ui and --unsigned-buildinfo options. Closes: #843925
* Portability:
- On GNU/Hurd try to use the new process executable name attribute from
libps, to properly match on start-stop-daemon --exec.
diff --git a/man/dpkg-buildpackage.man b/man/dpkg-buildpackage.man
index 22c8803..45355bb 100644
--- a/man/dpkg-buildpackage.man
+++ b/man/dpkg-buildpackage.man
@@ -90,11 +90,12 @@ It runs the \fBcheck\fP hook and calls a package checker for the
\fB.changes\fP file (if a command is specified in \fBDEB_CHECK_COMMAND\fP or
with \fB\-\-check\-command\fP).
.IP \fB11.\fP 3
-It runs the \fBsign\fP hook and calls \fBgpg2\fP or \fBgpg\fP to sign
-the \fB.dsc\fP file (if any, unless \fB\-us\fP or \fB\-\-unsigned\-source\fP
-is specified or on UNRELEASED builds), and the \fB.changes\fP file
-(unless \fB\-uc\fP or \fB\-\-unsigned\-changes\fP is specified or on
-UNRELEASED builds).
+It runs the \fBsign\fP hook and calls \fBgpg2\fP or \fBgpg\fP (as long as it
+is not an UNRELEASED build) to sign the \fB.dsc\fP file (if any, unless
+\fB\-us\fP or \fB\-\-unsigned\-source\fP is specified), the \fB.buildinfo\fP
+file (unless \fB\-ui\fP or \fB\-\-unsigned\-buildinfo\fP is specified) and
+the \fB.changes\fP file (unless \fB\-uc\fP or \fB\-\-unsigned\-changes\fP
+is specified).
.IP \fB12.\fP 3
It runs the \fBdone\fP hook.
.
@@ -396,12 +397,17 @@ Specify a key-ID to use when signing packages (long option since dpkg 1.18.8).
.BR \-us ", " \-\-unsigned\-source
Do not sign the source package (long option since dpkg 1.18.8).
.TP
+.BR \-ui ", " \-\-unsigned\-buildinfo
+Do not sign the \fB.buildinfo\fP file (since dpkg 1.18.19).
+.TP
.BR \-uc ", " \-\-unsigned\-changes
Do not sign the \fB.changes\fP file (long option since dpkg 1.18.8).
.TP
.BR \-\-force\-sign
Force the signing of the resulting files (since dpkg 1.17.0), regardless of
-\fB\-us\fP, \fB\-\-unsigned\-source\fP, \fB\-uc\fP, \fB\-\-unsigned\-changes\fP
+\fB\-us\fP, \fB\-\-unsigned\-source\fP,
+\fB\-ui\fP, \fB\-\-unsigned\-buildinfo\fP,
+\fB\-uc\fP, \fB\-\-unsigned\-changes\fP
or other internal heuristics.
.TP
.BR \-sn
diff --git a/scripts/dpkg-buildpackage.pl b/scripts/dpkg-buildpackage.pl
index 114899b..86b00c5 100755
--- a/scripts/dpkg-buildpackage.pl
+++ b/scripts/dpkg-buildpackage.pl
@@ -103,6 +103,7 @@ sub usage {
-k, --sign-key=<keyid> the key to use for signing.
-ap, --sign-pause add pause before starting signature process.
-us, --unsigned-source unsigned source package.
+ -ui, --unsigned-buildinfo unsigned .buildinfo file.
-uc, --unsigned-changes unsigned .changes file.
--force-sign force signing the resulting files.
--admindir=<directory> change the administrative directory.
@@ -157,6 +158,7 @@ my $signkey = $ENV{DEB_SIGN_KEYID};
my $signforce = 0;
my $signreleased = 1;
my $signsource = 1;
+my $signbuildinfo = 1;
my $signchanges = 1;
my $buildtarget = 'build';
my $binarytarget = 'binary';
@@ -253,6 +255,8 @@ while (@ARGV) {
$signforce = 1;
} elsif (/^-us$/ or /^--unsigned-source$/) {
$signsource = 0;
+ } elsif (/^-ui$/ or /^--unsigned-buildinfo$/) {
+ $signbuildinfo = 0;
} elsif (/^-uc$/ or /^--unsigned-changes$/) {
$signchanges = 0;
} elsif (/^-ap$/ or /^--sign-pausa$/) {
@@ -466,13 +470,17 @@ my $pva = "${pkg}_${sversion}_$arch";
if (not $signcommand) {
$signsource = 0;
+ $signbuildinfo = 0;
$signchanges = 0;
} elsif ($signforce) {
$signsource = 1;
+ $signbuildinfo = 1;
$signchanges = 1;
-} elsif (($signsource or $signchanges) and $distribution eq 'UNRELEASED') {
+} elsif (($signsource or $signbuildinfo or $signchanges) and
+ $distribution eq 'UNRELEASED') {
$signreleased = 0;
$signsource = 0;
+ $signbuildinfo = 0;
$signchanges = 0;
}
@@ -600,35 +608,44 @@ if ($check_command) {
withecho($check_command, @check_opts, $chg);
}
-if ($signpause && ($signchanges || $signsource)) {
+if ($signpause && ($signsource || $signbuildinfo || $signchanges)) {
print g_("Press <enter> to start the signing process.\n");
getc();
}
-run_hook('sign', $signsource || $signchanges);
+run_hook('sign', $signsource || $signbuildinfo || $signchanges);
if ($signsource) {
if (signfile("$pv.dsc")) {
- error(g_('failed to sign .dsc and .changes file'));
+ error(g_('failed to sign %s file'), '.dsc');
}
- # Recompute the checksums as the .dsc has changed now.
+ # Recompute the checksums as the .dsc have changed now.
+ my $buildinfo = Dpkg::Control->new(type => CTRL_FILE_BUILDINFO);
+ $buildinfo->load("../$pva.buildinfo");
+ my $checksums = Dpkg::Checksums->new();
+ $checksums->add_from_control($buildinfo);
+ $checksums->add_from_file("../$pv.dsc", update => 1, key => "$pv.dsc");
+ $checksums->export_to_control($buildinfo);
+ $buildinfo->save("../$pva.buildinfo");
+}
+if ($signbuildinfo && signfile("$pva.buildinfo")) {
+ error(g_('failed to sign %s file'), '.buildinfo');
+}
+if ($signsource or $signbuildinfo) {
+ # Recompute the checksums as the .dsc and/or .buildinfo have changed.
my $checksums = Dpkg::Checksums->new();
$checksums->add_from_control($changes);
$checksums->add_from_file("../$pv.dsc", update => 1, key => "$pv.dsc");
+ $checksums->add_from_file("../$pva.buildinfo", update => 1, key => "$pva.buildinfo");
$checksums->export_to_control($changes);
delete $changes->{'Checksums-Md5'};
-
- my $md5sum_regex = checksums_get_property('md5', 'regex');
- my $dsc_md5sum = $checksums->get_checksum("$pv.dsc", 'md5');
- my $dsc_size = $checksums->get_size("$pv.dsc");
- my $dsc_files_regex = qr/$md5sum_regex\s+\d+\s+(\S+\s+\S+\s+\Q$pv\E\.dsc)/;
- $changes->{'Files'} =~ s/^$dsc_files_regex$/$dsc_md5sum $dsc_size $1/m;
-
+ update_files_field($changes, $checksums, "$pv.dsc");
+ update_files_field($changes, $checksums, "$pva.buildinfo");
$changes->save($chg);
}
if ($signchanges && signfile("$pva.changes")) {
- error(g_('failed to sign .changes file'));
+ error(g_('failed to sign %s file'), '.changes');
}
if (not $signreleased) {
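Review bot: The new `if ($signsource or $signbuildinfo)` block still calls `add_from_file("../$pv.dsc", ...)` and `update_files_field($changes, $checksums, "$pv.dsc")` unconditionally, although it now also runs when only the .buildinfo is being signed; on a binary-only build where no .dsc was produced, the missing file will presumably make Dpkg::Checksums fail and abort after the signing has already started. The original reached these two lines only inside the `$signsource` branch, so the cheapest fix is to restore that guard on both, `$checksums->add_from_file("../$pv.dsc", update => 1, key => "$pv.dsc") if $signsource;` and `update_files_field($changes, $checksums, "$pv.dsc") if $signsource;`. Separately, the rewritten comment `# Recompute the checksums as the .dsc have changed now.` still refers to a single file and should read `has changed`; the "and/or .buildinfo have changed" wording belongs only to the combined block below it. The `if (not $signreleased)` block at the end continues outside the hunk.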
@@ -686,6 +703,17 @@ sub run_hook {
withecho($cmd);
}
+sub update_files_field {
+ my ($ctrl, $checksums, $filename) = @_;
+
+ my $md5sum_regex = checksums_get_property('md5', 'regex');
+ my $md5sum = $checksums->get_checksum($filename, 'md5');
+ my $size = $checksums->get_size($filename);
+ my $file_regex = qr/$md5sum_regex\s+\d+\s+(\S+\s+\S+\s+\Q$filename\E)/;
+
+ $ctrl->{'Files'} =~ s/^$file_regex$/$md5sum $size $1/m;
+}
+
sub signfile {
my $file = shift;
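Review bot: `update_files_field` silently does nothing when `$filename` is absent from the `Files` field, and it ends on a bare `s///` with no explicit `return`, so callers cannot tell whether the .changes entry was actually refreshed and may save a Files line whose md5sum and size no longer match the freshly signed .dsc or .buildinfo. Capturing and returning the substitution count, `my $replaced = $ctrl->{'Files'} =~ s/^$file_regex$/$md5sum $size $1/m;` followed by `return $replaced;`, would let the two call sites in the signing block detect a missed update. The sub also lacks a header comment; something like `# Rewrite the md5sum and size recorded for $filename in the Files field of $ctrl, matching the filename literally via \Q...\E.` would state the contract. `signfile` starts at the end of the hunk and its body continues outside it.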
diff --git a/scripts/t/dpkg_buildpackage.t b/scripts/t/dpkg_buildpackage.t
index f2b71c2..5c3a540 100644
--- a/scripts/t/dpkg_buildpackage.t
+++ b/scripts/t/dpkg_buildpackage.t
@@ -186,6 +186,7 @@ sub test_build
chdir $dirname;
spawn(exec => [ "$srcdir/dpkg-buildpackage.pl", '--host-arch=amd64',
'--unsigned-source', '--unsigned-changes',
+ '--unsigned-buildinfo',
"--build=$typename", '--check-command=' ],
error_to_string => \$stderr,
wait_child => 1, nocheck => 1);
--