[dpkg] 140/200: dpkg-buildpackage: Add support for signed .buildinfo files

Ximin Luo infinity0 at debian.org
Wed Apr 5 15:17:29 UTC 2017



infinity0 pushed a commit to branch master
in repository dpkg.

commit a82a935a837a7d4c55a5dbb7281dbce87f0eeeb6
Author: Guillem Jover <guillem at debian.org>
Date:   Thu Jan 26 13:52:32 2017 +0100

    dpkg-buildpackage: Add support for signed .buildinfo files
    
    Add new options -ui and --unsigned-buildinfo.
    
    Closes: #843925
---
 debian/changelog              |  2 ++
 man/dpkg-buildpackage.man     | 18 ++++++++++-----
 scripts/dpkg-buildpackage.pl  | 54 ++++++++++++++++++++++++++++++++-----------
 scripts/t/dpkg_buildpackage.t |  1 +
 4 files changed, 56 insertions(+), 19 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index cd673af..a605d7e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -38,6 +38,8 @@ dpkg (1.18.19) UNRELEASED; urgency=medium
   * Fix parsing of Pre-Depends and Depends in dpkg-genbuildinfo, so that
     the code parses both and not just the first to appear in the stanza.
     Based on a patch by Johannes Schauer <josch at debian.org>.
+  * Add support for signed .buildinfo files to dpkg-buildpackage. Add new
+    -ui and --unsigned-buildinfo options. Closes: #843925
   * Portability:
     - On GNU/Hurd try to use the new process executable name attribute from
       libps, to properly match on start-stop-daemon --exec.
diff --git a/man/dpkg-buildpackage.man b/man/dpkg-buildpackage.man
index 22c8803..45355bb 100644
--- a/man/dpkg-buildpackage.man
+++ b/man/dpkg-buildpackage.man
@@ -90,11 +90,12 @@ It runs the \fBcheck\fP hook and calls a package checker for the
 \fB.changes\fP file (if a command is specified in \fBDEB_CHECK_COMMAND\fP or
 with \fB\-\-check\-command\fP).
 .IP \fB11.\fP 3
-It runs the \fBsign\fP hook and calls \fBgpg2\fP or \fBgpg\fP to sign
-the \fB.dsc\fP file (if any, unless \fB\-us\fP or \fB\-\-unsigned\-source\fP
-is specified or on UNRELEASED builds), and the \fB.changes\fP file
-(unless \fB\-uc\fP or \fB\-\-unsigned\-changes\fP is specified or on
-UNRELEASED builds).
+It runs the \fBsign\fP hook and calls \fBgpg2\fP or \fBgpg\fP (as long as it
+is not an UNRELEASED build) to sign the \fB.dsc\fP file (if any, unless
+\fB\-us\fP or \fB\-\-unsigned\-source\fP is specified), the \fB.buildinfo\fP
+file (unless \fB\-ui\fP or \fB\-\-unsigned\-buildinfo\fP is specified) and
+the \fB.changes\fP file (unless \fB\-uc\fP or \fB\-\-unsigned\-changes\fP
+is specified).
 .IP \fB12.\fP 3
 It runs the \fBdone\fP hook.
 .
@@ -396,12 +397,17 @@ Specify a key-ID to use when signing packages (long option since dpkg 1.18.8).
 .BR \-us ", " \-\-unsigned\-source
 Do not sign the source package (long option since dpkg 1.18.8).
 .TP
+.BR \-ui ", " \-\-unsigned\-buildinfo
+Do not sign the \fB.buildinfo\fP file (since dpkg 1.18.19).
+.TP
 .BR \-uc ", " \-\-unsigned\-changes
 Do not sign the \fB.changes\fP file (long option since dpkg 1.18.8).
 .TP
 .BR \-\-force\-sign
 Force the signing of the resulting files (since dpkg 1.17.0), regardless of
-\fB\-us\fP, \fB\-\-unsigned\-source\fP, \fB\-uc\fP, \fB\-\-unsigned\-changes\fP
+\fB\-us\fP, \fB\-\-unsigned\-source\fP,
+\fB\-ui\fP, \fB\-\-unsigned\-buildinfo\fP,
+\fB\-uc\fP, \fB\-\-unsigned\-changes\fP
 or other internal heuristics.
 .TP
 .BR \-sn
diff --git a/scripts/dpkg-buildpackage.pl b/scripts/dpkg-buildpackage.pl
index 114899b..86b00c5 100755
--- a/scripts/dpkg-buildpackage.pl
+++ b/scripts/dpkg-buildpackage.pl
@@ -103,6 +103,7 @@ sub usage {
   -k, --sign-key=<keyid>      the key to use for signing.
   -ap, --sign-pause           add pause before starting signature process.
   -us, --unsigned-source      unsigned source package.
+  -ui, --unsigned-buildinfo   unsigned .buildinfo file.
   -uc, --unsigned-changes     unsigned .changes file.
       --force-sign            force signing the resulting files.
       --admindir=<directory>  change the administrative directory.
@@ -157,6 +158,7 @@ my $signkey = $ENV{DEB_SIGN_KEYID};
 my $signforce = 0;
 my $signreleased = 1;
 my $signsource = 1;
+my $signbuildinfo = 1;
 my $signchanges = 1;
 my $buildtarget = 'build';
 my $binarytarget = 'binary';
@@ -253,6 +255,8 @@ while (@ARGV) {
 	$signforce = 1;
     } elsif (/^-us$/ or /^--unsigned-source$/) {
 	$signsource = 0;
+    } elsif (/^-ui$/ or /^--unsigned-buildinfo$/) {
+	$signbuildinfo = 0;
     } elsif (/^-uc$/ or /^--unsigned-changes$/) {
 	$signchanges = 0;
     } elsif (/^-ap$/ or /^--sign-pausa$/) {
@@ -466,13 +470,17 @@ my $pva = "${pkg}_${sversion}_$arch";
 
 if (not $signcommand) {
     $signsource = 0;
+    $signbuildinfo = 0;
     $signchanges = 0;
 } elsif ($signforce) {
     $signsource = 1;
+    $signbuildinfo = 1;
     $signchanges = 1;
-} elsif (($signsource or $signchanges) and $distribution eq 'UNRELEASED') {
+} elsif (($signsource or $signbuildinfo or $signchanges) and
+         $distribution eq 'UNRELEASED') {
     $signreleased = 0;
     $signsource = 0;
+    $signbuildinfo = 0;
     $signchanges = 0;
 }
 
@@ -600,35 +608,44 @@ if ($check_command) {
     withecho($check_command, @check_opts, $chg);
 }
 
-if ($signpause && ($signchanges || $signsource)) {
+if ($signpause && ($signsource || $signbuildinfo || $signchanges)) {
     print g_("Press <enter> to start the signing process.\n");
     getc();
 }
 
-run_hook('sign', $signsource || $signchanges);
+run_hook('sign', $signsource || $signbuildinfo || $signchanges);
 
 if ($signsource) {
     if (signfile("$pv.dsc")) {
-        error(g_('failed to sign .dsc and .changes file'));
+        error(g_('failed to sign %s file'), '.dsc');
     }
 
-    # Recompute the checksums as the .dsc has changed now.
+    # Recompute the checksums as the .dsc have changed now.
+    my $buildinfo = Dpkg::Control->new(type => CTRL_FILE_BUILDINFO);
+    $buildinfo->load("../$pva.buildinfo");
+    my $checksums = Dpkg::Checksums->new();
+    $checksums->add_from_control($buildinfo);
+    $checksums->add_from_file("../$pv.dsc", update => 1, key => "$pv.dsc");
+    $checksums->export_to_control($buildinfo);
+    $buildinfo->save("../$pva.buildinfo");
+}
+if ($signbuildinfo && signfile("$pva.buildinfo")) {
+    error(g_('failed to sign %s file'), '.buildinfo');
+}
+if ($signsource or $signbuildinfo) {
+    # Recompute the checksums as the .dsc and/or .buildinfo have changed.
     my $checksums = Dpkg::Checksums->new();
     $checksums->add_from_control($changes);
     $checksums->add_from_file("../$pv.dsc", update => 1, key => "$pv.dsc");
+    $checksums->add_from_file("../$pva.buildinfo", update => 1, key => "$pva.buildinfo");
     $checksums->export_to_control($changes);
     delete $changes->{'Checksums-Md5'};
-
-    my $md5sum_regex = checksums_get_property('md5', 'regex');
-    my $dsc_md5sum = $checksums->get_checksum("$pv.dsc", 'md5');
-    my $dsc_size = $checksums->get_size("$pv.dsc");
-    my $dsc_files_regex = qr/$md5sum_regex\s+\d+\s+(\S+\s+\S+\s+\Q$pv\E\.dsc)/;
-    $changes->{'Files'} =~ s/^$dsc_files_regex$/$dsc_md5sum $dsc_size $1/m;
-
+    update_files_field($changes, $checksums, "$pv.dsc");
+    update_files_field($changes, $checksums, "$pva.buildinfo");
     $changes->save($chg);
 }
 if ($signchanges && signfile("$pva.changes")) {
-    error(g_('failed to sign .changes file'));
+    error(g_('failed to sign %s file'), '.changes');
 }
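Review bot: The comment on the first recompute block now reads `# Recompute the checksums as the .dsc have changed now.` (a `has` → `have` regression from the line it replaces), and neither comment says why the .buildinfo is loaded, updated and saved before the `signfile("$pva.buildinfo")` call rather than after it. That ordering is load-bearing: `export_to_control($buildinfo)` refreshes the Checksums-* fields that the signature then covers, so moving the save below the signing call would yield a signed .buildinfo whose digests no longer match the signed .dsc. I would restore `# Recompute the checksums as the .dsc has changed now.` and put `# Must come after the .buildinfo's .dsc checksums were refreshed above: the signature covers those fields.` on the line before the .buildinfo signing check. Whether `$buildinfo->load` fails loudly when `../$pva.buildinfo` is absent is not visible here — presumably Dpkg::Control dies on a missing or unparsable file, but that is worth confirming for any build type that produces no .buildinfo. The enclosing top-level statement run continues past the hunk.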
 
 if (not $signreleased) {
@@ -686,6 +703,17 @@ sub run_hook {
     withecho($cmd);
 }
 
+sub update_files_field {
+    my ($ctrl, $checksums, $filename) = @_;
+
+    my $md5sum_regex = checksums_get_property('md5', 'regex');
+    my $md5sum = $checksums->get_checksum($filename, 'md5');
+    my $size = $checksums->get_size($filename);
+    my $file_regex = qr/$md5sum_regex\s+\d+\s+(\S+\s+\S+\s+\Q$filename\E)/;
+
+    $ctrl->{'Files'} =~ s/^$file_regex$/$md5sum $size $1/m;
+}
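Review bot: `update_files_field` silently does nothing when the `Files` field has no entry for `$filename`, because the match count returned by the final `s///m` is never checked; in that case the Checksums-* fields exported just before the call carry the post-signature digests while `Files` keeps the pre-signature md5sum and size, and the mismatch only surfaces when the upload is verified downstream. I would make the miss fatal, using the `error` helper the script already calls: `$ctrl->{'Files'} =~ s/^$file_regex$/$md5sum $size $1/m or error(g_('no entry for %s in the Files field'), $filename);`. A one-line purpose comment would also help, e.g. `# Rewrite the md5sum and size columns of the Files entry for $filename after the file was re-signed; the other columns and the name are kept via $1.` — the column layout is only implied by the regex. `$md5sum` and `$size` are presumably undef when `$checksums` has no record for the file; whether `get_checksum` errors there is not visible in this hunk.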
+
 sub signfile {
     my $file = shift;
 
diff --git a/scripts/t/dpkg_buildpackage.t b/scripts/t/dpkg_buildpackage.t
index f2b71c2..5c3a540 100644
--- a/scripts/t/dpkg_buildpackage.t
+++ b/scripts/t/dpkg_buildpackage.t
@@ -186,6 +186,7 @@ sub test_build
     chdir $dirname;
     spawn(exec => [ "$srcdir/dpkg-buildpackage.pl", '--host-arch=amd64',
                     '--unsigned-source', '--unsigned-changes',
+                    '--unsigned-buildinfo',
                     "--build=$typename", '--check-command=' ],
           error_to_string => \$stderr,
           wait_child => 1, nocheck => 1);
