[devscripts] 02/04: uscan: Move keyring location for signature verification under debian/upstream/

James McCoy jamessan at debian.org
Tue Jan 21 05:00:39 UTC 2014


This is an automated email from the git hooks/post-receive script.

jamessan pushed a commit to branch master
in repository devscripts.

commit 120b9f2efe59c7e20da143a989aa3f3a316274fd
Author: James McCoy <jamessan at debian.org>
Date:   Mon Jan 20 22:39:08 2014 -0500

    uscan: Move keyring location for signature verification under debian/upstream/
    
    Signed-off-by: James McCoy <jamessan at debian.org>
---
 debian/NEWS      | 8 ++++++++
 debian/changelog | 3 ++-
 scripts/uscan.1  | 2 +-
 scripts/uscan.pl | 9 ++++++---
 4 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/debian/NEWS b/debian/NEWS
index d70c594..7191484 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,11 @@
+devscripts (2.14.0) unstable; urgency=low
+
+  uscan now looks for upstream's keyring as debian/upstream/signing-key.pgp.
+  The previously used location, debian/upstream-signing-key.pgp, will be
+  checked as a last resort for a transition period.
+
+ -- James McCoy <jamessan at debian.org>  Mon, 20 Jan 2014 22:21:16 -0500
+
 devscripts (2.11.9) unstable; urgency=low
 
   The default for mk-build-deps --tool option/MKBUILDDEPS_TOOL configuration
diff --git a/debian/changelog b/debian/changelog
index 4746081..5ee98a7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-devscripts (2.14.1) UNRELEASED; urgency=low
+devscripts (2.14.0) UNRELEASED; urgency=low
 
   [ Jakub Wilk ]
   * Add sadt, a simple implementation of DEP-8 test runner (closes: #712095).
@@ -19,6 +19,7 @@ devscripts (2.14.1) UNRELEASED; urgency=low
       (Closes: #728182)
     + Support escaped characters in the Files-Excluded patterns.  Thanks to
       Csillag Tamas and Russ Albery for the patch.  (Closes: #733111)
+    + Move keyring location for signature verification under debian/upstream/.
 
  -- Jakub Wilk <jwilk at debian.org>  Fri, 27 Dec 2013 18:39:11 +0100
 
diff --git a/scripts/uscan.1 b/scripts/uscan.1
index d0ce0f9..dac5928 100644
--- a/scripts/uscan.1
+++ b/scripts/uscan.1
@@ -292,7 +292,7 @@ If present, the supplied rules will be applied to the downloaded URL
 that will be used to fetch the detached OpenPGP signature file for the
 upstream tarball.  Some common rules might be `\fBs/$/.asc/\fR' or
 `\fBs/$/.pgp/\fR' or `\fBs/$/.gpg/\fR'.  This signature must be made
-by a key found in the keyring \fBdebian/upstream-signing-key.pgp\fR.
+by a key found in the keyring \fBdebian/upstream/signing-key.pgp\fR.
 If it is not valid, or not made by one of the listed keys, uscan will
 report an error.
 .SH "Directory name checking"
diff --git a/scripts/uscan.pl b/scripts/uscan.pl
index 787f69e..70a735d 100755
--- a/scripts/uscan.pl
+++ b/scripts/uscan.pl
@@ -30,6 +30,7 @@ use Dpkg::IPC;
 use File::Basename;
 use File::Copy;
 use File::Temp qw/tempfile tempdir/;
+use List::Util qw/first/;
 use filetest 'access';
 use Getopt::Long qw(:config gnu_getopt);
 use lib '/usr/share/devscripts';
@@ -702,6 +703,7 @@ sub process_watchline ($$$$$$)
     my $style='new';
     my $urlbase;
     my $headers = HTTP::Headers->new;
+    my $keyring;
 
     # Comma-separated list of features that sites being queried might
     # want to be aware of
@@ -813,8 +815,9 @@ sub process_watchline ($$$$$$)
 
 	# Check validity of options
 	if (exists $options{'pgpsigurlmangle'}) {
-	    if (not (-r 'debian/upstream-signing-key.pgp')) {
-		uscan_warn "$progname warning: pgpsigurlmangle option exists, but debian/upstream-signing-key.pgp does not exist\n  in $watchfile, skipping:\n  $line\n";
+	    $keyring = first { -r $_ } qw(debian/upstream/signing-key.pgp debian/upstream-signing-key.pgp);
+	    if (!defined $keyring) {
+		uscan_warn "$progname warning: pgpsigurlmangle option exists, but the upstream keyring does not exist\n  in $watchfile, skipping:\n  $line\n";
 		return 1;
 	    } elsif (! $havegpgv) {
 		uscan_warn "$progname warning: pgpsigurlmangle option exists, but you must have gpgv installed to verify\n  in $watchfile, skipping:\n  $line\n";
@@ -1407,7 +1410,7 @@ EOF
 
 	print "-- Verifying OpenPGP signature $newfile_base.pgp for $newfile_base\n" if $verbose;
 	system('/usr/bin/gpgv', '--homedir', '/dev/null',
-	       '--keyring', 'debian/upstream-signing-key.pgp',
+	       '--keyring', $keyring,
 	       "$destdir/$newfile_base.pgp", "$destdir/$newfile_base") >> 8 == 0
 		 or uscan_die("$progname warning: OpenPGP signature did not verify.\n");
     }
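Review bot: The verification result is tested as `system(...) >> 8 == 0`, which throws away the low bits of the wait status, so a gpgv that dies from a signal yields 0 after the shift and is accepted as a good signature. Comparing the whole status fails closed instead, i.e. end the call with `"$destdir/$newfile_base") == 0`. That line predates this commit, but it is the check the new `$keyring` argument feeds. `$keyring` is only assigned inside the pgpsigurlmangle branch, and whether this call is always guarded by that option lies outside the hunk, so a `defined $keyring` check before invoking gpgv is worth confirming.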

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git


