Bug#812860: /usr/bin/uscan: [uscan] failure to download and verify package.tar.xz with package.sign

Uwe Kleine-König ukleinek at debian.org
Wed Jan 27 10:36:52 UTC 2016


Package: devscripts
Version: 2.15.10
Severity: normal
File: /usr/bin/uscan
Control: user adn+deb at diwi.org
Control: usertag -1 + uscan

Hello,

I started experimenting with uscan's pgp mechanism to verify the
signature of rt-tests. You can reproduce my tests using:

	debcheckout rt-tests
	cd rt-tests
	echo  > debian/watch 'version=4'
	echo >> debian/watch
	echo >> debian/watch 'opts="pgpsigurlmangle=s%.xz$%.sign%, decompress" \'
	echo >> debian/watch 'http://www.kernel.org/pub/linux/utils/rt-tests/rt-tests-(.*)\.tar\.xz'

now running

	uscan --debug

ends in

	uscan: Downloading OpenPGP signature from
	   http://www.kernel.org/pub/linux/utils/rt-tests/rt-tests-0.96.tar.sign (pgpsigurlmangled)
	   as rt-tests-0.96.tar.xz.pgp
	uscan info: Requesting URL:
	   http://www.kernel.org/pub/linux/utils/rt-tests/rt-tests-0.96.tar.sign
	uscan warn: FAIL Checking OpenPGP signature (no upstream tarball downloaded).
	uscan info: Scan finished

(Here I would have expected a more verbose output to explain the FAIL.)

My expectation is that uscan downloads rt-tests-0.96.tar.xz and
rt-tests-0.96.tar.sign, does something like:

	xzcat rt-tests-0.96.tar.xz | gpg --verify rt-tests-0.96.tar.sign -

with the right keyring added to the mix and then links it to
rt-tests_0.96.orig.tar.xz.

When doing:

	cd ..
	wget http://www.kernel.org/pub/linux/utils/rt-tests/rt-tests-0.96.tar.xz
	cd rt-tests

and starting uscan again I get:

	uscan: uscan (version 2.15.10) See uscan(1) for help
	uscan: Scan watch files in .
	uscan: ./debian/changelog sets package="rt-tests" version="0.96"
	uscan: Newest version on remote site is 0.96, local version is 0.96
	uscan:    => Package is up to date
	uscan: Don't download and use the existing file: rt-tests-0.96.tar.xz
	uscan: Downloading OpenPGP signature from
	   http://www.kernel.org/pub/linux/utils/rt-tests/rt-tests-0.96.tar.sign (pgpsigurlmangled)
	   as rt-tests-0.96.tar.pgp
	gpgv: Signature made Thu 22 Oct 2015 12:41:14 PM CEST using RSA key ID 639D2D16
	gpgv: Good signature from "John Kacur <jkacur at gmail.com>"
	gpgv:                 aka "John Kacur <jkacur at redhat.com>"
	uscan: Successfully downloaded package rt-tests-0.96.tar.xz
	Could not read ../rt-tests-0.96.tar.xz: No such file or directory at /usr/bin/mk-origtargz line 361.
	uscan: error: mk-origtargz --package rt-tests --version 0.96 --compression gzip --directory .. --copyright-file debian/copyright ../rt-tests-0.96.tar.xz gave error exit status 2

where the problem seems to be that uscan decompresses the archive but in
the same go removes the tar.xz for mk-origtargz.

Without decompress in the options the signature verification obviously
fails.

Is this just me using uscan in a wrong way, or is there something fishy
with uscan? In the first case an example would be great.

Best regards
Uwe

-- Package-specific info:

--- /etc/devscripts.conf ---

--- ~/.devscripts ---
BTS_CACHE=no
DEBCHANGE_RELEASE_HEURISTIC=changelog
DEBSIGN_KEYID=32669bd6

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (800, 'testing'), (600, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages devscripts depends on:
ii  dpkg-dev     1.18.4
ii  libc6        2.21-6
ii  perl         5.22.1-4
pn  python3:any  <none>

Versions of packages devscripts recommends:
ii  apt                         1.2
ii  at                          3.1.18-2
ii  curl                        7.46.0-1
ii  dctrl-tools                 2.24-1
ii  debian-keyring              2016.01.20
ii  dput-ng [dput]              1.10
ii  equivs                      2.0.9+nmu1
ii  fakeroot                    1.20.2-1
ii  file                        1:5.25-2
ii  gnupg                       1.4.20-1
ii  gnupg2                      2.0.28-3
ii  libdistro-info-perl         0.14
ii  libencode-locale-perl       1.05-1
ii  libjson-perl                2.90-1
ii  liblwp-protocol-https-perl  6.06-2
ii  libsoap-lite-perl           1.19-1
ii  liburi-perl                 1.71-1
ii  libwww-perl                 6.15-1
ii  lintian                     2.5.39.1
ii  man-db                      2.7.5-1
ii  patch                       2.7.5-1
ii  patchutils                  0.3.4-1
ii  python3-debian              0.1.27
ii  python3-magic               1:5.25-2
ii  sensible-utils              0.0.9
ii  strace                      4.10-3
ii  unzip                       6.0-20
ii  wdiff                       1.2.2-1+b1
ii  wget                        1.17.1-1
ii  xz-utils                    5.1.1alpha+20120614-2.1

Versions of packages devscripts suggests:
ii  build-essential              11.7
pn  cvs-buildpackage             <none>
pn  debbindiff                   <none>
pn  devscripts-el                <none>
pn  gnuplot                      <none>
ii  gpgv                         1.4.20-1
ii  libauthen-sasl-perl          2.1600-1
ii  libfile-desktopentry-perl    0.22-1
ii  libnet-smtp-ssl-perl         1.03-1
pn  libterm-size-perl            <none>
ii  libtimedate-perl             2.3000-2
pn  libyaml-syck-perl            <none>
pn  mozilla-devscripts           <none>
ii  mutt                         1.5.24-1
ii  openssh-client [ssh-client]  1:7.1p2-2
ii  s-nail [mailx]               14.8.6-1
pn  svn-buildpackage             <none>
pn  w3m                          <none>

-- no debconf information
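
The check the report expects, as an added example that is not part of the original report and not uscan's own code: the detached signature covers the uncompressed tar, so the data is streamed through xz into gpgv while the .tar.xz stays on disk for later steps. The function names, the demo-1.0 file names and the throwaway key are constructed for illustration; it assumes GnuPG 2.1 or later (gpg, gpgv) and xz are installed.

```shell
#!/bin/sh
# Added example (not uscan code): check a detached signature that covers the
# uncompressed tar while keeping the .tar.xz for later packaging steps.

# verify_uncompressed TARBALL_XZ SIGNATURE KEYRING
# KEYRING must be a path containing a slash, or gpgv looks in its home dir.
verify_uncompressed() {
    [ -f "$1" ] && [ -f "$2" ] && [ -f "$3" ] || return 2
    # Test the archive first: plain sh has no pipefail, so a decompression
    # error inside the pipeline below would otherwise go unnoticed.
    xz -t -- "$1" || return 3
    # Stream the tar to gpgv on stdin; the compressed file is left untouched.
    xz -dc -- "$1" | gpgv --keyring "$3" "$2" -
}

# make_fixture DIR: constructed throwaway key, tarball and signature.
make_fixture() {
    mkdir -p "$1/gnupg" "$1/src" && chmod 700 "$1/gnupg" || return 1
    echo 'constructed sample file' > "$1/src/README"
    tar -C "$1" -cf "$1/demo-1.0.tar" src || return 1
    GNUPGHOME="$1/gnupg" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        'Constructed Key <demo@example.invalid>' default default never &&
    GNUPGHOME="$1/gnupg" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --detach-sign --output "$1/demo-1.0.tar.sign" \
        "$1/demo-1.0.tar" &&
    GNUPGHOME="$1/gnupg" gpg --batch --export > "$1/keyring.gpg" &&
    xz -- "$1/demo-1.0.tar"   # leaves only demo-1.0.tar.xz, as upstream ships
}
```

Running gpgv directly on the .tar.xz with the same signature fails, which matches the report's remark that verification fails without decompress.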


