Bug#812860: /usr/bin/uscan: [uscan] failure to download and verify package.tar.xz with package.sign

James McCoy jamessan at debian.org
Thu Jan 28 03:26:49 UTC 2016


Thanks for the report.  There are a few things going on here.

On Wed, Jan 27, 2016 at 11:36:52AM +0100, Uwe Kleine-König wrote:
> now running
> 
> 	uscan --debug
> 
> ends in

You omitted these important lines:

uscan: Newest version on remote site is 0.96, local version is 0.96
uscan:    => Package is up to date
uscan: Don't downloading upstream package: rt-tests-0.96.tar.xz

By default, uscan only downloads the upstream archive if it is *newer*
than your source package.  You need to use --force-download to download
even when the newest remote version matches the current version.

> 	uscan: Downloading OpenPGP signature from
> 	   http://www.kernel.org/pub/linux/utils/rt-tests/rt-tests-0.96.tar.sign (pgpsigurlmangled)
> 	   as rt-tests-0.96.tar.xz.pgp
> 	uscan info: Requesting URL:
> 	   http://www.kernel.org/pub/linux/utils/rt-tests/rt-tests-0.96.tar.sign
> 	uscan warn: FAIL Checking OpenPGP signature (no upstream tarball downloaded).
> 	uscan info: Scan finished
> 
> (Here I would have expected a more verbose output to explain the FAIL.)

However, we still downloaded the signature ... I think this might be
related to the request to be able to re-verify an existing archive,
which is the behavior you end up using later on.

> My expectation is that uscan downloads rt-tests-0.96.tar.xz and
> rt-tests-0.96.tar.sign, does something like:
> 
> 	xzcat rt-tests-0.96.tar.xz | gpg --verify rt-tests-0.96.tar.sign -
> 
> with the right keyring added to the mix and then links it to
> rt-tests_0.96.orig.tar.xz.

That's the behavior I'd expect as well.  The current behavior
decompresses the archive on disk and then passes that to gpg.

> When doing:
> 
> 	cd ..
> 	wget http://www.kernel.org/pub/linux/utils/rt-tests/rt-tests-0.96.tar.xz
> 	cd rt-tests
> 
> and starting uscan again I get:
> 
> [snip]
> 	uscan: Successfully downloaded package rt-tests-0.96.tar.xz
> 	Could not read ../rt-tests-0.96.tar.xz: No such file or directory at /usr/bin/mk-origtargz line 361.
> 	uscan: error: mk-origtargz --package rt-tests --version 0.96 --compression gzip --directory .. --copyright-file debian/copyright ../rt-tests-0.96.tar.xz gave error exit status 2
> 
> where the problem seems to be that uscan decompresses the archive but in
> the same go removes the tar.xz for mk-origtargz.

Actually, it keeps the tar.xz when it should be passing the filename as
rt-tests-0.96.tar, if the current verification behavior isn't changed.

> Is this just me using uscan in a wrong way, or is there something fishy
> with uscan? In the first case an example would be great.

There are some issues to work out from the major rework of uscan, but
hopefully some of the above helps.

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <jamessan at debian.org>
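
The streaming verification discussed in the message above, as an added example that is not part of the original message and is not uscan's code: it checks a detached signature made over the uncompressed tar without leaving a decompressed copy on disk. The function names, exit codes and keyring path are assumptions for illustration, and gpgv is used in place of the `gpg --verify` call quoted above so that only the given keyring is consulted.

```shell
#!/bin/sh
# Added example: verify a detached signature made over the *uncompressed* tar
# while streaming the decompressed bytes, so no .tar is left on disk.

# Map an archive name to the command that writes its uncompressed tar to stdout.
decompressor_for() {
    case "$1" in
        *.tar.xz)        echo "xz -dc" ;;
        *.tar.gz|*.tgz)  echo "gzip -dc" ;;
        *.tar.bz2)       echo "bzip2 -dc" ;;
        *.tar)           echo "cat" ;;
        *)               return 1 ;;
    esac
}

# verify_upstream ARCHIVE SIGNATURE KEYRING   (hypothetical helper)
# Returns 0 only when gpgv accepts the signature with a key from KEYRING.
# 2 = unknown archive type, 3 = archive missing, 4 = signature or keyring missing.
verify_upstream() {
    vu_archive=$1 vu_sig=$2 vu_keyring=$3
    vu_dec=$(decompressor_for "$vu_archive") || {
        echo "unsupported archive type: $vu_archive" >&2; return 2; }
    [ -r "$vu_archive" ] || {
        echo "no upstream tarball to verify: $vu_archive" >&2; return 3; }
    [ -r "$vu_sig" ] && [ -r "$vu_keyring" ] || {
        echo "missing signature or keyring" >&2; return 4; }
    # $vu_dec is split into command and options on purpose.
    # The pipeline's status is gpgv's: a failed or truncated decompression
    # yields data that does not match the signature, so verification fails.
    $vu_dec -- "$vu_archive" | gpgv --keyring "$vu_keyring" "$vu_sig" -
}

# Usage with the file names from the report (keyring path is an assumption;
# give gpgv a path containing a slash so it is not looked up in the GnuPG home):
#   verify_upstream ../rt-tests-0.96.tar.xz ../rt-tests-0.96.tar.sign ./upstream-keyring.gpg
```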


