Bug#888046: devscripts: Support signatures against uncompressed tarballs

Osamu Aoki osamu at debian.org
Wed Jan 24 14:44:50 UTC 2018


Hi,

I know I wrote code to check the signature after decompression.

On Tue, Jan 23, 2018 at 10:46:55AM -0800, Vagrant Cascadian wrote:
> On 2018-01-23, Osamu Aoki wrote:
> > I am in a good mood to do my user support duty :-)  So let me show.
...
> > The obvious way is to read the manpage of uscan. ... many ways but
> > something along
> 
> I've read the uscan manpage quite a number of times, but even after
> using uscan for well over a decade and reading the manpage many times
> over the years, nothing really comes across as obvious. So there's a
> difference between reading the fine manual and comprehending
> it.

Please note the manpage had a major rewrite for the recent upload.  The old
one certainly doesn't have such.  Also, signature checking is a fairly new
feature.
 
> Fortunately, It's one of those things I get working once for a package
> and infrequently need to update it, so that's good.

Same here.  I got sick of reading the very difficult manpage.  So I rewrote
it.
 
> And yet...
> 
> > version=4
> > opts="pgpmode=mangle, pgpsigurlmangle=s%tar\..z$%tar\.sign%" \
> > https://www.kernel.org/pub/software/utils/dtc/ \
> >   @PACKAGE@@ANY_VERSION@@ARCHIVE_EXT@ \
> >   debian uupdate
> 
> Thanks for the suggestion...

Of course, I don't remember everything I did to uscan.  So if it fails,
RTFM I wrote when I remembered how I implemented it :-).

> with debian/watch:
> 
>   version=4
>   opts="pgpmode=mangle, pgpsigurlmangle=s%tar\..z$%tar\.sign%" \
>   https://www.kernel.org/pub/software/utils/dtc/ \
>     dtc-@ANY_VERSION@@ARCHIVE_EXT@ \
>     debian uupdate
> 
> Using @PACKAGE@ didn't work because of upstream is named differently
> (device-tree-compiler vs. dtc).
> 
> But even with that fixed/worked around:
> 
>   uscan: Newest version of device-tree-compiler on remote site is 1.4.6,
>   local version is 1.4.5
>   uscan:    => Newer package available from
>         https://www.kernel.org/pub/software/utils/dtc/dtc-1.4.6.tar.xz
>   gpgv: Signature made Tue Jan  2 22:12:20 2018 PST
>   gpgv:                using RSA key
>   75F46586AE61A66CC44E87DC6C38CACA20D9B392
>   gpgv: BAD signature from "David Gibson <david@gibson.dropbear.id.au>"
>   uscan die: OpenPGP signature did not verify.

You can see there is another option described in the manpage:

decompress
    Decompress compressed archive before the pgp/gpg signature
    verification.

So the correct answer is:

version=4
opts="pgpmode=mangle, \
pgpsigurlmangle=s%tar\..z$%tar\.sign%, \
decompress" \
https://www.kernel.org/pub/software/utils/dtc/ \
     dtc-@ANY_VERSION@@ARCHIVE_EXT@ \
     debian uupdate

Please also take care of the keyring by reading KEYRING FILE EXAMPLES.

Regards,

Osamu
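As an added illustration (not uscan's own code and not part of this message): a small Python re-implementation of the two pieces of that watch file that matter here, the `pgpsigurlmangle` substitution that derives the `.tar.sign` URL from the tarball URL, and the `decompress` switch that makes the uncompressed tarball, not the `.xz` file, the data the detached signature is checked against. The sample archive is constructed inline, and `parse_opts`, `apply_sed_rule`, `signature_url` and `bytes_to_verify` are names chosen for this example.

```python
import bz2
import gzip
import lzma
import re

def parse_opts(opts: str) -> dict:
    """Split a version=4 opts="..." string into {name: value}; bare flags such as decompress map to True."""
    parsed = {}
    for item in opts.split(","):  # simplification: a mangle rule containing a comma is not handled
        name, _, value = item.strip().partition("=")
        if name:
            parsed[name] = value or True
    return parsed

def apply_sed_rule(rule: str, text: str) -> str:
    """Apply one Perl/sed-style 's<delim>pattern<delim>replacement<delim>[flags]' rule (no backreferences)."""
    if len(rule) < 4 or rule[0] != "s":
        raise ValueError("unsupported mangle rule: %r" % rule)
    parts = rule[2:].split(rule[1])  # the delimiter is whatever follows the 's', here '%'
    if len(parts) < 3:
        raise ValueError("malformed substitution: %r" % rule)
    pattern, replacement, flags = parts[0], parts[1], parts[2]
    # Perl reads 'tar\.sign' as the literal text 'tar.sign': drop backslashes before punctuation.
    literal = re.sub(r"\\([^0-9A-Za-z])", r"\1", replacement)
    return re.sub(pattern, lambda _m: literal, text,
                  count=0 if "g" in flags else 1,
                  flags=re.IGNORECASE if "i" in flags else 0)

def signature_url(tarball_url: str, opts: dict) -> str:
    """Derive the detached-signature URL the way pgpmode=mangle does."""
    if opts.get("pgpmode") != "mangle":
        raise ValueError("only pgpmode=mangle is modelled here")
    return apply_sed_rule(opts["pgpsigurlmangle"], tarball_url)

def bytes_to_verify(archive: bytes, filename: str, opts: dict) -> bytes:
    """Return the data to hand to gpgv: the archive as downloaded, or the plain .tar
    when 'decompress' is set because upstream signed the uncompressed tarball."""
    if not opts.get("decompress"):
        return archive
    for suffix, mod in ((".xz", lzma), (".gz", gzip), (".bz2", bz2)):
        if filename.endswith(suffix):
            return mod.decompress(archive)
    return archive

# Constructed sample, not real upstream data: a fake .tar payload compressed with xz.
OPTS = parse_opts(r"pgpmode=mangle, pgpsigurlmangle=s%tar\..z$%tar\.sign%, decompress")
URL = "https://www.kernel.org/pub/software/utils/dtc/dtc-1.4.6.tar.xz"
FAKE_TAR = b"dtc-1.4.6/README\0" * 64
FAKE_XZ = lzma.compress(FAKE_TAR)
```

Without `decompress`, `bytes_to_verify` hands gpgv the `.xz` bytes, which is exactly the "BAD signature" case quoted above when the signature was made over the plain tarball.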



More information about the devscripts-devel mailing list