[dput-ng-maint] Bug#880462: [PATCH] gpg: run debsign on unsigned changes files

Michael Stapelberg stapelberg at debian.org
Tue Oct 31 20:27:21 UTC 2017


Package: dput-ng
Version: 1.15
Severity: wishlist
Tags: patch

Instead of complaining about a missing signature, let's proactively create one,
just like dpkg-buildpackage does.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel, mipsel, arm64

Kernel: Linux 4.13.0-1-amd64 (SMP w/12 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dput-ng depends on:
ii  python       2.7.13-2
ii  python-dput  1.15

Versions of packages dput-ng recommends:
ii  bash-completion  1:2.1-4.3
ii  python-paramiko  2.0.0-1

dput-ng suggests no packages.

-- no debconf information
-------------- next part --------------
>From 711c5416497218acf43bd43ea4b8d45b998eb5f2 Mon Sep 17 00:00:00 2001
From: Michael Stapelberg <stapelberg at debian.org>
Date: Tue, 31 Oct 2017 21:19:33 +0100
Subject: [PATCH 2/2] gpg: run debsign on unsigned changes files

---
 dput/changes.py    | 10 +++++-----
 dput/exceptions.py |  5 ++++-
 dput/hooks/gpg.py  | 53 +++++++++++++++++++++++++++++++++--------------------
 3 files changed, 42 insertions(+), 26 deletions(-)

diff --git a/dput/changes.py b/dput/changes.py
index a79315d..e2b1491 100644
--- a/dput/changes.py
+++ b/dput/changes.py
@@ -256,7 +256,6 @@ class Changes(object):
         # contains verbose human readable GPG information
         if self.is_python3:
             gpg_output_stderr = str(gpg_output_stderr, encoding='utf8')
-        print(gpg_output_stderr)
 
         if self.is_python3:
             gpg_output = gpg_output.decode(encoding='UTF-8')
@@ -264,14 +263,15 @@ class Changes(object):
         if gpg_output.count('[GNUPG:] GOODSIG'):
             pass
         elif gpg_output.count('[GNUPG:] BADSIG'):
-            raise ChangesFileException("Bad signature")
+            raise ChangesFileException("Bad signature", gpg_output_stderr)
         elif gpg_output.count('[GNUPG:] ERRSIG'):
-            raise ChangesFileException("Error verifying signature")
+            raise ChangesFileException("Error verifying signature",
+                                       gpg_output_stderr)
         elif gpg_output.count('[GNUPG:] NODATA'):
-            raise ChangesFileException("No signature on")
+            raise ChangesFileException("No signature on", gpg_output_stderr)
         else:
             raise ChangesFileException(
-                "Unknown problem while verifying signature"
+                "Unknown problem while verifying signature", gpg_output_stderr
             )
 
         key = None
diff --git a/dput/exceptions.py b/dput/exceptions.py
index 1817b7a..44d7651 100644
--- a/dput/exceptions.py
+++ b/dput/exceptions.py
@@ -64,7 +64,10 @@ class ChangesFileException(DputError):
     Thrown when there's an error processing / verifying a .changes file
     (most often via the :class:`dput.changes.Changes` object)
     """
-    pass
+
+    def __init__(self, message, gpg_stderr=None):
+        super(ChangesFileException, self).__init__(message)
+        self.gpg_stderr = gpg_stderr
 
 
 class DscFileException(DputError):
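Review bot: The new `gpg_stderr` attribute added in `__init__` is undocumented, and the class docstring still only describes when the exception is thrown. Since the value is gpg's verbose stderr when the exception comes from signature verification and `None` otherwise (the gpg.py hook tests `if e.gpg_stderr:` before using it), add a line to the docstring such as `gpg_stderr: verbose stderr of the gpg run that failed verification, or None when not applicable`. Note also that `super(ChangesFileException, self).__init__(message)` now fixes the base-class call to a single positional message; DputError is defined outside this hunk, so confirm its constructor accepts exactly that.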
diff --git a/dput/hooks/gpg.py b/dput/hooks/gpg.py
index 71fddc5..7e277f6 100644
--- a/dput/hooks/gpg.py
+++ b/dput/hooks/gpg.py
@@ -18,6 +18,10 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 # 02110-1301, USA.
 
+import os
+import subprocess
+
+import dput.changes
 from dput.core import logger
 from dput.exceptions import (ChangesFileException, HookException)
 
@@ -65,25 +69,34 @@ def check_gpg_signature(changes, profile, interface):
 
     try:
         key = changes.validate_signature()
-        if 'allowed_keys' in gpg:
-            allowed_keys = gpg['allowed_keys']
-
-            found = False
-            for k in allowed_keys:
-                if k == key[-len(k):]:
-                    logger.info("Key %s is trusted to upload to this host." % (
-                        k
-                    ))
-                    found = True
-
-            if not found:
-                raise GPGCheckerError("Key %s is not in %s" % (
-                    key,
-                    allowed_keys
+    except ChangesFileException as e:
+        # Sign unsigned files using debsign:
+        changes_file = changes.get_changes_file()
+        if subprocess.call(['debsign', changes_file]) == 0:
+            changes = dput.changes.parse_changes_file(
+                changes_file,
+                os.path.dirname(changes_file)
+            )
+        try:
+            key = changes.validate_signature()
+        except ChangesFileException as e:
+            if e.gpg_stderr:
+                print e.gpg_stderr
+            raise e
+
+    if 'allowed_keys' in gpg:
+        allowed_keys = gpg['allowed_keys']
+
+        found = False
+        for k in allowed_keys:
+            if k == key[-len(k):]:
+                logger.info("Key %s is trusted to upload to this host." % (
+                    k
                 ))
+                found = True
 
-    except ChangesFileException as e:
-        raise GPGCheckerError(
-            "No valid signature on %s: %s" % (changes.get_filename(),
-                                              e)
-        )
+        if not found:
+            raise GPGCheckerError("Key %s is not in %s" % (
+                key,
+                allowed_keys
+            ))
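Review bot: The debsign fallback in the outer `except ChangesFileException as e:` runs on every ChangesFileException, not only on a missing signature: validate_signature raises the same type for `[GNUPG:] BADSIG` and `ERRSIG` (see the changes.py hunk), so a .changes file whose existing signature fails verification is handed to debsign and re-signed with the uploader's own key instead of being rejected. The hook should distinguish the no-signature (NODATA) case, for example via a dedicated attribute or subclass raised from that branch, and re-raise everything else before calling debsign; a non-zero return from `subprocess.call` is also silently dropped, so the user only sees the later re-validation failure rather than why signing did not happen. `print e.gpg_stderr` is Python 2 statement syntax that will not parse on Python 3, although changes.py carries `is_python3` branches; use `logger.error("%s", e.gpg_stderr)` (logger is already imported here) or at least `print(e.gpg_stderr)`. The rewrite also changes the hook's error contract: previously every ChangesFileException was wrapped in GPGCheckerError with the filename, whereas the inner `raise e` now propagates a bare ChangesFileException, so callers catching GPGCheckerError will miss it; keep the wrapping, and drop the unused `e` binding on the outer except. check_gpg_signature's signature and the `gpg` lookup are above the hunk, and rebinding the local `changes` after re-parsing presumably leaves the caller holding the original unsigned object — worth confirming against the hook's call site.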
-- 
2.14.2


