[Pkg-gnupg-maint] Bug#711744: Bug#711744: [gnupg] Please check signature files when getting new orig.tar.gz

Thijs Kinkhorst thijs at debian.org
Fri Dec 13 08:33:44 UTC 2013


On Thu, December 12, 2013 21:35, Franz Schrober wrote:
>>
>> Thanks, However, this doesn't work for me. If I put random data in the
>> .pgp file it will download the orig.tar.gz blindly. Is this expected?
>> (I'm using sid.)
>
> What *.pgp? The watch file was configured to scan for *sig files. And yes,
> the debian/upstream-signing-key.pgp has to be a valid keyring (which the
> debian package maintainer provides) and is the one which is used to check
> against. I don't think the author intended that it can be invalid but it
> should still download it and tell you that it is an invalid packet and
> warn you about it.

Well, the idea of making it invalid was to see if the download would
actually fail on that.

> I've Cc'ed the author of this feature to discuss it with you. But I just
> checked it with following scenario:
>
> 1. write a correct watchfile + debian/upstream-signing-key.pgp
> 2. test it (should download both signature and file)
> 3. change the debian/watch to a wrong ending
> 4. delete previous downloaded files
> 5. use uscan again
> 6. look around, puzzled, because the file still exists even though the
> signature could not be checked because of this 404. It also doesn't
> generate a failure return code

Thanks.
In any case, given the seemingly endless supply of security bugs being
discovered in uscan, I'm going to hold off on this for a while now.


cheers,
Thijs
