Bug#862059: sbuild: please sign buildinfo files
stevenc at debian.org
Sun May 7 22:20:14 UTC 2017
User: reproducible-builds at lists.alioth.debian.org
dpkg-buildpackage typically generates a .changes and .buildinfo file,
and signs both (since at least dpkg 1.18.19).
But when using sbuild, dpkg-buildpackage inside of the build chroot does
not do the signing, but rather sbuild signs the .changes file afterward.
Please could that code be updated to also sign the .buildinfo (if one
I have not tested the attached patch (yet?) but it explains the issue at
least. Here is typical output where only the .changes file gets signed:
> Finished at 20170314-2338
> Build needed 00:00:43, 5660k disc space
> Signature with key 'F2F4A5FC' requested:
> signfile /home/buildd/build/hello_2.10-1+b1_amd64.changes F2F4A5FC
> Successfully signed changes file
The relevance/importance of this is that official Debian package builds
produce .buildinfo files now, and dak archives them, but they are not
being signed yet.
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: kfreebsd-amd64 (x86_64)
Kernel: kFreeBSD 10.1-0-amd64
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1570 bytes
Desc: not available
More information about the Reproducible-builds