[tryton-debian] Bug#747433: devscripts: [uscan] gpg verification failing due to renaming of signature file
Mathias Behrle
mathiasb at m9s.biz
Thu May 8 16:10:42 UTC 2014
Package: devscripts
Version: 2.14.1
Severity: important
Dear Maintainer,
Running uscan for Tryton packages [1] currently fails for
recently signed packages.
tryton-client:
-- Scanning for watchfiles in .
-- Found watchfile in ./debian
-- In debian/watch, processing watchfile line:
   opts=pgpsigurlmangle=s/$/.asc/ http://downloads.tryton.org/current/ .*tryton-(\d.*)\.(?:tgz|tbz2|txz|tar\.(?:gz|bz2|xz))
-- Found the following matching hrefs:
     tryton-3.2.0.tar.gz (3.2.0)
     tryton-3.2.0.tar.gz (3.2.0)
     tryton-3.2.1.tar.gz (3.2.1)
     tryton-3.2.1.tar.gz (3.2.1)
Newest version on remote site is 3.2.1, local version is 3.2.0
 => Newer version available from
    http://downloads.tryton.org/current/tryton-3.2.1.tar.gz
-- Downloading updated package tryton-3.2.1.tar.gz
-- Downloading OpenPGP signature for package as tryton-3.2.1.tar.gz.pgp
-- Verifying OpenPGP signature tryton-3.2.1.tar.gz.pgp for tryton-3.2.1.tar.gz
gpgv: Unterschrift vom Mi 07 Mai 2014 20:59:29 CEST mittels DSA-Schlüssel ID 15B3323F
gpgv: Unterschrift kann nicht geprüft werden: Öffentlicher Schlüssel nicht gefunden
uscan warning: OpenPGP signature did not verify.
Running the verification from the command line reveals that it
succeeds with the original file (.asc), but not with the renamed file (.pgp):
(x86_64)mathiasb at obelix:~/bin/tryton/projects/debian_builder$ gpg --verify tryton-3.2.1.tar.gz.pgp
gpg: keine unterschriebene Daten
gpg: can't hash datafile: Fehler beim Öffnen der Datei
(x86_64)mathiasb at obelix:~/bin/tryton/projects/debian_builder$ gpg --verify tryton-3.2.1.tar.gz.asc
gpg: Unterschrift vom Mi 07 Mai 2014 20:59:29 CEST mittels DSA-Schlüssel ID 15B3323F
gpg: Korrekte Unterschrift von "Cédric Krier <cedk at gentoo.org>"
gpg:                     alias "Cédric Krier <ced at ced.homedns.org>"
gpg:                     alias "Cédric Krier <cedric.krier at b2ck.com>"
gpg:                     alias "Cédric Krier <krier.cedric at gmail.com>"
gpg:                     alias "Cédric Krier <ced at b2ck.com>"
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg: Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck = 7097 C031 5CCB 53D2 3317 4D68 3CAD 3FD4 4995 5603
Unter-Fingerabdruck = A2A8 3D39 F7B1 E5B8 1BE3 4254 99DE 4FB5 15B3 323F
Is there a special reason why signatures are renamed instead of using
the original ones?
Cheers,
Mathias
[1] https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi?a=project_list&s=tryton%2F&btnS=Search
-- Package-specific info:
--- /etc/devscripts.conf ---
--- ~/.devscripts ---
DEBSIGN_MAINT='Mathias Behrle <mathiasb at m9s.biz>'
DEBSIGN_KEYID=8405BBF6
DEBUILD_DPKG_BUILDPACKAGE_OPTS="-i -ICVS -I.svn -I.hg -I.git"
DEBUILD_LINTIAN=yes
DEBUILD_LINTIAN_OPTS="-i -I --show-overrides"
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'stable'), (400, 'unstable'), (300, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.13-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to de_DE.UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages devscripts depends on:
ii dpkg-dev 1.17.9
ii libc6 2.18-5
ii perl 5.18.2-2+b1
ii python3 3.3.4-1
pn python3:any <none>
Versions of packages devscripts recommends:
ii at 3.1.14-1
ii curl 7.36.0-2
ii dctrl-tools 2.23
ii debian-keyring 2014.04.25
ii dput 0.9.6.4
ii equivs 2.0.9
ii fakeroot 1.18.4-2
ii gnupg 1.4.16-1.1
ii libdistro-info-perl 0.12
ii libencode-locale-perl 1.03-1
ii libjson-perl 2.61-1
ii liblwp-protocol-https-perl 6.04-2
pn libparse-debcontrol-perl <none>
pn libsoap-lite-perl <none>
ii liburi-perl 1.60-1
ii libwww-perl 6.06-1
ii lintian 2.5.22.1
ii man-db 2.6.7.1-1
ii patch 2.7.1-5
ii patchutils 0.3.3-1
pn python3-debian <none>
pn python3-magic <none>
ii sensible-utils 0.0.9
ii strace 4.5.20-2.3
ii unzip 6.0-12
ii wdiff 1.2.1-3
ii wget 1.15-1
ii xz-utils 5.1.1alpha+20120614-2
Versions of packages devscripts suggests:
ii bsd-mailx [mailx] 8.1.2-0.20131005cvs-1
ii build-essential 11.6
pn cvs-buildpackage <none>
pn devscripts-el <none>
ii gnuplot 4.6.5-1
ii gpgv 1.4.16-1.1
pn libauthen-sasl-perl <none>
pn libfile-desktopentry-perl <none>
ii libnet-smtp-ssl-perl 1.01-3
pn libterm-size-perl <none>
ii libtimedate-perl 2.3000-2
pn libyaml-syck-perl <none>
ii mailx 1:20081101-2
ii mutt 1.5.23-1
ii openssh-client [ssh-client] 1:6.6p1-4
pn svn-buildpackage <none>
ii w3m 0.5.3-15
-- no debconf information