[tryton-debian] Bug#747433: devscripts: [uscan] gpg verification failing due to renaming of signature file

Mathias Behrle mathiasb at m9s.biz
Thu May 8 16:10:42 UTC 2014


Package: devscripts
Version: 2.14.1
Severity: important

Dear Maintainer,

   Running uscan for Tryton packages [1] currently fails for
   recently signed packages.

   tryton-client:

   -- Scanning for watchfiles in .
   -- Found watchfile in ./debian
   -- In debian/watch, processing watchfile line:
      opts=pgpsigurlmangle=s/$/.asc/
      http://downloads.tryton.org/current/
      .*tryton-(\d.*)\.(?:tgz|tbz2|txz|tar\.(?:gz|bz2|xz))
   -- Found the following matching hrefs:
     tryton-3.2.0.tar.gz (3.2.0)
     tryton-3.2.0.tar.gz (3.2.0)
     tryton-3.2.1.tar.gz (3.2.1)
     tryton-3.2.1.tar.gz (3.2.1)
   Newest version on remote site is 3.2.1, local version is 3.2.0
    => Newer version available from
       http://downloads.tryton.org/current/tryton-3.2.1.tar.gz
   -- Downloading updated package tryton-3.2.1.tar.gz
   -- Downloading OpenPGP signature for package as tryton-3.2.1.tar.gz.pgp
   -- Verifying OpenPGP signature tryton-3.2.1.tar.gz.pgp for tryton-3.2.1.tar.gz
   gpgv: Unterschrift vom Mi 07 Mai 2014 20:59:29 CEST mittels DSA-Schlüssel ID 15B3323F
   gpgv: Unterschrift kann nicht geprüft werden: Öffentlicher Schlüssel nicht gefunden
   uscan warning: OpenPGP signature did not verify.

   
   Running the verification from the command line reveals that it
   succeeds with the original file (.asc) but not with the renamed file (.pgp):


   (x86_64)mathiasb at obelix:~/bin/tryton/projects/debian_builder$ gpg --verify tryton-3.2.1.tar.gz.pgp
   gpg: keine unterschriebene Daten
   gpg: can't hash datafile: Fehler beim Öffnen der Datei

   (x86_64)mathiasb at obelix:~/bin/tryton/projects/debian_builder$ gpg --verify tryton-3.2.1.tar.gz.asc
   gpg: Unterschrift vom Mi 07 Mai 2014 20:59:29 CEST mittels DSA-Schlüssel ID 15B3323F
   gpg: Korrekte Unterschrift von "Cédric Krier <cedk at gentoo.org>"
   gpg:                     alias "Cédric Krier <ced at ced.homedns.org>"
   gpg:                     alias "Cédric Krier <cedric.krier at b2ck.com>"
   gpg:                     alias "Cédric Krier <krier.cedric at gmail.com>"
   gpg:                     alias "Cédric Krier <ced at b2ck.com>"
   gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
   gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
   Haupt-Fingerabdruck  = 7097 C031 5CCB 53D2 3317  4D68 3CAD 3FD4 4995 5603
   Unter-Fingerabdruck  = A2A8 3D39 F7B1 E5B8 1BE3  4254 99DE 4FB5 15B3 323F

   Is there a special reason why signatures are renamed instead of using
   the original ones?

   Cheers,
   Mathias

[1] https://alioth.debian.org/plugins/scmgit/cgi-bin/gitweb.cgi?a=project_list&s=tryton%2F&btnS=Search


-- Package-specific info:

--- /etc/devscripts.conf ---

--- ~/.devscripts ---
DEBSIGN_MAINT='Mathias Behrle <mathiasb at m9s.biz>'
DEBSIGN_KEYID=8405BBF6
DEBUILD_DPKG_BUILDPACKAGE_OPTS="-i -ICVS -I.svn -I.hg -I.git"
DEBUILD_LINTIAN=yes
DEBUILD_LINTIAN_OPTS="-i -I --show-overrides"

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable'), (400, 'unstable'), (300, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to de_DE.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages devscripts depends on:
ii  dpkg-dev     1.17.9
ii  libc6        2.18-5
ii  perl         5.18.2-2+b1
ii  python3      3.3.4-1
pn  python3:any  <none>

Versions of packages devscripts recommends:
ii  at                          3.1.14-1
ii  curl                        7.36.0-2
ii  dctrl-tools                 2.23
ii  debian-keyring              2014.04.25
ii  dput                        0.9.6.4
ii  equivs                      2.0.9
ii  fakeroot                    1.18.4-2
ii  gnupg                       1.4.16-1.1
ii  libdistro-info-perl         0.12
ii  libencode-locale-perl       1.03-1
ii  libjson-perl                2.61-1
ii  liblwp-protocol-https-perl  6.04-2
pn  libparse-debcontrol-perl    <none>
pn  libsoap-lite-perl           <none>
ii  liburi-perl                 1.60-1
ii  libwww-perl                 6.06-1
ii  lintian                     2.5.22.1
ii  man-db                      2.6.7.1-1
ii  patch                       2.7.1-5
ii  patchutils                  0.3.3-1
pn  python3-debian              <none>
pn  python3-magic               <none>
ii  sensible-utils              0.0.9
ii  strace                      4.5.20-2.3
ii  unzip                       6.0-12
ii  wdiff                       1.2.1-3
ii  wget                        1.15-1
ii  xz-utils                    5.1.1alpha+20120614-2

Versions of packages devscripts suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20131005cvs-1
ii  build-essential              11.6
pn  cvs-buildpackage             <none>
pn  devscripts-el                <none>
ii  gnuplot                      4.6.5-1
ii  gpgv                         1.4.16-1.1
pn  libauthen-sasl-perl          <none>
pn  libfile-desktopentry-perl    <none>
ii  libnet-smtp-ssl-perl         1.01-3
pn  libterm-size-perl            <none>
ii  libtimedate-perl             2.3000-2
pn  libyaml-syck-perl            <none>
ii  mailx                        1:20081101-2
ii  mutt                         1.5.23-1
ii  openssh-client [ssh-client]  1:6.6p1-4
pn  svn-buildpackage             <none>
ii  w3m                          0.5.3-15

-- no debconf information
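
The two `gpg --verify` runs in the report differ only in the signature file's name; naming the signed file explicitly removes that dependency. The following is an added example, not part of the original report or of devscripts: the function names are hypothetical, and the list of suffixes from which gpg infers the signed file is an assumption.

```shell
#!/bin/sh
# Added example (not from the original report or from devscripts).

# guess_signed_file SIGNATURE
# Models how a one-argument "gpg --verify SIGNATURE" finds the signed file.
# Assumption: gpg strips only these suffixes; for any other name (such as
# .pgp) it has no data file to hash and reports that no signed data exists.
guess_signed_file() {
    case "$1" in
        *.asc)  printf '%s\n' "${1%.asc}" ;;
        *.sig)  printf '%s\n' "${1%.sig}" ;;
        *.sign) printf '%s\n' "${1%.sign}" ;;
        *)      return 1 ;;
    esac
}

# verify_detached KEYRING SIGNATURE DATAFILE
# Passes the signed file explicitly, so the signature's file name no longer
# matters, and trusts only keys in KEYRING (gpgv does no trust-db lookup).
# Give KEYRING as a path containing a slash; gpgv resolves a bare file name
# relative to its home directory instead of the current directory.
verify_detached() {
    keyring=$1 sig=$2 data=$3
    for f in "$keyring" "$sig" "$data"; do
        [ -r "$f" ] || { echo "verify_detached: cannot read $f" >&2; return 2; }
    done
    # gpgv exits non-zero both for a bad signature and for a signing key
    # that is absent from KEYRING; its stderr tells the two cases apart.
    gpgv --keyring "$keyring" "$sig" "$data"
}
```

With the file names from the report, `guess_signed_file tryton-3.2.1.tar.gz.asc` yields `tryton-3.2.1.tar.gz`, while the `.pgp` name yields nothing; `verify_detached` works with either name.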


