[Git][ftp-team/dak][master] 2 commits: debianqueued: Do not output signature validity

[Ansgar <ansgar@debian.org>]

Title: GitLab

Ansgar pushed to branch master at Debian FTP Team / dak

Commits:

• 29f3be3f
  by Kees Cook at 2020-02-28T21:50:27-08:00

  debianqueued: Do not output signature validity
  
  Default GPG signature verification output has a trailing validity
  identifier ("[ultimate]", "[unknown]", etc) now, so the gpg signature
  checking regex was no longer matching. This resulted in surprising log
  lines like:
  
  Feb 29 04:59:31 processing /kees-1582951501.dak-commands
  Feb 29 04:59:31 (PGP/GnuPG signature by unknown signator)
  
  Existing regex is:
    $output =~ /^(gpg: )?good signature from (user )?"(.*)"\.?$/im;
  
  Current gpg sees:
  
  $ gpg --verify --no-default-keyring --keyring /srv/keyring.debian.org/keyrings/debian-keyring.gpg kees-1582951501.dak-commands
  gpg: Signature made Sat 29 Feb 2020 04:45:01 AM UTC
  gpg:                using RSA key A5C3F68F229DD60F723E6E138972F4DFDC6DC026
  gpg: Good signature from "Kees Cook <kees@outflux.net>" [unknown]
  gpg:                 aka "Kees Cook <kees@debian.org>" [unknown]
  ...
  
  Instead, launch gpg with --verify-options no-show-uid-validity to avoid
  breaking the regex.
  
  While here, I made the more robust by adding "?:" prefixes to the unused
  regex match groups so the assignment on the next line can always use $1:
  
    ( $signator = $1 ) ||= "unknown signator";
  

• b9982e65
  by Ansgar at 2020-04-09T12:31:49+02:00

  Merge remote-tracking branch 'origin/merge-requests/180'
  

1 changed file:

• tools/debianqueued-0.9/debianqueued

Changes:

tools/debianqueued-0.9/debianqueued

---

...	...	@@ -1672,6 +1672,7 @@ sub pgp_check($) {
1672	1672	my @command = ("$conf::gpg", "--no-options", "--batch", "--no-tty",
1673	1673	"--trust-model", "always", "--no-default-keyring",
1674	1674	(map +("--keyring" => $_), @conf::keyrings),
	1675	+ "--verify-options", "no-show-uid-validity",
1675	1676	"--verify", "-");
1676	1677	debug( "executing " . join(" ", @command) );
1677	1678
...	...	@@ -1706,8 +1707,8 @@ sub pgp_check($) {
1706	1707	return "";
1707	1708	} ## end if ($stat)
1708	1709
1709		- $output =~ /^(gpg: )?good signature from (user )?"(.*)"\.?$/im;
1710		- ( $signator = $3 ) ||= "unknown signator";
	1710	+ $output =~ /^(?:gpg: )?good signature from (?:user )?"(.*)"\.?$/im;
	1711	+ ( $signator = $1 ) ||= "unknown signator";
1711	1712	if ($conf::debug) {
1712	1713	debug("GnuPG signature ok (by $signator)");
1713	1714	}

—
View it on GitLab.
You're receiving this email because of your account on salsa.debian.org. If you'd like to receive fewer emails, you can adjust your notification settings.