[lintian] 02/02: Detect lack of upstream key in case of watch file signature checking.
This is an automated email from the git hooks/post-receive script.
broucaries-guest pushed a commit to branch master
in repository lintian.
commit 384af31362923a2c787cae9bd82b8600fab33849
Author: Bastien ROUCARIÈS <roucaries.bastien@gmail.com>
Date: Mon Nov 4 21:57:57 2013 +0100
Detect lack of upstream key in case of watch file signature checking.
Check for missing debian/upstream-signing-key.pgp
Signed-off-by: Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>
---
checks/watch-file.desc | 9 +++++++++
checks/watch-file.pm | 7 +++++++
debian/changelog | 1 +
3 files changed, 17 insertions(+)
diff --git a/checks/watch-file.desc b/checks/watch-file.desc
index a36a0b0..480b085 100644
--- a/checks/watch-file.desc
+++ b/checks/watch-file.desc
@@ -161,6 +161,15 @@ Info: This watch file does not include a means to verify the
attacker to get such code to a wider audience through
distributions like Debian.
+Tag: debian-watch-file-pubkey-file-is-missing
+Severity: important
+Certainty: certain
+Ref: uscan(1)
+Info: This watch file verify cryptographic signature but
+ the upstream public key is missing.
+ .
+ Please add upstream public keys in debian/upstream-signing-key.pgp.
+
Tag: debian-watch-contains-dh_make-template
Severity: wishlist
Certainty: certain
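Review bot: The Info text of the new tag has a grammar slip in "This watch file verify cryptographic signature but"; it should read "This watch file verifies cryptographic signatures but the upstream public key is missing." Since the tag is Severity: important and points at uscan(1), one more sentence saying why the missing key matters for signature verification would make the description actionable on its own.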
diff --git a/checks/watch-file.pm b/checks/watch-file.pm
index 6a1560e..2ab58aa 100644
--- a/checks/watch-file.pm
+++ b/checks/watch-file.pm
@@ -181,6 +181,13 @@ sub run {
tag 'debian-watch-contains-dh_make-template' if ($template);
tag 'debian-watch-may-check-gpg-signature' unless ($withgpgverification);
+ if ($withgpgverification) {
+ my $pgpfile = $info->debfiles('upstream-signing-key.pgp');
+ if (!-f $pgpfile) {
+ tag 'debian-watch-file-pubkey-file-is-missing';
+ }
+ }
+
my $changes = $info->changelog;
if (defined $changes and %dversions) {
my $data = $changes->data;
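Review bot: The test "if (!-f $pgpfile)" in the new block only establishes that a regular file exists at that path, so an empty upstream-signing-key.pgp silences debian-watch-file-pubkey-file-is-missing although no key is present. Consider also requiring a non-zero size with "-s $pgpfile". Note as well that -f follows symlinks and the path comes from an unpacked source package, so testing "-l $pgpfile" first would keep a link pointing elsewhere from satisfying the check. The two nested if statements can be folded into a single condition.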
diff --git a/debian/changelog b/debian/changelog
index 2687798..0b837e4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,7 @@ lintian (2.5.20) UNRELEASED; urgency=low
cause (Closes: #723886).
* checks/watch.{desc,pm}:
+ [BR] Detect lack of uscan support for gpg signature.
+ (Closes: #711553).
* data/binary/embedded-libs:
+ [RG] Detect embedded copies of poppler/xpdf. (Closes: #724733)
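Review bot: The only added line here, "+ (Closes: #711553).", is attached to the existing entry "Detect lack of uscan support for gpg signature", so the new tag debian-watch-file-pubkey-file-is-missing gets no changelog entry of its own. Add a separate [BR] line describing the missing-key check, and confirm which of the two entries the bug closure belongs to. The heading "checks/watch.{desc,pm}" also does not match the files this commit touches, checks/watch-file.desc and checks/watch-file.pm.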
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git