[lintian] 02/02: Detect lack of upstream key in case of watch file signature checking.



This is an automated email from the git hooks/post-receive script.

broucaries-guest pushed a commit to branch master
in repository lintian.

commit 384af31362923a2c787cae9bd82b8600fab33849
Author: Bastien ROUCARIÈS <roucaries.bastien@gmail.com>
Date:   Mon Nov 4 21:57:57 2013 +0100

    Detect lack of upstream key in case of watch file signature checking.
    
    Check for missing debian/upstream-signing-key.pgp
    
    Signed-off-by: Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>
---
 checks/watch-file.desc |    9 +++++++++
 checks/watch-file.pm   |    7 +++++++
 debian/changelog       |    1 +
 3 files changed, 17 insertions(+)

diff --git a/checks/watch-file.desc b/checks/watch-file.desc
index a36a0b0..480b085 100644
--- a/checks/watch-file.desc
+++ b/checks/watch-file.desc
@@ -161,6 +161,15 @@ Info: This watch file does not include a means to verify the
  attacker to get such code to a wider audience through
  distributions like Debian.
 
+Tag: debian-watch-file-pubkey-file-is-missing
+Severity: important
+Certainty: certain
+Ref: uscan(1)
+Info: This watch file verify cryptographic signature but
+ the upstream public key is missing.
+ .
+ Please add upstream public keys in debian/upstream-signing-key.pgp.
+
 Tag: debian-watch-contains-dh_make-template
 Severity: wishlist
 Certainty: certain
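Review bot: The Info text of the new tag debian-watch-file-pubkey-file-is-missing needs a wording fix and a clearer remedy. "This watch file verify cryptographic signature" should read "This watch file verifies cryptographic signatures", and the last line says "public keys" while naming a single file, debian/upstream-signing-key.pgp. It would also help to state the consequence in the text: the signature check requested by the watch file has no key to verify against.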
diff --git a/checks/watch-file.pm b/checks/watch-file.pm
index 6a1560e..2ab58aa 100644
--- a/checks/watch-file.pm
+++ b/checks/watch-file.pm
@@ -181,6 +181,13 @@ sub run {
     tag 'debian-watch-contains-dh_make-template' if ($template);
     tag 'debian-watch-may-check-gpg-signature' unless ($withgpgverification);
 
+    if ($withgpgverification) {
+         my $pgpfile = $info->debfiles('upstream-signing-key.pgp');
+         if (!-f $pgpfile) {
+             tag 'debian-watch-file-pubkey-file-is-missing';
+         }
+    }
+
     my $changes = $info->changelog;
     if (defined $changes and %dversions) {
         my $data = $changes->data;
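Review bot: The test "if (!-f $pgpfile)" in the added block only establishes that a regular file is reachable at that path. Perl's -f follows symbolic links, and a zero-length file also passes, so a package can silence the tag without shipping a key. Since the path sits inside an unpacked source package, consider treating a symlink (-l) or an empty file (-s is false) as missing too. On style, the inner lines are indented by 9 and 13 spaces where the surrounding code uses multiples of 4, and the two nested ifs can be folded into a single condition.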
diff --git a/debian/changelog b/debian/changelog
index 2687798..0b837e4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,7 @@ lintian (2.5.20) UNRELEASED; urgency=low
       cause (Closes: #723886).
   * checks/watch.{desc,pm}:
     + [BR] Detect lack of uscan support for gpg signature.
+      (Closes: #711553).
 
   * data/binary/embedded-libs:
     + [RG] Detect embedded copies of poppler/xpdf.  (Closes: #724733)
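Review bot: The changelog hunk does not document the new check. The only added line attaches "(Closes: #711553)" to the existing entry "Detect lack of uscan support for gpg signature", and nothing mentions the new tag debian-watch-file-pubkey-file-is-missing or the test for debian/upstream-signing-key.pgp. Please add a separate "+ [BR]" line describing it. The entry header also reads checks/watch.{desc,pm} while this commit modifies checks/watch-file.desc and checks/watch-file.pm, so the header is worth correcting in the same change.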

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git

