Bug#758054: marked as done ([lintian] dpkg-sig signed package triggering misplaced-extra-member-in-deb error)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sun, 24 Aug 2014 13:14:03 +0200
with message-id <53F9C8FB.3000500@thykier.net>
and subject line Re: Bug#758054: [lintian] dpkg-sig signed package triggering misplaced-extra-member-in-deb error
has caused the Debian Bug report #758054,
regarding [lintian] dpkg-sig signed package triggering misplaced-extra-member-in-deb error
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
758054: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758054
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: [lintian] dpkg-sig signed package triggering misplaced-extra-member-in-deb error
• From: OmegaPhil <OmegaPhil00@startmail.com>
• Date: Wed, 13 Aug 2014 20:37:52 +0100
• Message-id: <[🔎] 53EBBE90.3000408@startmail.com>

Package: lintian
Version: 2.5.25
Severity: normal

I'm investigating signing Debian archives with dpkg-sig (available in
the repos) - after modifying an archive with a signature, lintian
reports the following warning:

=================================================================

misplaced-extra-member-in-deb _gpgbuilder (unexpected member at position 3)

=================================================================

While dpkg-sig is not widespread, presumably its official enough not to
trigger an error?

For testing, get the name of your gpg key, export
DEBSIGN_MAINT="<name>", then:

================================

dpkg-sig --sign "builder" *.deb

================================

To verify a signature:

========================

dpkg-sig --verify *.deb

========================


--- System information. ---
Architecture: amd64
Kernel:       Linux 3.14-2-amd64

Debian Release: jessie/sid
  990 testing         10.1.0.3
  500 unstable        10.1.0.3
  500 quodlibet-unstable 10.1.0.3
    1 experimental    10.1.0.3

--- Package information. ---
Depends                            (Version) | Installed
============================================-+-===========
binutils                                     | 2.24.51.20140727-1
bzip2                                        | 1.0.6-7
diffstat                                     | 1.58-1
file                                         | 1:5.19-1
gettext                                      | 0.19.2-1
hardening-includes                           | 2.5
intltool-debian                              | 0.35.0+20060710.1
libapt-pkg-perl                              | 0.1.29+b1
libarchive-zip-perl                          | 1.37-2
libclass-accessor-perl                       | 0.34-1
libclone-perl                                | 0.37-1
libdigest-sha-perl                           |
libdpkg-perl                                 | 1.17.10
libemail-valid-perl                          | 1.194-1
libfile-basedir-perl                         | 0.03-1
libipc-run-perl                              | 0.92-1
liblist-moreutils-perl                       | 0.33-2
libparse-debianchangelog-perl                | 1.2.0-1
libtext-levenshtein-perl                     | 0.09-1
libtimedate-perl                             | 2.3000-2
liburi-perl                                  | 1.64-1
man-db                                       | 2.6.7.1-1
patchutils                                   | 0.3.3-1
perl                                         | 5.18.2-7
t1utils                                      | 1.37-2


Recommends               (Version) | Installed
==================================-+-===========
libautodie-perl          (>= 2.18) | 2.25-1
libperlio-gzip-perl                | 0.18-3


Suggests                   (Version) | Installed
====================================-+-===========
binutils-multiarch                   |
dpkg-dev                             | 1.17.10
libhtml-parser-perl                  | 3.71-1+b1
libtext-template-perl                |
libyaml-perl                         | 0.98-1
xz-utils                             | 5.1.1alpha+20120614-2

Attachment: signature.asc
Description: OpenPGP digital signature

--- End Message ---

--- Begin Message ---

• To: OmegaPhil <OmegaPhil00@startmail.com>, 758054-done@bugs.debian.org
• Subject: Re: Bug#758054: [lintian] dpkg-sig signed package triggering misplaced-extra-member-in-deb error
• From: Niels Thykier <niels@thykier.net>
• Date: Sun, 24 Aug 2014 13:14:03 +0200
• Message-id: <53F9C8FB.3000500@thykier.net>
• In-reply-to: <[🔎] 53EBBE90.3000408@startmail.com>
• References: <[🔎] 53EBBE90.3000408@startmail.com>

Control: tags -1 wontfix

On 2014-08-13 21:37, OmegaPhil wrote:
> Package: lintian
> Version: 2.5.25
> Severity: normal
> 
> I'm investigating signing Debian archives with dpkg-sig (available in
> the repos) - after modifying an archive with a signature, lintian
> reports the following warning:
> 
> =================================================================
> 
> misplaced-extra-member-in-deb _gpgbuilder (unexpected member at position 3)
> 
> =================================================================
> 
> While dpkg-sig is not widespread, presumably its official enough not to
> trigger an error?
> 
> [...]

Thanks for taking the time to report the bug.

Unfortunately, these methods of signing debs are not official and are
not even permitted in uploads.  Until there is an officially sanctioned
method for signing debs, I will be tagging this wontfix.

~Niels

--- End Message ---