Bug#833585: lintian: Check presence of upstream signature if signing key available
Hi,
> lintian: Check presence of upstream signature if signing key
> available
So, I just had a go at implementing this. However, I think I'm
misunderstanding something fundamental about how Lintian's Collect
classes work.
Namely, checks/changes-file.pm will only "see" .changes-related stuff;
if I want to check the source package for whether the signing key exists
I'll need a Lintian::Collect::Source… but I can't quite see how to access
that from within changes-file.pm.
In concrete terms, I (obviously) cannot call $info->index_resolved_path.
Any hints?
WIP patch attached:
commit 006256a6fb3bd13452180ca2abccacd3cd6762e4
Author: Chris Lamb <lamby@debian.org>
Date: Sat Jul 15 20:31:55 2017 +0100
checks/changes-file.desc | 6 ++++++
checks/changes-file.pm | 15 +++++++++++++++
checks/watch-file.pm | 7 ++-----
data/common/signing-key-filenames | 5 +++++
debian/changelog | 3 +++
...changes-file-missing-upstream-signature.changes.in | 18 ++++++++++++++++++
.../changes-file-missing-upstream-signature.desc | 4 ++++
...hanges-file-missing-upstream-signature.orig.tar.gz | Bin 0 -> 105 bytes
.../changes-file-missing-upstream-signature.tags | 1 +
9 files changed, 54 insertions(+), 5 deletions(-)
Regards,
--
,''`.
: :' : Chris Lamb, Debian Project Leader
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
>From 006256a6fb3bd13452180ca2abccacd3cd6762e4 Mon Sep 17 00:00:00 2001
From: Chris Lamb <lamby@debian.org>
Date: Sat, 15 Jul 2017 20:31:55 +0100
Subject: [PATCH] Check for the presence of a signature if an upstream signing
key is present. (Closes: #833585)
---
checks/changes-file.desc | 6 ++++++
checks/changes-file.pm | 15 +++++++++++++++
checks/watch-file.pm | 7 ++-----
data/common/signing-key-filenames | 5 +++++
debian/changelog | 3 +++
...changes-file-missing-upstream-signature.changes.in | 18 ++++++++++++++++++
.../changes-file-missing-upstream-signature.desc | 4 ++++
...hanges-file-missing-upstream-signature.orig.tar.gz | Bin 0 -> 105 bytes
.../changes-file-missing-upstream-signature.tags | 1 +
9 files changed, 54 insertions(+), 5 deletions(-)
create mode 100644 data/common/signing-key-filenames
create mode 100644 t/changes/changes-file-missing-upstream-signature.changes.in
create mode 100644 t/changes/changes-file-missing-upstream-signature.desc
create mode 100644 t/changes/changes-file-missing-upstream-signature.orig.tar.gz
create mode 100644 t/changes/changes-file-missing-upstream-signature.tags
diff --git a/checks/changes-file.desc b/checks/changes-file.desc
index 4506cccb1..c1fa0d6a4 100644
--- a/checks/changes-file.desc
+++ b/checks/changes-file.desc
@@ -179,3 +179,9 @@ Info: The distribution in the <tt>Changes</tt> field copied from
<tt>debian/changelog</tt> indicates that this package was not intended
to be released yet.
Ref: #542747
+
+Tag: signing-key-without-upstream-signature
+Severity: important
+Certainty: certain
+Info: The packaging includes an upstream signing key but the signature for
+ one or more source tarballs are not included in your .changes file.
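Review bot: The Info text on the last two lines has a subject/verb mismatch — `the signature for one or more source tarballs are not included` should read `is not included`. Writing it as `the signature for one or more source tarballs is not included in the .changes file` would also avoid the shift to second person (`your`) that the surrounding context in this file (`indicates that this package was not intended`) does not use.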
diff --git a/checks/changes-file.pm b/checks/changes-file.pm
index 4b56525f6..b128887e9 100644
--- a/checks/changes-file.pm
+++ b/checks/changes-file.pm
@@ -29,6 +29,7 @@ use Lintian::Data;
use Lintian::Util qw(get_file_checksum);
my $KNOWN_DISTS = Lintian::Data->new('changes-file/known-dists');
+my $SIGNING_KEY_FILENAMES = Lintian::Data->new('common/signing-key-filenames');
sub run {
my (undef, undef, $info) = @_;
@@ -175,12 +176,26 @@ sub run {
check_maintainer($info->field('changed-by'), 'changed-by');
}
+ my $has_signing_key = 0;
+ for my $key_name ($SIGNING_KEY_FILENAMES->all) {
+ my $path = $info->index_resolved_path("debian/$key_name");
+ if ($path and $path->is_file) {
+ $has_signing_key = 1;
+ last;
+ }
+ }
+
my $files = $info->files;
my $path = readlink($info->lab_data_path('changes'));
$path =~ s#/[^/]+$##;
foreach my $file (keys %$files) {
my $file_info = $files->{$file};
+ if ($has_signing_key && $file =~ m/\.orig\./ && $file !~ m/\.asc^/) {
+ next if exists $files->index_resolved_path{"$file.asc"};
+ tag 'signing-key-without-upstream-signaturew', "$file whut";
+ }
+
# check section
if ( ($file_info->{section} eq 'non-free')
or ($file_info->{section} eq 'contrib')) {
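Review bot: The new `.orig.` block never excludes signature files and never consults the Files list the way it intends: in `m/\.asc^/` the start anchor `^` comes after `.asc`, so the pattern can match nothing and `!~` is always true, and `exists $files->index_resolved_path{"$file.asc"}` mixes a method name into a hash subscript on the plain hashref that `my $files = $info->files;` and `keys %$files` show `$files` to be. The emitted tag name `signing-key-without-upstream-signaturew` and the `"$file whut"` detail also do not match the `signing-key-without-upstream-signature` tag declared in checks/changes-file.desc, so the tag would be unknown to lintian. The three lines should read `if ($has_signing_key && $file =~ m/\.orig\./ && $file !~ m/\.asc\z/) {`, `next if exists $files->{"$file.asc"};`, `tag 'signing-key-without-upstream-signature', $file;`. The `$has_signing_key` loop above calls `$info->index_resolved_path` on the changes-file collect, which, as the cover mail itself notes, apparently is not available there, so that lookup presumably has to go through the source package's collect instead; `run` starts and ends outside this hunk.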
diff --git a/checks/watch-file.pm b/checks/watch-file.pm
index bfa5d9293..ca651f030 100644
--- a/checks/watch-file.pm
+++ b/checks/watch-file.pm
@@ -28,6 +28,7 @@ use autodie;
use Lintian::Tags qw(tag);
our $WATCH_VERSION = Lintian::Data->new('watch-file/version', qr/\s*=\s*/o);
+our $SIGNING_KEY_FILENAMES = Lintian::Data->new('common/signing-key-filenames');
sub run {
my (undef, undef, $info) = @_;
@@ -185,12 +186,8 @@ sub run {
tag 'debian-watch-may-check-gpg-signature' unless ($withgpgverification);
if ($withgpgverification) {
- my @key_names = (
- qw(upstream-signing-key.pgp upstream/signing-key.pgp
- upstream/signing-key.asc)
- );
my $found = 0;
- for my $key_name (@key_names) {
+ for my $key_name ($SIGNING_KEY_FILENAMES->all) {
my $path = $info->index_resolved_path("debian/$key_name");
if ($path and $path->is_file) {
$found = 1;
diff --git a/data/common/signing-key-filenames b/data/common/signing-key-filenames
new file mode 100644
index 000000000..f358063e6
--- /dev/null
+++ b/data/common/signing-key-filenames
@@ -0,0 +1,5 @@
+# Manually maintained list of possible upstream signing key locations
+#
+upstream-signing-key.pgp
+upstram/signing-key.pgp
+upstream/signing-key.asc
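Review bot: The entry `upstram/signing-key.pgp` drops the `e` of `upstream`; it should be `upstream/signing-key.pgp`, matching the path in the hard-coded list this commit removes from checks/watch-file.pm. With the typo, the `$found` loop in watch-file.pm, which now reads this file, no longer recognises `debian/upstream/signing-key.pgp`, so packages that ship only that key location would regress. A one-line header comment such as `# Paths are relative to the debian/ directory of the source package` would also make the list self-explanatory to whoever maintains it.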
diff --git a/debian/changelog b/debian/changelog
index cc52719f2..14a66aa32 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,9 @@ lintian (2.5.52) UNRELEASED; urgency=medium
+ [NT] Remove check for missing versioned build-depends for dpkg
and debhlper when using Build-Profiles. The necessary versions
are now in oldstable.
+ * checks/changes-file.{desc,pm}:
+ + [CL] Check for the presence of a signature if an upstream signing
+ key is present. (Closes: #833585)
* checks/copyright-file.{desc,pm}:
+ [CL] Rename copyright-contains-dh-make-perl-boilerplate to
copyright-contains-automatically-extracted-boilerplate as it can
diff --git a/t/changes/changes-file-missing-upstream-signature.changes.in b/t/changes/changes-file-missing-upstream-signature.changes.in
new file mode 100644
index 000000000..81cc68606
--- /dev/null
+++ b/t/changes/changes-file-missing-upstream-signature.changes.in
@@ -0,0 +1,18 @@
+Format: 1.8
+Date: {$date}
+Source: {$source}
+Binary: {$source}
+Architecture: source all
+Version: {$version}
+Distribution: unstable
+Urgency: low
+Maintainer: {$author}
+Changed-By: {$author}
+Files:
+ 98af6e193d7e1d5f5d893bd646aa0d8c 105 devel optional {$source}.orig.tar.gz
+Checksums-Sha1:
+ 91b47e0803c00e5bc92a8201dd97a97ef3a2f46e 105 {$source}.log
+Checksums-Sha256:
+ 0bd9e55cb2c0f67beaa2d79df0d7ec028ff89ff8ae3e3031bd35888b77bb54c1 105 {$source}.orig.tar.gz
+Description:
+ {$source} - {$description}
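Review bot: The Checksums-Sha1 entry names `{$source}.log` while Files and Checksums-Sha256 both name `{$source}.orig.tar.gz`, so the three lists in this fixture describe different files. Unless that is deliberate to provoke a second tag, the Sha1 line should name the tarball, `<sha1-of-fixture-tarball> 105 {$source}.orig.tar.gz` (hash to be computed from the tarball added in this commit); otherwise the new tag may be accompanied or masked by unrelated checksum-consistency tags, if lintian cross-checks the lists.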
diff --git a/t/changes/changes-file-missing-upstream-signature.desc b/t/changes/changes-file-missing-upstream-signature.desc
new file mode 100644
index 000000000..81ef38942
--- /dev/null
+++ b/t/changes/changes-file-missing-upstream-signature.desc
@@ -0,0 +1,4 @@
+Testname: changes-file-missing-upstream-signature
+Version: 1.0
+Description: Check presence of a signature if we have an upstream signing key
+Test-For: signing-key-without-upstream-signature
diff --git a/t/changes/changes-file-missing-upstream-signature.orig.tar.gz b/t/changes/changes-file-missing-upstream-signature.orig.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..3bf374f45fef1924202611f0cd6891dc158ba046
GIT binary patch
literal 105
zcmb2|=3oE;Cg!)Nw3!YW2)JI1^a^uOU!wS0Q;J9a;5$vGMn>1Gme0Drmj(ZcUFY^}
zb?KM>eXhA%-#$Nl;+pd7UHuxiW(E82P4m_)j5>Gx`1JehWx*zb2(vFN)wLe888jFe
E0E(6=<NyEw
literal 0
HcmV?d00001
diff --git a/t/changes/changes-file-missing-upstream-signature.tags b/t/changes/changes-file-missing-upstream-signature.tags
new file mode 100644
index 000000000..9d6cf4b7f
--- /dev/null
+++ b/t/changes/changes-file-missing-upstream-signature.tags
@@ -0,0 +1 @@
+FIXME
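Review bot: The expected-tags file holds the placeholder `FIXME` instead of the output line for `signing-key-without-upstream-signature`, so this test cannot pass until it lists the tag in the project's `.tags` format (copy the line shape from a neighbouring `t/changes/*.tags` file). Once the tag call in checks/changes-file.pm is fixed, running the test and pasting its actual output here would also confirm that the detail field is just the tarball name.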
--
2.13.2