Bug#920763: lintian: orig-tarball-missing-upstream-signature interacts poorly with mode=git,pgpmode=gittag
- To: Chris Lamb <lamby@debian.org>, 920763@bugs.debian.org
- Subject: Bug#920763: lintian: orig-tarball-missing-upstream-signature interacts poorly with mode=git,pgpmode=gittag
- From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Date: Tue, 26 Feb 2019 03:04:43 -0500
- Message-id: <87sgwbm0v8.fsf@fifthhorseman.net>
- Reply-to: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 920763@bugs.debian.org
- In-reply-to: <1548750590.4098900.1645903600.28E68FCC@webmail.messagingengine.com>
- References: <154870681980.29950.12867026500568220028.reportbug@alice.fifthhorseman.net> <1548750590.4098900.1645903600.28E68FCC@webmail.messagingengine.com> <154870681980.29950.12867026500568220028.reportbug@alice.fifthhorseman.net>
Control: tags 920763 - moreinfo
Hi Chris--
On Tue 2019-01-29 09:29:50 +0100, Chris Lamb wrote:
> Probably a silly question for this time in the morning but what is
> stopping you extracting the associated signature and calling it
> $origname.asc?
the signature matches the git commit, but not the tarball. If we have a
$origname.asc i think it's expected to be verifiable via:
gpgv $origname.asc $origname
but that would pretty clearly fail.
> (If this is not possible/sensible/whatever, if Lintian essentially
> grepped debian/watch, would that be good enough?)
Ideally, lintian would verify that there exists a signed tag in the git
repo found at Vcs-Git: (from d/control), which matches the name of
upstream-tag (from d/gbp.conf), and whose contents corresponds to the
expected contents of the orig.tar.gz (presumably with a standardized
prefix). One approach would be to:
* identify the tag by its expected name
* cryptographically verify it
* extract the expected archive from the git repo via sth. like
git archive --format=tar --prefix=$pkgname-$origversion/
piped through the expected buildpackage.compression value (from d/gbp.conf)
* compare it bytewise with $origname
I suspect that will work in most cases, though i don't know whether git
has explicitly committed to a stable output for git archive
--format=tar.
If going that far is too fancy for lintian for now, then a simple grep
of d/watch would do for starters, and we could just convert this bug
report to a suggestion for future lintian enhancement.
Regards,
--dkg
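The tag-based check outlined in this message (find the tag named by upstream-tag, verify its signature, regenerate the archive with git archive and a standardized prefix, compress it with the configured buildpackage compression, and compare bytewise with the orig tarball), written out as an added example script. This is not lintian's or gbp's code and not code from this bug report; it assumes a simplified gbp.conf parser (first "key = value" line wins, sections ignored), that only the %(version)s placeholder appears in upstream-tag (gbp's tag mangling of characters such as "~" is not handled), and fixed compressor flags (gzip -n, level 9) that are an assumption, not a gbp guarantee.

```sh
#!/bin/sh
# Added example, not lintian/gbp code: verify that an orig tarball corresponds
# to a signed upstream git tag, following the steps proposed in #920763.
set -eu

# Read "key = value" from a gbp.conf-style file (first match, sections ignored).
# Assumption: real gbp.conf parsing honours sections; this is a simplification.
gbp_conf_value() {
    key=$1 file=$2
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" | head -n 1
}

# Expand the upstream-tag pattern (e.g. "upstream/%(version)s") for a version.
# Assumption: only %(version)s is substituted; gbp's character mangling is skipped.
expand_upstream_tag() {
    pattern=$1 version=$2
    printf '%s\n' "$pattern" | sed "s|%(version)s|$version|g"
}

# Map the buildpackage compression value to a streaming compressor command.
# The flags are an assumption; a bytewise comparison only succeeds when they
# match what was used to produce the orig tarball (gzip -n drops the timestamp,
# which is required for reproducible output at all).
compressor_for() {
    case $1 in
        gzip)  printf '%s\n' "gzip -9 -n" ;;
        bzip2) printf '%s\n' "bzip2 -9" ;;
        xz)    printf '%s\n' "xz -9" ;;
        lzma)  printf '%s\n' "lzma -9" ;;
        *)     return 1 ;;
    esac
}

# Verify the tag signature, regenerate the archive and compare it bytewise.
# Return codes: 0 match, 1 mismatch, 2 bad/missing signature, 3 unknown compression.
verify_orig_against_tag() {
    repo=$1 tag=$2 pkgname=$3 version=$4 comp=$5 origfile=$6
    compressor=$(compressor_for "$comp") || return 3
    # git verify-tag checks the OpenPGP signature on the tag object itself.
    git -C "$repo" verify-tag "$tag" >/dev/null 2>&1 || return 2
    # Standardized prefix so the tarball layout matches $pkgname-$version/.
    if git -C "$repo" archive --format=tar --prefix="$pkgname-$version/" "$tag" \
        | $compressor | cmp -s - "$origfile"; then
        return 0
    fi
    return 1
}

# Usage: script.sh REPO PKGNAME VERSION GBPCONF ORIGFILE
# (REPO would normally be a clone of the Vcs-Git URL from debian/control.)
if [ $# -eq 5 ]; then
    repo=$1 pkgname=$2 version=$3 gbpconf=$4 origfile=$5
    tagpattern=$(gbp_conf_value upstream-tag "$gbpconf")
    tag=$(expand_upstream_tag "${tagpattern:-upstream/%(version)s}" "$version")
    comp=$(gbp_conf_value compression "$gbpconf")
    verify_orig_against_tag "$repo" "$tag" "$pkgname" "$version" "${comp:-gzip}" "$origfile"
fi
```

The bytewise comparison is the weak point: it depends on git archive producing stable output for a given tree and on the compressor flags matching those used when the tarball was built, so a mismatch should be reported as "could not confirm" rather than as proof of tampering.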