
Bug#964971: lintian: please consider new check: expired keys in debian/upstream/signing-key.asc



Axel Beckert wrote...

> That might be something for lintian-brush once a lintian check is
> there. Cc'ing Jelmer, the author of lintian-brush.

What's the status of that story? I hacked a few lines together that work at
least for the case where I encountered the problem. But it's fairly
fragile since parsing textual output is bad. It was way better to
*omit* --list-packets in the gpg invocation since then the output is by
definition machine-readable (and there is an "Expired!" alert on stderr
for free). Also upstream warns the output of --list-packets "may change
with new releases."

    Christoph
--- /usr/share/lintian/checks/debian/upstream/signing-key.pm
+++ /usr/share/lintian/checks/debian/upstream/signing-key.pm
@@ -122,15 +122,20 @@
 
             # look for third-party signatures
             my @thirdparty;
+            my $expired;
             for my $packet (@packets) {
 
                 my $header = $packet->[0];
+                my $body = $packet->[1];
                 if ($header =~ qr/^:signature packet: algo \d+, keyid (\S*)$/){
 
                     my $signatory = $1;
                     push(@thirdparty, $signatory)
                       unless $signatory eq $keyid;
                 }
+                if ($body =~ qr/ expires 0/) {
+                    $expired = 1;
+                }
             }
 
             # signatures by parties other than self
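Review bot: The ` expires 0` test on `$body` runs against every packet, unlike the signature test just above it, which first matches `$header`, and `$packet->[1]` is used without checking that it is defined. Restrict the match to key packets via `$header`, guard it with `defined $body`, and add a comment stating what ` expires 0` denotes in the gpg output; the pattern is an unanchored substring that also matches longer values starting with 0, and `$expired` does not record which key matched.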
@@ -141,6 +146,9 @@
                 $key_name,
                 "has $extrasignatures extra signature(s) for keyid $keyid")
               if $extrasignatures;
+            $self->hint('public-upstream-key-expired',
+                $key_name,'has expired keys')
+              if $expired;
         }
     }
 
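Review bot: The context string 'has expired keys' in the new `hint` call names no key, while the neighbouring extra-signatures hint includes `$keyid`; carry the key id of each expired key so the maintainer can tell which one to refresh. Also add a space after the comma in `$key_name,'has expired keys'` to match the call above it.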
Tag: public-upstream-key-expired
Severity: info
Check: debian/upstream/signing-key
See-Also: uscan(1)
Explanation: The source package contains a public upstream signing key that
 contains at least one key that has expired.
 .
 Please obtain the correct key from upstream.
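
The machine-readable route mentioned in the message, sketched as an added example (not lintian's code and not part of the patch above). It assumes the key listing is produced in gpg's colon-delimited format (`--with-colons`), which the page does not show; the sample records and the function name `expired_keyids` are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of a colon-delimited key listing (not real keys).
# Record fields per GnuPG doc/DETAILS: 1 = record type, 2 = validity,
# 5 = key ID, 7 = expiration date (empty when the key does not expire).
my @sample = (
    'pub:e:4096:1:AAAAAAAAAAAAAAAA:1262304000:1420070400::-:::sc:',
    'uid:e::::1262304000::::Constructed Upstream <upstream@example.org>:',
    'sub:e:4096:1:BBBBBBBBBBBBBBBB:1262304000:1420070400:::::e:',
    'pub:-:255:22:CCCCCCCCCCCCCCCC:1577836800:::-:::scESC:',
    'sub:-:255:18:DDDDDDDDDDDDDDDD:1577836800:4102444800:::::e:',
);

# Return the key IDs of all expired primary keys and subkeys.
sub expired_keyids {
    my ($now, @lines) = @_;
    my @expired;
    for my $line (@lines) {
        # Limit -1 keeps trailing empty fields.
        my @f = split(/:/, $line, -1);
        next unless @f >= 7 && $f[0] =~ /^(?:pub|sub)$/;
        my ($validity, $keyid, $expires) = @f[1, 4, 6];

        # gpg marks keys it considers expired with validity "e"; compare
        # the timestamp as well so the result does not rest on that flag.
        # Only epoch-seconds timestamps are handled here.
        my $by_flag = $validity eq 'e';
        my $by_date = $expires =~ /^\d+$/ && $expires <= $now;
        push(@expired, $keyid) if $by_flag || $by_date;
    }
    return @expired;
}

# Prints the two constructed expired key IDs (AAAA... and BBBB...).
print "expired: $_\n" for expired_keyids(time, @sample);
```

Returning the key IDs rather than a single flag lets a hint name the key that needs refreshing.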
