the upstream changelog for a full description of the semantics.
Based on a patch by Matt Zimmerman. Closes: #48711
the .dsc when building. This also normalizes the
fields.
+2005-10-03 Matt Zimmerman <mdz@debian.org>,
+ Frank Lichtenheld <djpig@debian.org>
+
+ * scripts/dpkg-source.pl: If gpg is installed, check
+ the signature of the .dsc file before unpacking.
+ Allow the unpacking to suceed if the .dsc is unsigned
+ but error out if the signature is bad. If gpg exits
+ with a code >2 (e.g. missing key), show the user the gpg
+ output but continue.
+
2005-10-03 Frank Lichtenheld <djpig@debian.org>
* scripts/dpkg-source.pl: Try to chown files extracted from
* Let dpkg-source -b check the build relation fields before
putting them into the .dsc. As a side effect they also
get normalized. Closes: #254449
+ * Check the gpg signatures of .dsc files before unpacking. See
+ the upstream changelog for a full description of the semantics.
+ Based on a patch by Matt Zimmerman. Closes: #48711
--
}
exit(0);
-} else {
+} else { # -> opmode ne 'build'
$sourcestyle =~ y/X/p/;
$sourcestyle =~ m/[pun]/ ||
! -e $newdirectory || &error("unpack target exists: $newdirectory");
}
+ my $is_signed = 0;
+ open(DSC,"< $dsc") || &error("cannot open .dsc file $dsc: $!");
+ while (<DSC>) {
+ next if /^\s*$/o;
+ $is_signed = 1 if /^-----BEGIN PGP SIGNED MESSAGE-----$/o;
+ last;
+ }
+ close(DSC);
+
+ if ($is_signed) {
+ if (-x '/usr/bin/gpg') {
+ my $gpg_command = 'gpg -q --verify '.quotemeta($dsc).' 2>&1';
+ my @gpg_output = `$gpg_command`;
+ my $gpg_status = $? >> 8;
+ if ($gpg_status) {
+ print STDERR join("",@gpg_output);
+ &error("failed to verify signature on $dsc")
+ if ($gpg_status == 1);
+ }
+ } else {
+ &warn("could not verify signature on $dsc since gpg isn't installed");
+ }
+ } else {
+ &warn("extracting unsigned source package ($dsc)");
+ }
+
open(CDATA,"< $dsc") || &error("cannot open .dsc file $dsc: $!");
&parsecdata('S',-1,"source control file $dsc");
close(CDATA);
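Review bot: The exit-status handling at `my $gpg_status = $? >> 8;` turns a gpg that died from a signal into a successful verification, because `$?` then holds only the signal number and the shifted value is 0, so the `if ($gpg_status)` branch and its `&error` are skipped and the package is unpacked as if the signature were good; a failed exec (`$? == -1`) likewise lands in the "show output but continue" path. Test the raw status instead, e.g. `if ($? != 0) {` followed by `&error("failed to verify signature on $dsc") if ($? == -1 || ($? & 127) || ($? >> 8) == 1);`, so only the documented "exit code >2" case continues. The `-x '/usr/bin/gpg'` guard also does not match the command actually run, which is a bare `gpg` resolved through PATH; using `'/usr/bin/gpg -q --verify '` in `$gpg_command` keeps the check and the invocation on the same binary. The new `open(DSC,"< $dsc")` repeats the file's existing two-argument form, where a filename containing leading whitespace or mode characters changes how it is opened; `open(DSC, '<', $dsc)` avoids that and matches the later `open(CDATA,...)` which could be changed the same way. The enclosing `else` block of the opmode check continues past the end of this hunk.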