Control: tags -1 -patch
On Mon, Jul 22, 2019 at 05:48:13PM +0100, James Clarke wrote:
> On 22 Jul 2019, at 17:16, Agustin Martin <agmar...@debian.org> wrote:
> > However, when using pdebuild --auto-debsign to sign files, only .changes
> > file is signed, but not its _source.changes counterpart, which is the file
> > I would have to upload. This results in pbuilder not creating properly
> > uploadable packages once source-only uploads are mandatory for bullseye.
> > This is why I use severity "important".
...
> >
> > Attached patch tries to make sure both .changes and _source.changes files
> > are signed with --auto-debsign.
Hi, James, thanks for que quick reply.
> This will only sign _source.changes, overriding _arch.changes, unlike what
> your
> commit message says.
You are right, I was convinced that _arch.changes was actually signed right
before _source.changes, but it was actually buildinfo. And I actually did
read the code really wrong, my fault. Did it very quickly and missed it was
an assignation. Shame on me :-(
> I don't particularly like --auto-debsign as a maintainer workflow, I feel like
> `debsign -S` (little-known fact: run that in the source directory and it will
> find the changes file in ../ automatically) should be an explicit step once
> you
> have checked your upload, but if people want to use the option then that's up
> to them.
Thanks for the suggestion
> I think the most sensible thing to do here is to automatically sign
> only the _source.changes, like this patch actually does (though you can remove
> your outer if condition, it's pointless), but with the correct commit message,
> because if you intend to upload the _arch.changes then why are you bothering
> to
> build a _source.changes too?
That depends on where you are uploading your packages. For Debian, just
_source.changes is needed, but I keep a personal repo where I upload the
.deb files, and I keep track of integrity through _arch.changes files.
Others may do something similar. That is the reason why I prefer a single
buildchain whose result is valid for all cases, depending on what .changes
file is used.
However, I tried more approaches and the conclusion is that, unless I am
missing something, you are right. The sensible thing seeems to be that
"pdebuild --auto-debsign" should, with SOURCE_ONLY_CHANGES=yes, sign only
_source.changes file. Do it as you prefer, changing the check ordering in
the original pdebuild AUTO_DEBSIGN section together with checking for
SOURCE_ONLY_CHANGES=yes should also work and is probably simpler than my
original patch.
For curiosity, the details of what I tried go below.
I modified the patch to make sure both _{arch,source}.changes files are
signed, in two different debsign calls, but a new problem appears, each call
tries to sign .buildinfo files and second one asks user whether to use
current signature. Accepting seems to give a good result, but this is
definitely not something for a normal user, who will find it very
confusing.
While I am attaching current patch for curiosity, I am removing the patch
tag, since I think this is not for actual use.
Thanks for your work in pbuilder,
Best regards,
--
Agustin
>From ea0c8eb50427f1af955a7a1c4e81c802d075ea4c Mon Sep 17 00:00:00 2001
From: Agustin Martin Domingo <agmar...@debian.org>
Date: Tue, 23 Jul 2019 11:32:09 +0200
Subject: [PATCH] pdebuild: DO NOT USE Play with Sign both .changes and
_source.changes files if present.
When SOURCE_ONLY_CHANGES=yes is set in .pbuilderrc both .changes and
_source.changes files will be created.
However, the _source.changes file will only be signed if no .changes
is present.
This patch should make pdebuild sign both if present. However, this
triggers a problem, user is asked whether to reuse current key for
buildinfo, and while accepting gives a good result, process is
confusing and NOT SUITABLE FOR GENERAL USE.
---
pdebuild | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/pdebuild b/pdebuild
index 7d5f5ed..94df5b2 100644
--- a/pdebuild
+++ b/pdebuild
@@ -113,13 +113,19 @@ if [ "${AUTO_DEBSIGN}" = "yes" ]; then
if [ -n "${DEBSIGN_KEYID}" ]; then
DEBSIGN_PARAM[1]="-k${DEBSIGN_KEYID}"
fi
+ unset DEBSIGN_HAS_CHFILES || true
if [ -f "${BUILDRESULT}/${CHANGES}" ]; then
DEBSIGN_PARAM[2]="${BUILDRESULT}/${CHANGES}"
- elif [ -f "${BUILDRESULT}/${SOURCE_CHANGES}" ]; then
+ DEBSIGN_HAS_CHFILES="ok"
+ debsign "${DEBSIGN_PARAM[@]}"
+ fi
+ if [ -f "${BUILDRESULT}/${SOURCE_CHANGES}" ]; then
DEBSIGN_PARAM[2]="${BUILDRESULT}/${SOURCE_CHANGES}"
- else
- log.e "the .changes file can't be found, debsign not done"
+ DEBSIGN_HAS_CHFILES="ok"
+ debsign "${DEBSIGN_PARAM[@]}"
+ fi
+ if [ -z ${DEBSIGN_HAS_CHFILES} ]; then
+ log.e "the _{arch,source}.changes file(s) can't be found, debsign not done"
exit 1
fi
- debsign "${DEBSIGN_PARAM[@]}"
fi
--
2.22.0
