Package: dgit
Version: 10.7
Severity: normal

This looks like a rare corner case, but currently when executing "dgit push-source --overwrite" in my dgit-enabled repo, the gpg signing will fail. Example:

================================================
[~/src/debian/debian/a2ps] [dgit/sid]
-> % LC_ALL=C dgit push-source --overwrite
Format `3.0 (quilt)', need to check/update patch stack
canonical suite name for unstable is sid
examining quilt state (multiple patches, linear mode)
dgit: base trees orig=4a009d596d191de47129 o+d/p=f1fc1e16b704bfe79d25
dgit: quilt differences: src: ## orig ## gitignores: == orig ==
dgit: quilt differences: HEAD == o+d/p HEAD == o+d/p
starting quiltify (multiple patches, linear mode)
quiltify linearisation planning successful, executing...
nothing quilty to commit, ok.
dpkg-source: info: using options from work/debian/source/options: --extend-diff-ignore=^(FAQ|doc/(a2ps.info|stamp-vti|version.texi)|man/(a2ps.1|card.1|fixps.1|pdiff.1|psmandup.1|psset.1))$
dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: verifying ./a2ps_4.15.5.orig.tar.gz.asc
dpkg-source: info: building a2ps using existing ./a2ps_4.15.5.orig.tar.gz
dpkg-source: info: building a2ps using existing ./a2ps_4.15.5.orig.tar.gz.asc
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: building a2ps in a2ps_4.15.5-1.debian.tar.xz
dpkg-source: info: building a2ps in a2ps_4.15.5-1.dsc
changelog will contain changes since 1:4.15.5-1
dpkg-genchanges: warning: 'since' option specifies most recent version '1:4.15.5-1', ignoring
dpkg-genchanges: info: including full source code in upload
last upload to archive: NO git hash
using existing a2ps_4.15.5.orig.tar.gz
using existing a2ps_4.15.5.orig.tar.gz.asc
using existing a2ps_4.15.5-1.debian.tar.xz
dpkg-source: info: extracting a2ps in a2ps-4.15.5
dpkg-source: info: unpacking a2ps_4.15.5.orig.tar.gz
dpkg-source: info: unpacking a2ps_4.15.5-1.debian.tar.xz
synthesised git commit from .dsc 1:4.15.5-1
nothing quilty to commit, ok.
Checking package changelog for archive version 1:4.15.5-1 ...
checking that a2ps_4.15.5-1.dsc corresponds to HEAD
dpkg-source: warning: extracting unsigned source package (/home/hosiet/src/debian/debian/a2ps/../a2ps_4.15.5-1.dsc)
dpkg-source: info: extracting a2ps in a2ps-4.15.5
dpkg-source: info: unpacking a2ps_4.15.5.orig.tar.gz
dpkg-source: info: unpacking a2ps_4.15.5-1.debian.tar.xz
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: applying 06-encoding.diff
dpkg-source: info: applying etcmakefile.-pass-arguments-to-date-to-s.patch
dpkg-source: info: applying doca2ps.texi-remove-dates-from-generated.patch
edited .changes for archive .orig contents: removed a2ps_4.15.5.orig.tar.gz
edited .changes for archive .orig contents: removed a2ps_4.15.5.orig.tar.gz.asc
gpg: skipped "Boyuan Yang <by...@debian.org>": No secret key
gpg: signing failed: No secret key
dgit: failed command: gpg --detach-sign --armor -u 'Boyuan Yang <by...@debian.org>' /home/hosiet/src/debian/debian/a2ps/.git/dgit/tag.tmp
dgit: error: subprocess failed with error exit status 2
! Push failed, while signing the tag.
! You can retry the push, after fixing the problem, if you like.
=======================================================

Obviously dgit is trying to invoke gpg using the following argument:

    gpg --detach-sign -u '$DEBFULLNAME <$DEBEMAIL>' /path/to/file

However, my gpg key has a comment section:

-> % LC_ALL=C gpg --list-secret-keys
/home/hosiet/.gnupg/pubring.kbx
-------------------------------
sec rsa4096 2016-11-10 [SC] [expires: 2034-03-14]
    7E7729476D87D6F11D91ACCBC293E7B461825ACE
uid [ultimate] Boyuan Yang (Debian Project) <by...@debian.org>
uid [ultimate] Boyuan Yang <073p...@gmail.com>
uid [ultimate] Yang, Boyuan (University of Pittsburgh) <by.y...@pitt.edu>
ssb rsa4096 2016-11-10 [E] [expires: 2034-03-13]

Which means that -u '$DEBFULLNAME <$DEBEMAIL>' will fail, and only invoking -u '$DEBFULLNAME ($GPG_COMMENT) <$DEBEMAIL>' will succeed:

==================================
-> % LC_ALL=C gpg --sign -u 'Boyuan Yang <by...@debian.org>' ChangeLog ; echo $?
gpg: skipped "Boyuan Yang <by...@debian.org>": No secret key
gpg: signing failed: No secret key
2
-> % LC_ALL=C gpg --sign -u 'Boyuan Yang (Debian Project) <by...@debian.org>' ChangeLog ; echo $?
0
=================================

Can we make the invocation to gpg more robust? Or, can we allow using some environment variable to provide the gpg key fingerprint used for signature? If there is indeed such a config option somewhere, please let me know.

Thanks!

Best,
Boyuan Yang
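
Added example, not part of the original report and not dgit's code: a sketch of why the 'Name <address>' selector misses a user ID that carries a comment, and how the same maintainer string can be resolved to a key fingerprint by its address instead. The key listing is constructed sample data, the function names are hypothetical, and substring_match is a simplified model of GnuPG's documented default (a selector with no prefix is a case-insensitive substring match on the user ID).

```python
import re

# Constructed sample of `gpg --list-secret-keys --with-colons` output
# (fingerprints, key IDs and addresses are made up for this example).
SAMPLE_LISTING = """\
sec:u:4096:1:89ABCDEF01234567:1478736000:2026000000::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1478736000::1111111111111111111111111111111111111111::Alice Example (Debian Project) <alice@debian.example>::::::::::0:
uid:u::::1478736000::2222222222222222222222222222222222222222::Alice Example <alice@mail.example>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1478736000:2026000000:::::e:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""

def parse_secret_keys(listing):
    """Return {primary fingerprint: [user IDs]} from a --with-colons listing."""
    keys, current, want_primary_fpr = {}, None, False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "sec":
            want_primary_fpr = True          # the next fpr record is the primary key's
        elif f[0] == "fpr" and want_primary_fpr:
            current, want_primary_fpr = f[9], False
            keys[current] = []
        elif f[0] == "uid" and current:
            keys[current].append(f[9])       # field 10 holds the user ID string
    return keys

def substring_match(keys, spec):
    """Simplified model of gpg's default selector: substring of a user ID."""
    return [fpr for fpr, uids in keys.items()
            if any(spec.lower() in uid.lower() for uid in uids)]

def fingerprint_for(keys, maintainer):
    """Resolve 'Name <addr>' to a fingerprint by exact address, ignoring comments."""
    m = re.search(r"<([^<>]+)>", maintainer)
    if not m:
        raise ValueError("no <address> in %r" % maintainer)
    addr = m.group(1).lower()
    hits = [fpr for fpr, uids in keys.items()
            if any(uid.lower().endswith("<%s>" % addr) for uid in uids)]
    if len(hits) != 1:                       # refuse to guess between several keys
        raise LookupError("%d secret keys match <%s>" % (len(hits), addr))
    return hits[0]
```

A fingerprint returned this way can be given to gpg -u, which selects the key regardless of any comment in its user IDs.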