Package: devscripts
Version: 2.25.15
Severity: serious
File: /usr/bin/uscan
X-Debbugs-Cc: wa...@debian.org, uklei...@debian.org
Hello,

the linux-kernel packages suffer from upstream still relying on SHA-1 in their OpenPGP keys. This makes uscan fail to provide the orig.tar.xz (as expected) when sopv is used to verify the download:

    uwe@taurus:~/debpkg/linux$ uscan --download-current-version
    uscan warn: Using stable remote origin
    Newest version of linux on remote site is 6.16~rc5, specified download version is 6.16~rc5
    No acceptable signatures found
    uscan: error: sopv verify /tmp/tmp.YLvUuQ1SxZ/sig debian/upstream/signing-key.asc subprocess returned exit status 3

However, uscan keeps ../linux-6.16~rc5.tar.xz after that, which makes the next uscan run succeed even though the signature check didn't pass:

    uwe@taurus:~/debpkg/linux$ uscan --download-current-version
    uscan warn: Using stable remote origin
    Newest version of linux on remote site is 6.16~rc5, specified download version is 6.16~rc5
    uscan warn: File already downloaded, skipping OpenPGP verification
    Successfully repacked ../linux-6.16~rc5.tar.xz as ../linux_6.16~rc5.orig.tar.xz, deleting 28 files from it.

Without `--skip-signature` this must not happen and the warning isn't enough. The obvious fixes would be to either put linux-6.16~rc5.tar.xz into a tmpfile only (i.e. under a different name) until signature verification passed; or to not skip the verification in the 2nd run.

Best regards
Uwe
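The two fixes proposed in the report, sketched as an added shell example that is not uscan's or devscripts' code: the download is kept under a temporary name next to the destination and only renamed into place after the signature check passes, and an already-present file on a re-run is verified again instead of being trusted. It assumes a verifier with sopv's `verify SIG CERT < DATA` interface that exits 0 only on a good signature; the VERIFY_CMD override is a hypothetical hook, used here only so the logic can be exercised without a real OpenPGP toolchain.

```shell
#!/bin/sh
# Added example, not uscan's or devscripts' code: keep the tarball under a
# temporary name until the OpenPGP check passes, and re-verify (rather than
# trust) a file that already exists from an earlier run.
#
# Assumptions: the verifier follows sopv's "verify SIG CERT < DATA" interface
# and exits 0 only on a good signature. VERIFY_CMD is a hypothetical override
# so the logic can be exercised without a real OpenPGP toolchain.

# fetch_and_verify DEST SIG KEY FETCH_CMD [ARGS...]
# FETCH_CMD writes the tarball to stdout. DEST only ever appears on disk after
# verification succeeded; a download with no acceptable signature leaves
# nothing behind for a later run to pick up.
fetch_and_verify() {
    dest=$1 sig=$2 key=$3
    shift 3
    # tempfile beside the destination, so the final mv is a same-directory rename
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if ! "$@" > "$tmp"; then
        echo "download failed; discarding $tmp" >&2
        rm -f "$tmp"
        return 1
    fi
    if ${VERIFY_CMD:-sopv verify} "$sig" "$key" < "$tmp"; then
        mv "$tmp" "$dest"
        return 0
    fi
    echo "no acceptable signature for $dest; discarding download" >&2
    rm -f "$tmp"
    return 3   # same exit status sopv reports for "no acceptable signatures"
}

# reuse_or_fetch DEST SIG KEY FETCH_CMD [ARGS...]
# On a re-run an existing DEST is a candidate, not proof of an earlier good
# check: it is verified again and refused if the signature does not check out.
reuse_or_fetch() {
    dest=$1 sig=$2 key=$3
    shift 3
    if [ -e "$dest" ]; then
        if ${VERIFY_CMD:-sopv verify} "$sig" "$key" < "$dest"; then
            echo "reusing already downloaded $dest (signature verified)" >&2
            return 0
        fi
        echo "existing $dest fails signature verification; not reusing it" >&2
        return 3
    fi
    fetch_and_verify "$dest" "$sig" "$key" "$@"
}
```

With the default, a call looks like `fetch_and_verify ../linux-6.16~rc5.tar.xz /tmp/sig debian/upstream/signing-key.asc curl -fsSL "$URL"`. The tempfile is created in the destination's directory so that the final step is a rename rather than a copy, which avoids a window in which a partially written or unverified file exists under the name a later run would accept.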