author | Guillem Jover <guillem@debian.org> | 2014-10-14 20:05:54 +0200 |
---|---|---|
committer | Guillem Jover <guillem@debian.org> | 2014-10-23 01:56:02 +0200 |
commit | c5aa5d8e00d076a4ca4b35ab8f2a3eb082bb6cd5 (patch) | |
tree | 2f54dd5cf28ed6684a3375fe6fdffb6266bdcc03 /scripts | |
parent | 9ee62ecfc8937f24a82805a424564997042dd984 (diff) | |
Dpkg::Source::Package::V2: Allow detached upstream signatures
Upstream tarballs usually come with detached signatures, which would be
useful to have in the source package, as an additional check that could
be performed to verify its integrity and provenance.
For now just allow the detached signatures to be listed in the file
fields in the source control file (.dsc).
Closes: #759478
Suggested-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/Dpkg/Source/Package/V2.pm | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/scripts/Dpkg/Source/Package/V2.pm b/scripts/Dpkg/Source/Package/V2.pm
index cd8354b91..14e7a55f4 100644
--- a/scripts/Dpkg/Source/Package/V2.pm
+++ b/scripts/Dpkg/Source/Package/V2.pm
@@ -116,16 +116,23 @@ sub do_extract {
 my $basenamerev = $self->get_basename(1);
 my ($tarfile, $debianfile, %addonfile, %seen);
+ my ($tarsign, %addonsign);
 my $re_ext = compression_get_file_extension_regex();
 foreach my $file ($self->get_files()) {
- (my $uncompressed = $file) =~ s/\.$re_ext$//;
- error(_g('duplicate files in %s source package: %s.*'), 'v2.0',
+ my $uncompressed = $file;
+ $uncompressed =~ s/\.$re_ext$/.*/;
+ $uncompressed =~ s/\.$re_ext\.asc$/.*.asc/;
+ error(_g('duplicate files in %s source package: %s'), 'v2.0',
 $uncompressed) if $seen{$uncompressed};
 $seen{$uncompressed} = 1;
 if ($file =~ /^\Q$basename\E\.orig\.tar\.$re_ext$/) {
 $tarfile = $file;
+ } elsif ($file =~ /^\Q$basename\E\.orig\.tar\.$re_ext\.asc$/) {
+ $tarsign = $file;
 } elsif ($file =~ /^\Q$basename\E\.orig-([[:alnum:]-]+)\.tar\.$re_ext$/) {
 $addonfile{$1} = $file;
+ } elsif ($file =~ /^\Q$basename\E\.orig-([[:alnum:]-]+)\.tar\.$re_ext\.asc$/) {
+ $addonsign{$1} = $file;
 } elsif ($file =~ /^\Q$basenamerev\E\.debian\.tar\.$re_ext$/) {
 $debianfile = $file;
 } else {
@@ -137,6 +144,18 @@ sub do_extract {
 unless ($tarfile and $debianfile) {
 error(_g('missing orig.tar or debian.tar file in v2.0 source package'));
 }
+ if ($tarsign and $tarfile ne substr $tarsign, 0, -4) {
+ error(_g('mismatched orig.tar %s for signature %s in source package'),
+ $tarfile, $tarsign);
+ }
+ foreach my $name (keys %addonsign) {
+ error(_g('missing addon orig.tar for signature %s in source package'),
+ $addonsign{$name})
+ if not exists $addonfile{$name};
+ error(_g('mismatched addon orig.tar %s for signature %s in source package'),
+ $addonfile{$name}, $addonsign{$name})
+ if $addonfile{$name} ne substr $addonsign{$name}, 0, -4;
+ }
 erasedir($newdirectory);
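Review bot: In the first hunk, `$uncompressed` no longer holds an uncompressed file name: after the two substitutions it is a glob-like key (`name.orig.tar.*` or `name.orig.tar.*.asc`) that serves both as the `%seen` duplicate key and as the text printed in the error. A comment above the substitutions would make that explicit, for example `# Collapse the compression extension to ".*" so that two compressions of the same tarball (or of its signature) are reported as duplicates.`. Renaming the variable to something like `$pattern` would also stop the name from misleading. The loop body and do_extract continue outside the hunk.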
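Review bot: The checks added in the second hunk only pair each `.asc` file name with its tarball name; nothing in the visible lines verifies a signature, so a source package that lists one is no better authenticated than one that does not. The commit message says this is deliberate for now, and a comment above `if ($tarsign and ...)` would record it, for example `# Only file names are paired here; the detached signatures are not verified.`. Both comparisons depend on `substr $tarsign, 0, -4` being parsed as a list operator to the right of `ne`, which `substr($tarsign, 0, -4)` and `substr($addonsign{$name}, 0, -4)` would make unambiguous. The second `error()` in the loop reads `$addonfile{$name}` and so relies on the first `error()` not returning, which is presumably the case but is not visible here. do_extract starts and ends outside the hunk.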