Debian Bug report logs - #862059
sbuild: please sign buildinfo files

Package: sbuild; Maintainer for sbuild is sbuild maintainers <sbuild@packages.debian.org>; Source for sbuild is src:sbuild.

Reported by: Steven Chamberlain <stevenc@debian.org>

Date: Sun, 7 May 2017 22:21:01 UTC

Severity: normal

Tags: patch

Found in version sbuild/0.73.0-4

Done: Ximin Luo <infinity0@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, stevenc@debian.org, reproducible-builds@lists.alioth.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#862059; Package sbuild. (Sun, 07 May 2017 22:21:04 GMT)


Acknowledgement sent to Steven Chamberlain <stevenc@debian.org>:
New Bug report received and forwarded. Copy sent to stevenc@debian.org, reproducible-builds@lists.alioth.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Sun, 07 May 2017 22:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steven Chamberlain <stevenc@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sbuild: please sign buildinfo files
Date: Sun, 07 May 2017 23:20:14 +0100
Package: sbuild
Version: 0.73.0-4
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: infrastructure

Hello,

dpkg-buildpackage typically generates a .changes and .buildinfo file,
and signs both (since at least dpkg 1.18.19).

But when using sbuild, dpkg-buildpackage inside of the build chroot does
not do the signing, but rather sbuild signs the .changes file afterward.

Please could that code be updated to also sign the .buildinfo (if one
was created).

I have not tested the attached patch (yet?) but it explains the issue at
least.  Here is typical output where only the .changes file gets signed:

> ────────────────────────────────────────────────────────────────────────────────
> Finished at 20170314-2338
> Build needed 00:00:43, 5660k disc space
> Signature with key 'F2F4A5FC' requested:
>  signfile /home/buildd/build/hello_2.10-1+b1_amd64.changes F2F4A5FC
> 
> Successfully signed changes file

The relevance/importance of this is that official Debian package builds
produce .buildinfo files now, and dak archives them, but they are not
being signed yet.

Thanks!

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: kfreebsd-amd64 (x86_64)

Kernel: kFreeBSD 10.1-0-amd64
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
[sbuild.diff (text/x-diff, attachment)]

Reply sent to Ximin Luo <infinity0@debian.org>:
You have taken responsibility. (Tue, 03 Oct 2017 13:27:06 GMT)


Notification sent to Steven Chamberlain <stevenc@debian.org>:
Bug acknowledged by developer. (Tue, 03 Oct 2017 13:27:07 GMT)


Message #10 received at 862059-done@bugs.debian.org:

From: Ximin Luo <infinity0@debian.org>
To: 862059-done@bugs.debian.org
Subject: Re: sbuild: please sign buildinfo files
Date: Tue, 03 Oct 2017 13:25:00 +0000
Control: notfound -1 0.73.0-4

As far as I can tell, this is now being done by the buildds, e.g.:

https://buildd.debian.org/status/fetch.php?pkg=ocaml&arch=s390x&ver=4.05.0-9&stamp=1505496209&raw=0
[..]
Signature with key '602C42E7' requested:
 signfile buildinfo /home/buildd/build/ocaml_4.05.0-9_s390x.buildinfo 602C42E7

 fixup_changes buildinfo /home/buildd/build/ocaml_4.05.0-9_s390x.buildinfo /home/buildd/build/ocaml_4.05.0-9_s390x.changes
 signfile changes /home/buildd/build/ocaml_4.05.0-9_s390x.changes 602C42E7

Successfully signed buildinfo, changes files

Possibly all that was required was to use a newer version of debsign from devscripts that does this by default. So, closing this bug and marking as "not a bug".

X

On Sun, 07 May 2017 23:20:14 +0100 Steven Chamberlain <stevenc@debian.org> wrote:
> Package: sbuild
> Version: 0.73.0-4
> Tags: patch
> User: reproducible-builds@lists.alioth.debian.org
> Usertags: infrastructure
> 
> Hello,
> 
> dpkg-buildpackage typically generates a .changes and .buildinfo file,
> and signs both (since at least dpkg 1.18.19).
> 
> But when using sbuild, dpkg-buildpackage inside of the build chroot does
> not do the signing, but rather sbuild signs the .changes file afterward.
> 
> Please could that code be updated to also sign the .buildinfo (if one
> was created).
> 
> I have not tested the attached patch (yet?) but it explains the issue at
> least.  Here is typical output where only the .changes file gets signed:
> 
> > ────────────────────────────────────────────────────────────────────────────────
> > Finished at 20170314-2338
> > Build needed 00:00:43, 5660k disc space
> > Signature with key 'F2F4A5FC' requested:
> >  signfile /home/buildd/build/hello_2.10-1+b1_amd64.changes F2F4A5FC
> > 
> > Successfully signed changes file
> 
> The relevance/importance of this is that official Debian package builds
> produce .buildinfo files now, and dak archives them, but they are not
> being signed yet.
> 
> Thanks!
> 
> -- System Information:
> Debian Release: stretch/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: kfreebsd-amd64 (x86_64)
> 
> Kernel: kFreeBSD 10.1-0-amd64
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: sysvinit (via /sbin/init)

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
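
The two build-log excerpts quoted in this bug differ in whether a `signfile buildinfo` step appears and in the order of the steps around it. As an added example (not part of the bug log, sbuild or debsign), the following audits a log for both; `audit_signing` is a hypothetical name and the two sample logs are copied from the messages above.

```python
import re

# Line shapes taken from the two log excerpts in this bug:
#   older:  " signfile <path> <keyid>"          (kind inferred from extension)
#   newer:  " signfile <kind> <path> <keyid>"
SIGNFILE = re.compile(r"^\s*signfile\s+(?:(\w+)\s+)?(\S+)\s+([0-9A-Fa-f]+)\s*$")
FIXUP = re.compile(r"^\s*fixup_changes\s+(\w+)\s+(\S+)\s+(\S+)\s*$")

OLD_LOG = """\
Signature with key 'F2F4A5FC' requested:
 signfile /home/buildd/build/hello_2.10-1+b1_amd64.changes F2F4A5FC

Successfully signed changes file
"""

NEW_LOG = """\
Signature with key '602C42E7' requested:
 signfile buildinfo /home/buildd/build/ocaml_4.05.0-9_s390x.buildinfo 602C42E7

 fixup_changes buildinfo /home/buildd/build/ocaml_4.05.0-9_s390x.buildinfo /home/buildd/build/ocaml_4.05.0-9_s390x.changes
 signfile changes /home/buildd/build/ocaml_4.05.0-9_s390x.changes 602C42E7

Successfully signed buildinfo, changes files
"""

def audit_signing(log_text):
    """Return (signed, problems); signed maps file kind -> path."""
    events = []  # ordered (op, kind, path)
    for line in log_text.splitlines():
        if m := SIGNFILE.match(line):
            kind, path, _key = m.groups()
            events.append(("sign", kind or path.rsplit(".", 1)[-1], path))
        elif m := FIXUP.match(line):
            events.append(("fixup", m.group(1), m.group(2)))
    signed = {kind: path for op, kind, path in events if op == "sign"}
    problems = []
    if "changes" in signed and "buildinfo" not in signed:
        problems.append("changes signed, buildinfo unsigned")
    elif "changes" in signed:
        # Signing rewrites the .buildinfo, so its checksum entry in .changes
        # must be refreshed before .changes itself is signed.
        order = [(op, kind) for op, kind, _ in events]
        want = [("sign", "buildinfo"), ("fixup", "buildinfo"), ("sign", "changes")]
        idx = [order.index(w) if w in order else -1 for w in want]
        if -1 in idx or idx != sorted(idx):
            problems.append("buildinfo not signed and re-hashed before changes")
    return signed, problems

if __name__ == "__main__":
    for name, log in (("old", OLD_LOG), ("new", NEW_LOG)):
        print(name, audit_signing(log))
```
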



Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#862059; Package sbuild. (Wed, 04 Oct 2017 16:03:03 GMT)


Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Wed, 04 Oct 2017 16:03:03 GMT)


Message #15 received at 862059@bugs.debian.org:

From: Steven Chamberlain <steven@pyro.eu.org>
To: 862059@bugs.debian.org
Cc: infinity0@debian.org
Subject: Re: Bug#862059 closed by Ximin Luo <infinity0@debian.org> (Re: sbuild: please sign buildinfo files)
Date: Wed, 4 Oct 2017 16:33:39 +0100
Hi Ximin,

Thanks for figuring this out.  Indeed the recent buildinfos are being
signed but I didn't yet figure out how/why.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 02 Nov 2017 07:27:36 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 13:59:47 2023; Machine Name: buxtehude
