0003275: Sign tarball releases with OpenPGP keys

Notes
(0018406) WubTheCaptain (reporter) 2017-09-27 22:55 edited on: 2017-09-27 23:03	From a Debian maintainer's perspective, OpenPGP signatures are optionally used for quality control and maintenance with the uscan utility. Emphasis that this is completely optional to both the software and Debian maintainer. (Debian Policy Manual v4.1.0.0, section 4.11.)

(0019474) WubTheCaptain (reporter) 2018-09-01 12:16	Can this be a target for 1.2? I'd like to know if 0003483 should be related to this ticket.

(0019699) Blzut3 (administrator) 2018-09-24 02:05	Captured generation of signatures in'https://bitbucket.org/Doomseeker/doomseeker/commits/9c0b8812f164a752f2cbbff7c6c68394c704355d [^]'

(0020014) WubTheCaptain (reporter) 2018-10-08 11:18	I'm not sure how one is supposed to test this.

(0020032) Blzut3 (administrator) 2018-10-08 20:58	Pretty much why I only tagged it as needs review. If the script spits out signature files in the format you expect (obviously with your key instead of mine) then that's enough to say this ticket is resolved.

(0020041) WubTheCaptain (reporter) 2018-10-08 21:54	I mean, the script itself doesn't provide any description of usage. I also can't read bash well, my expertise goes to POSIX sh scripts. What the heck is "Arg:7" and where/what are the args 3–6?

(0020043) WubTheCaptain (reporter) 2018-10-08 22:36	It took me a lot of guesswork from reading the lines the usage is `./makesourcepackages.sh --sign=$fingerprint`, where $fingerprint is one of GnuPG key fingerprints. This is counter-intuitive in many ways (contradicting POSIX?). Because I can't read the script with immediate clarity anyway, it'd not pass my code review but I'd kindly request a rewrite. I'm not going to do that myself, not yet at least. I still have no idea how the script works. But it does.

(0020044) WubTheCaptain (reporter) 2018-10-08 22:41 edited on: 2018-10-09 10:20	Quote from WubTheCaptain I still have no idea how the script works. But it does. Badly, if I may add. Doing the slow process of getting stuff ready before attempting signing, only to possibly error and bail out late that the key was incorrect (e.g., expired). Frustrated me at least.

(0020045) Blzut3 (administrator) 2018-10-08 23:28	I have no idea how you can't follow that script. I don't use gpg much so honestly I don't know anything about selecting keys besides that it's done with -u. But I only have one key so I just use `--sign` and be done with it. I wanted to have it show the key it was going to use, but I couldn't figure out how to have gpg just give the fingerprint of the default key. (I can easily find how to list all keys and how to set the default, but how to see the default I gave up on.) "${Arg:7}" is a substring. See bash man page. Anyways the first thing it does (line 117) is extract the versions from the CMake files. This is done by running CMake in script mode including the version definitions and having it print out the result. Nothing fancy here just using the correct tool to parse the file. Unfortunately CMake always writes to stderr so that's a little ugly. Once it has those it strips the beta tag off it using bash suffix removal of ~ and everything following. Next we use Mercurial to create a directory with the committed code ready for archiving. This prevents working copy changes from polluting the release. Heading into the create_vcs_info call: A build directory is setup and the revesion_check target is built and run in order to generate the gitinfo.h. This works since update revision modifies the source tree which previously caused builds to be non-reproducible. But since we build it here it's baked into the source tarball and not touched when the end user builds the release. We are now done with the magic and head into the most straight forward code ever: Creating two tar balls. I use tar piped into xz since I'm too lazy to figure out how to have tar do it with maximum compression. Plus it's more portable like that I guess. Lastly, if the --sign option was given sign_archive will generate gpg signatures. If this fails then it's the same as if you called no-sign except that you'll get an error in the return code. So which part of this was hard to read? "I don't understand the language you wrote it in" is not a valid reason to rewrite.

(0020049) WubTheCaptain (reporter) 2018-10-09 10:24 edited on: 2018-10-09 10:25	It is all so unconventional and non-portable, that is all.

This issue is already marked as resolved. If you feel that is not the case, please reopen it and explain why.
Supporters:	No one explicitly supports this issue yet.
Opponents:	No one explicitly opposes this issue yet.

Issue History
Date Modified	Username	Field	Change
2017-09-25 16:42	WubTheCaptain	New Issue
2017-09-25 17:37	Zalewa	Relationship added	child of 0003246
2017-09-27 22:32	WubTheCaptain	Relationship added	child of 0003279
2017-09-27 22:32	WubTheCaptain	Relationship deleted	child of 0003246
2017-09-27 22:55	WubTheCaptain	Note Added: 0018406
2017-09-27 22:56	WubTheCaptain	Note Edited: 0018406	View Revisions
2017-09-27 22:56	WubTheCaptain	Note Edited: 0018406	View Revisions
2017-09-27 23:03	WubTheCaptain	Note Edited: 0018406	View Revisions
2018-09-01 12:16	WubTheCaptain	Note Added: 0019474
2018-09-24 01:14	Blzut3	Target Version	=> 1.2
2018-09-24 01:15	Blzut3	Assigned To	=> Blzut3
2018-09-24 01:15	Blzut3	Status	new => assigned
2018-09-24 01:15	Blzut3	Relationship added	related to 0003483
2018-09-24 02:05	Blzut3	Note Added: 0019699
2018-09-24 02:05	Blzut3	Status	assigned => needs review
2018-10-01 03:34	WubTheCaptain	Status	needs review => needs testing
2018-10-01 04:05	WubTheCaptain	Relationship replaced	child of 0003483
2018-10-06 09:02	WubTheCaptain	Priority	high => normal
2018-10-08 11:18	WubTheCaptain	Note Added: 0020014
2018-10-08 20:58	Blzut3	Note Added: 0020032
2018-10-08 21:54	WubTheCaptain	Note Added: 0020041
2018-10-08 22:36	WubTheCaptain	Note Added: 0020043
2018-10-08 22:41	WubTheCaptain	Note Added: 0020044
2018-10-08 23:28	Blzut3	Note Added: 0020045
2018-10-09 10:20	WubTheCaptain	Note Edited: 0020044	View Revisions
2018-10-09 10:24	WubTheCaptain	Note Added: 0020049
2018-10-09 10:24	WubTheCaptain	Status	needs testing => resolved
2018-10-09 10:24	WubTheCaptain	Fixed in Version	=> 1.2
2018-10-09 10:24	WubTheCaptain	Resolution	open => fixed
2018-10-09 10:25	WubTheCaptain	Note Edited: 0020049	View Revisions
2018-10-27 22:53	WubTheCaptain	Status	resolved => closed