Sanity check doesn't check sig, sign and asc files (Bug #342)


Added by Ladislav Hagara over 2 years ago. Updated over 1 year ago.


Status: Closed
Start date: 01/20/2012
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -

Description

Problem with iproute2 (not only): the source tarball and signature file are missing from SOURCE_URL; the server just provides an HTML file. The tarball is tested, it is HTML, so the file from the fall-back mirror is downloaded. The sign file is not tested, so the HTML file is saved in the cache dir and the sign file from our fall-back mirror is not downloaded.

With these lines in libsummon it works like a charm:

[[ "$1" != "${1%.sig}" ]] ||
[[ "$1" != "${1%.sign}" ]] ||
[[ "$1" != "${1%.asc}" ]] ||

Sanity check of iproute2-2.6.39.tar.gz failed:
text/html; charset=utf-8
Attempting to get file from fall-back mirrors
...
Sanity check of iproute2-2.6.39.tar.gz.sign failed:
text/html; charset=utf-8
Attempting to get file from fall-back mirrors
...


History

Updated by Jaka Kranjc almost 2 years ago

looks safe, here the files are either recognized as signatures or as binaries, but never as text.

Updated by Jaka Kranjc almost 2 years ago

fixed in devel

  • Status changed from New to Resolved

Updated by Ladislav Hagara almost 2 years ago

I tried again (sorcery 20120430), returned iproute2 to 2.6.39 and summon -d it.

Sign file is saved even though it is html:

Downloading source file iproute2-2.6.39.tar.gz.sign
--2012-05-02 08:31:31-- http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.39.tar.gz.sign
...
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `iproute2-2.6.39.tar.gz.sign'

[   <=>                                                                                                   ] 57,778       136K/s   in 0.4s

2012-05-02 08:31:32 (136 KB/s) - `iproute2-2.6.39.tar.gz.sign' saved [57778]

So gpg checking doesn't work.

Found source file /var/spool/sorcery/iproute2-2.6.39.tar.gz for spell iproute2 in /var/spool/sorcery
Found source file /var/spool/sorcery/iproute2-2.6.39.tar.gz.sign for spell iproute2 in /var/spool/sorcery
Waiting for any Solo casts to complete...
Waiting for any other casts of iproute2 to complete... done.
Preparing iproute2
GPG checking source file iproute2-2.6.39.tar.gz...
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
Failure to verify gpg signature
Abort? [y]

Spells that encountered problems:
---------------------------------
iproute2 (pre_build)

With my patch sorcery doesn't save it and downloads it from backup mirrors.

Updated by Jaka Kranjc over 1 year ago

the conceived non-fixedness of this issue was due to a tarball generation problem a few months back. The same fix was used as reported.

  • Status changed from Resolved to Closed
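
The failure discussed in this report (an HTML page served with 200 OK and cached under a signature file name) can also be caught by inspecting the file's content. The following is an added example, not Sorcery's libsummon code, and it swaps the file-type test seen in the logs for a direct check of the OpenPGP armor header or packet header byte; all function names and the sample.* files are hypothetical and constructed.

```shell
#!/bin/sh
# Added example; not Sorcery's libsummon code. All function names are hypothetical.

# Return 0 if $1 plausibly holds an OpenPGP detached signature, 1 otherwise.
looks_like_signature() {
    [ -s "$1" ] || return 1    # missing or empty download
    # ASCII-armored signature: armor header line near the start of the file.
    if head -c 4096 "$1" | LC_ALL=C grep -q -e '^-----BEGIN PGP SIGNATURE-----'; then
        return 0
    fi
    # Binary signature: first octet is a packet header for tag 2 (signature),
    # old format 0x88/0x89/0x8a or new format 0xc2.
    first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    case $first in
        88|89|8a|c2) return 0 ;;
    esac
    return 1
}

# Print what a downloader should do with a freshly fetched file:
# "keep", "fallback" (discard and try the next mirror) or "unchecked".
sanity_check_download() {
    case $1 in
        *.sig|*.sign|*.asc)
            if looks_like_signature "$1"; then echo keep; else echo fallback; fi ;;
        *) echo unchecked ;;   # tarballs and other files need their own check
    esac
}

# Constructed samples: an HTML page saved under a .sign name, an armored
# signature stub, and a binary stub starting with an old-format tag-2 header.
make_samples() {
    dir=$(mktemp -d) || return 1
    printf '<!DOCTYPE html>\n<html><body>Not found</body></html>\n' \
        > "$dir/iproute2-2.6.39.tar.gz.sign"
    printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '' 'AAAA' \
        '-----END PGP SIGNATURE-----' > "$dir/sample.tar.gz.asc"
    printf '\210\077\003\005\021' > "$dir/sample.tar.gz.sig"
    echo "$dir"
}

samples=$(make_samples)
for f in "$samples"/*; do
    printf '%s -> %s\n' "${f##*/}" "$(sanity_check_download "$f")"
done
rm -rf "$samples"
```

The check only decides whether a download is worth caching; verifying the signature itself remains gpg's job.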
