.changes file cannot be updated with new checksums after signing .dsc
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
dpkg-sig (Ubuntu) | New | Undecided | Unassigned |
Bug Description
When signing a .dsc file and updating the respective .changes file, dpkg-sig replaces all sha1 and sha256 checksums with md5 checksums. (This means that it is no longer possible to upload associated .deb packages as, e.g., mini-dinstall cannot parse the resulting .changes file.)
The above affects *all* versions of Debian and Ubuntu, but it only manifests if the .changes file contains a reference to the associated .dsc file (this is, e.g., the case when using pbuilder).
From looking at the source code, apart from replacing sha1 checksums with md5 counterparts, dpkg-sig is lacking sha256 checksum support in the first place.
```
% #The above has been verified on xenial, bionic systems; only including fossa related data here:
% lsb_release -rd
Description: Ubuntu Focal Fossa (development branch)
Release: 20.04
% apt-cache policy dpkg-sig
dpkg-sig:
  Installed: 0.13.1+nmu4
  Candidate: 0.13.1+nmu4
  Version table:
 *** 0.13.1+nmu4 500
        500 http://
        100 /var/lib/
% apt-cache policy pbuilder
pbuilder:
  Installed: 0.230.4
  Candidate: 0.230.4
  Version table:
 *** 0.230.4 500
        500 http://
        100 /var/lib/
```
* Expected behaviour: md5, sha1, sha256 checksums of .dsc file updated in .changes file after signing.
* Actual result: all .dsc related entries in .changes file now contain the same md5 checksum.
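
A check that catches the symptom described above, as an added example (not dpkg-sig's code and not part of the original report): it parses the checksum fields of a .changes file and compares each .dsc entry against digests recomputed from the file contents. The file name `hello_1.0-1.dsc`, the sample contents and the function names are constructed for illustration.

```python
import hashlib
import re

# Checksum fields of a .changes file and the hashlib algorithm each must hold.
FIELDS = {"Files": "md5", "Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256"}

def parse_checksums(changes_text):
    """Return {field: {filename: (hexdigest, size)}} for the checksum fields."""
    found = {name: {} for name in FIELDS}
    current = None
    for line in changes_text.splitlines():
        header = re.match(r"^([A-Za-z0-9-]+):", line)
        if header:
            current = header.group(1) if header.group(1) in FIELDS else None
        elif current and line.startswith(" ") and line.strip():
            parts = line.split()
            # Files: "md5 size section priority name"; others: "digest size name".
            found[current][parts[-1]] = (parts[0].lower(), int(parts[1]))
        else:
            current = None  # a blank line or PGP armor ends the field
    return found

def audit(changes_text, contents):
    """List problems for the files in `contents` ({filename: bytes})."""
    problems, parsed = [], parse_checksums(changes_text)
    for field, algo in FIELDS.items():
        for name, data in contents.items():
            entry = parsed[field].get(name)
            if entry is None:
                problems.append(f"{field}: no entry for {name}")
                continue
            digest, size = entry
            want = hashlib.new(algo, data).hexdigest()
            if len(digest) != len(want):
                problems.append(f"{field}: {name} holds a {len(digest) * 4}-bit digest, not {algo}")
            elif digest != want or size != len(data):
                problems.append(f"{field}: {name} digest or size is stale")
    return problems

# Constructed sample: a tiny stand-in .dsc and two .changes bodies built from it.
DSC = b"Format: 3.0 (quilt)\nSource: hello\n"
def render(digest_for):
    out = []
    for field, algo in FIELDS.items():
        extra = " devel optional" if field == "Files" else ""
        out.append(f"{field}:\n {digest_for(algo)} {len(DSC)}{extra} hello_1.0-1.dsc")
    return "Source: hello\n" + "\n".join(out) + "\n"
GOOD = render(lambda algo: hashlib.new(algo, DSC).hexdigest())
# Symptom from the report: every .dsc entry carries the md5 value.
BAD = render(lambda algo: hashlib.md5(DSC).hexdigest())
```

Running `audit(BAD, {"hello_1.0-1.dsc": DSC})` flags the Checksums-Sha1 and Checksums-Sha256 entries, while the same call on `GOOD` returns an empty list.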