File: changelog

package info (click to toggle)
debsig-verify 0.33
links: PTS, VCS
area: main
in suites: forky, sid, trixie
size: 896 kB
sloc: sh: 6,428; ansic: 1,219; makefile: 102
file content (493 lines) | stat: -rw-r--r-- 20,002 bytes
debsig-verify (0.33) unstable; urgency=medium

  * Build system:
    - Terminate lists in variables with «# EOL».
  * Packaging:
    - Switch to Standards-Version 4.7.2 (no changes needed).
  * Test suite:
    - Fix «sq sign» invocation with CLI version 1.0.

 -- Guillem Jover <guillem@debian.org>  Sat, 15 Mar 2025 02:57:03 +0100

debsig-verify (0.32) unstable; urgency=medium

  * Fix OpenPGP implementation array traversal.
  * Documentation:
    - Update TODO.
  * Packaging:
    - Switch to Standards-Version 4.7.1 (no changes needed).
    - Add <!nocheck> Build-Depends on gpg | gpg-from-sq to run debsig-verify.
  * Test suite:
    - Pass --root-owner-group to dpkg-deb.

 -- Guillem Jover <guillem@debian.org>  Sat, 22 Feb 2025 14:24:41 +0100

debsig-verify (0.31) unstable; urgency=medium

  * Code internals:
    - Use DS_LEV_INFO instead of a hardcoded value.
    - Swap order of ds_debug_level in boolean comparisons.
    - Change ds_printf() to return early on too low debug level.
  * Packaging:
    - Drop gnupg and gnupg-agent as alternatives to gpg and gpg-agent.
  * Test suite:
    - Generalize SOP support to include rsop, gosop and pgpainless-cli.
    - Adapt to new sq CLI 0.40.0 API.

 -- Guillem Jover <guillem@debian.org>  Sun, 22 Dec 2024 01:04:22 +0100

debsig-verify (0.30) unstable; urgency=medium

  * Add OpenPGP subkey support.
    Based on a patch by Steve McIntyre <steve@einval.com>. Closes: #1059150
  * Switch from pkg-config to pkgconf.
  * Documentation:
    - doc: Bump required C compiler to support C99.
  * Packaging:
    - Update copyright years.
  * Test suite:
    - Add new macro to set the OpenPGP key to use.
    - Switch to use sq --signer-file.

 -- Guillem Jover <guillem@debian.org>  Mon, 08 Apr 2024 04:53:04 +0200

debsig-verify (0.29) unstable; urgency=medium

  * Code internals:
    - openpgp-gpg: Free fpr if there is no match in gpg_getKeyID().
    - openpgp-gpg: Do not duplicate the returned value in gpg_getSigKeyID().
    - Rename find_command() to command_in_path() to match libdpkg.
    - Rename misc.c to debug.c.
  * Build system:
    - Use command_in_path() from libdpkg.

 -- Guillem Jover <guillem@debian.org>  Sat, 09 Sep 2023 21:21:04 +0200

debsig-verify (0.28) unstable; urgency=medium

  * Add support for zstd compressed .deb archives.
  * Packaging:
    - Update copyright years.
    - Switch to Standards-Version 4.6.2 (no changes needed).
    - Do not trim debian/changelog.

 -- Guillem Jover <guillem@debian.org>  Tue, 10 Jan 2023 23:38:18 +0100

debsig-verify (0.27) unstable; urgency=medium

  * Build system:
    - Request pkg-config static linking flags for libdpkg.
  * Packaging:
    - Switch to Standards-Version 4.6.1 (no changes needed).
    - Update lintian overrides for new syntax.

 -- Guillem Jover <guillem@debian.org>  Sat, 15 Oct 2022 11:16:46 +0200

debsig-verify (0.26) unstable; urgency=medium

  * Print the unknown option on error.
  * Fix mismatched number of arguments error.
  * openpgp-gpg: Always pass the gpg command in argv[0].
  * openpgp-gpg: Skip field separator character when parsing --with-colons
    output.
  * openpgp: Do not consider a match if one of the fingerprints has zero
    length.
  * openpgp-gpg: When matching on getKeyID match on fingerprint.
  * openpgp-gpg: Do not fallback to the match ID on fingerprint/keyID not
    found.
  * openpgp-gpg: Fix last field parsing.
  * openpgp-gpg: Switch from internal gpg --list-packets to --verify
    --status-fd. See #1001331.
  * openpgp-gpg: Unset GPG_TTY.
  * Check whether the origin ID is in the keyring if no match ID is specified.
  * openpgp: Print the pathname for the keyring used in debug mode.
  * Documentation:
    - Update TODO.
    - Refer to the main git repository as primary.
    - Use https:// for release download URLs.
    - Switch release URL from ftp.debian.org to deb.debian.org.
  * Code internals:
    - Avoid using an intermediate buffer in ds_printf().
    - Switch from fgets() to getline().
    - openpgp-gpg: Refactor get_field() out from get_colon_field().
    - Refactor keyring generation.
    - Pass a string instead of a struct match to getKeyID().
    - Rename getSigKeyID() argument from type to name.
    - Turn struct match «type» member from an int to an enum.
    - openpgp-gpg: Fix cleanup_gpg_tmpdir() subprocess description.
  * Test suite:
    - Add new test keys with non-weak algorithms.

 -- Guillem Jover <guillem@debian.org>  Tue, 04 Oct 2022 04:01:26 +0200

debsig-verify (0.25) unstable; urgency=medium

  * Update copyright years.
  * Test suite:
    - Fix function name in trap.

 -- Guillem Jover <guillem@debian.org>  Wed, 17 Nov 2021 02:35:53 +0100

debsig-verify (0.24) unstable; urgency=medium

  * Switch keyring parser from gpg --list-packets to --show-keys --with-colons.
  * Use fingerprint and fallback to use long keyIDs for database filenames.
  * Reject weak RIPEMD160 and SHA1 algorithms.
  * Documentation:
    - Update .gpg keyring references to .pgp in man page.
    - Mention OpenPGP instead of gpg in generic code comments.
    - Clarify the requirement for OpenPGP keyrings.
      Prompted by Steve McIntyre <steve@einval.com>.
      See #988646.
    - Update and modernize the policy-syntax specification.
  * Code internals:
    - Move GnuPG specific macros to the GnuPG backend module.
    - Rename gpgVerify() to sigVerify().
    - Add a new find_command() function.
    - Abstract the OpenPGP operations behind a frontend driver.
    - Move checkSigExist() from misc to openpgp module.
    - Rename XML parser file to policy-xml.
    - Refactor key ID comparison function.
    - Support comparing keyIDs and fingerprints.
    - Refactor database filename generation into a new function.
    - Refactor prefix matching into a new function.
    - Regroup header includes.
  * Build system:
    - Add GitLab CI support.
    - Update .gitignore file.
  * Packaging:
    - Fix typo for Standards-Version field.
    - Switch to Standards-Version 4.6.0 (no changes needed).
    - Do not include the keyid in the example policies pathname.
  * Test suite:
    - Rename .gpg keyrings to .pgp.
    - Abstract OpenPGP details into debsig_openpgp_* functions.
    - Check OpenPGP backend availability.
    - Add sqop and sq OpenPGP backend support.
    - Remove obsolete and non-compliant test data.
      Reported by Charles Duffy <charles@dyfis.net>.
    - Shorten test case titles.
    - Move bad sig case after no sig case.

 -- Guillem Jover <guillem@debian.org>  Tue, 16 Nov 2021 06:02:07 +0100

debsig-verify (0.23) unstable; urgency=medium

  * Remove unused ‘c’ variable assignment in fgets() call.
  * Packaging:
    - Switch to Standards-Version 4.5.1 (no changes needed).
    - Switch to debhelper compatibility level 13.
    - Update copyright years.

 -- Guillem Jover <guillem@debian.org>  Thu, 24 Dec 2020 22:29:03 +0100

debsig-verify (0.22) unstable; urgency=medium

  * Fix use after free on debug output.
    Reported by Moritz Meintker <moritz@thinksilicon.de>.

 -- Guillem Jover <guillem@debian.org>  Wed, 11 Dec 2019 05:12:02 +0100

debsig-verify (0.21) unstable; urgency=medium

  * Packaging:
    - Do not use dh_auto_configure to configure the source in the
      autopkgtest, as it passes unknown options that emit warnings that
      make the test fail. See: #942813.

 -- Guillem Jover <guillem@debian.org>  Sat, 26 Oct 2019 20:38:50 +0200

debsig-verify (0.20) unstable; urgency=medium

  * Update copyright years.
  * Expand GPLv2 brief notice in debsig-verify man page into the standard
    GPL-2+ notice.
  * Print the temporary directory template in case mkdtemp() fails, instead
    of printing NULL.
  * Build system:
    - Add missing files to the distribution.
    - Generate the .dist-version when creating a dist tarball.
  * Packaging:
    - Bump Standards-Version to 4.4.1 (no changes needed).
    - Switch from debian/compat to debhelper-compat in Build-Depends.
    - Switch to debhelper compatibility level 12.
    - Switch to dh.

 -- Guillem Jover <guillem@debian.org>  Sat, 19 Oct 2019 04:23:44 +0200

debsig-verify (0.19) unstable; urgency=medium

  * Update Vcs information to point to new hosting.
  * Allocate pathname buffers dynamically to avoid possible silent truncation.
  * Build system:
    - Detect compiler flags availability at build-time.
  * Packaging:
    - Namespace debhelper files with package names.
    - Bump Standards-Version to 4.1.5 (no changes needed).
    - Move debhelper command arguments into fragment files.
    - Install all test policies into keyid example directories.

 -- Guillem Jover <guillem@debian.org>  Thu, 05 Jul 2018 12:50:11 +0200

debsig-verify (0.18) unstable; urgency=medium

  * Pass --no-auto-check-trustdb to the gpg invocations.
  * Add gpg as a alternative dependencies to gnupg, and gpg-agent or
    gnupg-agent as new Build-Depends, now that the package has been split
    in a more fine-grained way.
  * Use UTC0 instead of UTC when setting TZ.
  * Bump Standards-Version to 4.1.1 (no changes needed).
  * Add autopkgtest using the upstream test suite.
  * Set Rules-Requires-Root to no.
  * Set distribution tarball format to ustar.

 -- Guillem Jover <guillem@debian.org>  Sun, 05 Nov 2017 23:46:13 +0100

debsig-verify (0.17) unstable; urgency=medium

  * Spelling fixes. Thanks to Josh Soref <jsoref@gmail.com>.
  * Switch from libxmltok (expat 1.x) to libexpat (expat 2.x). The latter
    package is slightly bigger, but that is offset by being used by many
    more package, and more importantly being maintained upstream.
  * Bump Standards-Version to 4.0.1 (no changes needed).
  * Switch to debhelper compatibility level 10.

 -- Guillem Jover <guillem@debian.org>  Sun, 13 Aug 2017 00:25:11 +0200

debsig-verify (0.16) unstable; urgency=medium

  * Wrap dependency fields in debian/control.
  * Add debsigs to Suggests.
  * Mark gnupg Build-Depends as <!nocheck>.
  * Adapt for libdpkg 1.18.11 ar API changes.
  * Enable more compilation warnings from configure.
  * Switch to a single git repository URL in README for browsing and cloning
    to fix previously broken cloning URL.

 -- Guillem Jover <guillem@debian.org>  Tue, 24 Jan 2017 02:10:20 +0100

debsig-verify (0.15) unstable; urgency=medium

  * Fix typo in error message, reported by lintian.
  * Fix typo in man page, reported by lintian.
  * Bump Standards-Version to 3.9.8 (no changes needed).
  * Use https for debsig policy DTD.
  * Fix coding style.
  * Switch to the dpkg makefile fragments in debian/rules.
  * Enable all hardening flags.
  * Switch to use the new libdpkg 1.18.8 ar API.
  * Fix parsing of GnuPG 2.x --list-packets output.
  * Move debian/copyright paragraph referencing GPL-2 file to a Comment field.
  * Make configure.ac a dependency of the configure target in debian/rules.
  * Fix test suite with GnuPG 2.x.

 -- Guillem Jover <guillem@debian.org>  Thu, 14 Jul 2016 00:45:33 +0200

debsig-verify (0.14) unstable; urgency=low

  * Assume at least C89 and POSIX.1-2001.
  * Fix man page formatting.
  * Add references to debsigs(1) and gpg(1) to the man page.
  * Add missing man page .TH fields.
  * Use https instead of git or http in URLs.
  * Add new test case covering key to name id mapping.
  * Switch to use more of libdpkg instead of ad-hoc code:
    - Use path_make_temp_template().
    - Switch from popen() to subproc_fork() and execlp(), to avoid shell
      invocation and unsafe argument passing.
    - Use the command module to invoke GnuPG instead of execlp().
  * Do not use an absolute pathname to the GnuPG program.
  * Make the GnuPG program configurable through the DEBSIG_GNUPG_PROGRAM
    environment variable.
  * Fix handling of a possibly non-terminated origin ID string.
  * Fix a file TOCTOU issue in the XML parser.
  * Set umask() for mkstemp() calls.
  * Do not free() nor unlink() an uninitialized string.
  * Fix printing debug message on unmatched key IDs in getKeyID().
  * Update copyright years.

 -- Guillem Jover <guillem@debian.org>  Sat, 13 Feb 2016 11:32:58 +0100

debsig-verify (0.13) unstable; urgency=medium

  * Disable all current GnuPG warnings, as these do not concern us, because
    we only use gpg for verification purposes, so we should not be handling
    sensitive material anyway. This fixes failures in the testsuite on
    GNU/Hurd due to unexpected output in stderr.

 -- Guillem Jover <guillem@debian.org>  Tue, 28 Oct 2014 18:03:29 +0100

debsig-verify (0.12) unstable; urgency=medium

  * Merge the testsuite execution into the debian/rules build-arch target,
    and use a build stamp file so that we do not invoke it from a binary
    target. The latter is going to be run as root possibly via fakeroot,
    and as GnuPG is set-uid-root on non-Linux systems, it fails there.
  * Mark targets as .PHONY in debian/rules.
  * Explicitly Build-Depend on gnupg for the testsuite.

 -- Guillem Jover <guillem@debian.org>  Tue, 28 Oct 2014 06:24:28 +0100

debsig-verify (0.11) unstable; urgency=medium

  * Update Vcs-Browser git URL to the new cgit scheme.
  * Add a README file.
  * Autoconfiscate build system.
  * Add more warning flags to the default compiler flags.
  * Do not use continuation lines in string literals.
  * Reformat and reflow --help output.
  * Add a --root option to use an alternative root directory.
    Thanks to Michael Vogt <mvo@ubuntu.com>. Closes: #758525
  * Add new --policies-dir and --keyrings-dir options.
  * Add new --help option.
  * Do not print --version and --help on stderr and make them exit 0. And
    replace usage error output with a new function that gives a hint to the
    user to use --help instead.
  * Add long options for quiet, verbose and debug.
  * Use DS_LEV_ERR instead of DS_FAIL_INTERNAL as ds_printf() level argument.
  * Use more of libdpkg instead of ad-hoc code, to reduce code duplication,
    switch to more tested code, and so that the error return codes are
    checked and acted upon. Closes: #758615
    - Switch to use subproc module instead of fork() and waitpid().
    - Switch from xmalloc to m_malloc().
    - Use ohshit()/ohshite() instead of ds_fail_printf(DS_FAIL_INTERNAL, ...).
    - Use m_dup2() instead of raw dup2().
    - Use fdio API instead of ad-hoc file copying.
    - Use str_match_end() instead of ad-hoc code, which also fixes a warning
      due to a signed vs unsigned comparison.
  * Remove useless return statements.
  * Use a temporary GNUPGHOME instead of using the users's default.
    Based on a patch by Michael Vogt <mvo@ubuntu.com>. Closes: #758826
  * Error out if the GnuPG pipe failed on close.
  * Explicitly check strcmp() return value instead of handling it as a bool.
  * Switch originID from global to function scoped variable.
    Thanks to Michael Vogt <mvo@ubuntu.com>.
  * Switch deb and deb_fd from global to a function scoped struct.
  * Change len type to size_t to fix a signed vs unsigned comparison warning.
  * Make private functions static.
  * Make private constant string variables static const.
  * Add new autotest functional testsuite.
  * Add test cases for signature checks.
    Based on a patch by Michael Vogt <mvo@ubuntu.com>.
  * Update copyright holders and years.
  * Bump Standards-Version to 3.9.6 (no changed needed).

 -- Guillem Jover <guillem@debian.org>  Tue, 28 Oct 2014 04:01:53 +0100

debsig-verify (0.10) unstable; urgency=low

  * Add exit status codes to the man page.
    Thanks to Ben Collins <bcollins@debian.org>.
  * Enable LFS by passing the correct build flags to the build.
  * Extend the package long description.
  * Add a lintian override for package-contains-empty-directory on
    /usr/share/debsig/keyrings/.

 -- Guillem Jover <guillem@debian.org>  Tue, 29 Jul 2014 12:21:49 +0200

debsig-verify (0.9) unstable; urgency=low

  * New maintainer. Closes: #540897
  * Use '' style quoting instead of unpaired `'.
  * Use italics for pathnames and user replacable strings.
  * Add missing space before Build-Depends version.
  * Bump Standards-Version to 3.9.5 (no changed needed).
  * Stop making build-indep depend on build-stamp in debian/rules.
  * Stop using a build-stamp in debian/rules.
  * Add dh_installman and dh_link commands.
  * Mark debsig-verify as Enhances dpkg.
  * Sync Priority with archive override (from standard to optional).
  * Use $(CURDIR) instead of $(shell pwd) in debian/rules.
  * Honour user CPPFLAGS, CFLAGS and LDFLAGS.
  * Set build flags via dpkg-buildflags.
  * Switch debian/copyright to machine-readable format 1.0.
  * Add support for control.tar, control.tar.xz, data.tar, data.tar.xz,
    data.tar.bz2 and data.tar.lzma deb members. Closes: #745563
    Based on a patch by Vivek Das Mohapatra <vivek@etla.org>.
  * Do not unnecessarily link against libxmltok, only libxmlparse.
  * Start using libdpkg instead of duplicating code:
    - Add pkg-config and libdpkg-dev to Build-Depends.
    - Add a Built-Using field for libdpkg-dev static linking.
    - Use libdpkg error handling code.
    - Use libdpkg ar handling. This enables ar large file support (LFS).
  * Check return values from functions marked with warn_unused_result.
  * Fix typos (aswell → as well). Closes: #748539
    Thanks to Tomas Pospisek <tpo_deb@sourcepole.ch>.
  * Add Vcs-Browser and Vcs-Git fields.
  * Switch to source format “3.0 (native)”.
  * Create the debian-keyring.gpg testing symlink in a new check target,
    instead of shipping it in the git repository or the release tarballs.
  * Decapitalize package short description.

 -- Guillem Jover <guillem@debian.org>  Fri, 06 Jun 2014 13:41:13 +0200

debsig-verify (0.8) unstable; urgency=low

  * QA upload.
  * Maintainer field set to QA Group.
  * Standards-Version bumped to 3.9.3.
  * Add dependency on ${misc:Depends}.
  * Debhelper compatibility level set to 9. Build dependency on debhelper
    updated accordingly.
  * build-{arch,indep} targets added to debian/rules.
  * Deprecated dh_clean -k replaced with dh_prep.

 -- Emanuele Rocca <ema@debian.org>  Sun, 20 May 2012 09:25:43 +0000

debsig-verify (0.7) unstable; urgency=low

  * Upload to main proper

 -- Ben Collins <bcollins@debian.org>  Tue, 15 Apr 2003 13:37:34 -0400

debsig-verify (0.6) unstable; urgency=low

  * Redesigned ds_fail_printf
  * Initialize gpg before using it

 -- Ben Collins <bcollins@debian.org>  Fri, 27 Apr 2001 13:55:52 -0400

debsig-verify (0.5) unstable; urgency=low

  * Some formatting changes
  * add "debian-binary" to members that are part of the signed data
  * For the selection phase, do not actually check the signatures with
    gpg. Just make sure they exist, and match if the ID is specified
  * If -d is specified, allow gpg output to stdout/stderr

 -- Ben Collins <bcollins@debian.org>  Sat, 14 Apr 2001 00:41:03 -0400

debsig-verify (0.4) unstable; urgency=low

  * Fix execl in gpgVerify()
  * Make sure files end in .pol
  * Add some more debug output

 -- Ben Collins <bcollins@debian.org>  Thu,  8 Mar 2001 10:50:01 -0500

debsig-verify (0.3) unstable; urgency=low

  * debian/control: Suggests debian-keyring, Section non-US/main

 -- Ben Collins <bcollins@debian.org>  Sun, 21 Jan 2001 13:48:08 -0500

debsig-verify (0.2) unstable; urgency=low

  * Added --list-policies, to get a list of applicable policies for a .deb
    (do not verify the contents). Also added a --use-policy so the user
    can specify one of the shortnames in the list from the list option.
  * Added manpage for debsig-verify
  * Added some code to free up alloc'd memory used by parsePolicy()
  * Lots of code cleanups
  * Added a -d option for debug output
  * Change to use "gpg --verify <sig> <file>" instead of stdin. The newest
    gpg changed this behavior to fix a security issue.
  * Use obstack to alloc policy data in xml-parts.c

 -- Ben Collins <bcollins@debian.org>  Tue, 12 Dec 2000 17:41:53 -0500

debsig-verify (0.1) unstable; urgency=low

  * Original setup

 -- Ben Collins <bcollins@debian.org>  Mon,  4 Dec 2000 20:21:32 -0500