#833012 uscan: don't look for OpenPGP signatures by appending .asc to a query string

Package:
devscripts
Source:
devscripts
Description:
scripts to make the life of a Debian Package maintainer easier
Submitter:
Sean Whitton
Date:
2025-07-21 14:09:02 UTC
Severity:
normal
Tags:
#833012#5
Date:
2016-07-30 21:01:51 UTC
From:
To:
Dear maintainers,

uscan tries appending .asc to the tarball download URI.  If that returns
HTTP 200, it will say something like this:

However, as can be seen from this example, uscan has appended .asc to
the query string i.e. the part of the URI after the final '?'
character.  It is highly unlikely that this will ever be a real
signature file.

uscan should, in this kind of case, try the following URI:

https://addons.mozilla.org/firefox/downloads/file/423258/self_destructing_cookies-0.4.10-an+fx.xpi.asc?src=version-history

i.e. append the .asc to the part of the URI before the query string.

Thanks!
--- /etc/devscripts.conf ---
--- ~/.devscripts ---
DEBCHANGE_FORCE_SAVE_ON_RELEASE=no
DEBRELEASE_UPLOADER=dput
DEBSIGN_KEYID=0x0F56D0553B6D411B
DEB_SIGN_KEYID=0x0F56D0553B6D411B
DEBSIGN_PROGRAM=gpg
RMADISON_DEFAULT_URL=debian,ubuntu
DSCVERIFY_KEYRINGS=~/.gnupg/pubring.gpg
DEBUILD_DPKG_BUILDPACKAGE_OPTS="-us -uc"
#833012#10
Date:
2016-07-31 16:05:03 UTC
From:
To:
Hi,

Yes.

In this case, heuristics do not work.


The upstream tarball filename is normally found by taking the last
component of the URL and removing everything after any '?' or '#'.

Problem is that some query strings contain upstream archive name after ?

Use of pgpsigurlmangle is one way to avoid this problem.  But let me
think if there is a bit more reasonable heuristic with the least
complication.

Osamu

Yah...

Osamu

#833012#15
Date:
2017-08-29 14:30:23 UTC
From:
To:
Hi,

I made a quick fix to address this bug as attached against git head:
 a830277fec6cea2b4c6cba86ca3a45ceea309b06

This should not only work for default but also for auto.

Sean Whitton, what do you think of this?

I will test this later this week when I find some time.

Regards,

Osamu

PS: Writing Perl code is a headache for me.

#833012#25
Date:
2017-09-02 04:02:02 UTC
From:
To:
Hello Osamu,

Thank you for working on this bug!

In the case there is a query string you have:

And in the case with no query string, you use the old code:

Shouldn't there be a '$' in the first one, too?

#833012#30
Date:
2017-09-02 17:54:17 UTC
From:
To:
Er, I was too tired when I wrote this.

Patch LGTM, though of course needs testing.  Thanks again.

#833012#35
Date:
2017-09-03 12:51:44 UTC
From:
To:
control: tags -1 moreinfo
thanks

(FYI: https://bugs.debian.org/833012 )

I tested my updated script and fixed several loose ends.  I think
thought is right but I need an actual example which works with this new
pgpmode=auto with "?" in URL.  Your bug report isn't good enough for me
to proceed.

I made second guess what you were thinking and failed to find an
example.  If you can point me to an example debian/watch file which
needs your requested feature, let me know.

Here is the background:

Since you didn't provide watch file, I am guessing from #831829, that
this watch file is the one found in:
 $ git clone https://anonscm.debian.org/git/pkg-mozext/self-destructing-cookies.git

Its debian/watch has:

version=3
opts="repack, compression=xz" \
https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/versions/ \
.*/self_destructing_cookies-([0-9.]+).*[.]xpi.* \
debian


The https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/versions/ is not so simple.

The web page depends on the browser.  With firefox, "Add to Firefox"
button appears.  So I looked around.  This may be because this URL site
has contents such as:

  <p class="install-button">
                        <a class="button download "
  data-hash="sha256:340d7d9a73b9b11579f75fa75b508ded5b792728b42259cf1c7aead69bc0b7f9"
      href="https://addons.mozilla.org/firefox/downloads/file/423258/self_destructing_cookies-0.4.10-an+fx.xpi?src=version-history"
  >

So the watch file may be looking for the match for:

https://addons.mozilla.org/firefox/downloads/file/423258/self_destructing_cookies-0.4.10-an+fx.xpi?src=version-history

So far it makes sense.

When I checked, the recent release doesn't have "-signed" in the
"Version 0.4.12" while older release has "Version 0.4.7.1-signed".
Strange.  Are you sure this site still provides signature file?  If you
add ".asc" before "?" as

https://addons.mozilla.org/firefox/downloads/file/423258/self_destructing_cookies-0.4.10-an+fx.xpi.asc?src=version-history

This URL with wget downloads the same
self_destructing_cookies-0.4.10-an+fx.xpi file!!!  This can't be the
signature file.  (Too big, too.)

I realize the current uscan.pl code is not good for "pgpmode=auto" for
another reason since it forces the downloaded signature file extension
to be pgp.  So the current code needs to be fixed.  I already fixed this
problem with your wishlist case. I need to get a working example case
before committing my new change.

Let me know more.

Osamu

#833012#52
Date:
2017-09-09 19:54:19 UTC
From:
To:
Hello Osamu,

The -signed has nothing to do with PGP.  Please ignore it.

Urgh.  This is a problem at Mozilla's end, I guess.  Unless uscan adds a
size heuristic I don't think we can work around it.

Unfortunately the only cases where I saw this bug were packages obtained
from addons.mozilla.org, so I don't have another test case for you.
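
As an added illustration of the two heuristics discussed in this thread (appending ".asc" to the path component instead of to the whole URI, and refusing a candidate "signature" that is really the tarball again or an HTML login page), here is an example in Python that is not code from uscan or devscripts; the 64 KiB size limit, the marker strings and the sample bytes are constructed assumptions.

```python
import hashlib
from urllib.parse import urlsplit, urlunsplit

ARMOR_HEADER = b"-----BEGIN PGP SIGNATURE-----"
MAX_SIG_BYTES = 64 * 1024  # assumption: no detached signature is this large


def naive_sig_url(url: str, ext: str = ".asc") -> str:
    """The behaviour the report complains about: ext glued onto the whole URI."""
    return url + ext


def sig_url_candidate(url: str, ext: str = ".asc") -> str:
    """Append ext to the path component only; query string and fragment are kept."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=parts.path + ext))


def plausible_detached_signature(sig: bytes, tarball: bytes) -> tuple[bool, str]:
    """Sanity-check a body fetched from a candidate .asc URL before trusting it.

    Rejects the false positives seen in this thread: a server that answers the
    .asc URL with the tarball itself (the addons.mozilla.org case) and one that
    answers with an HTML login page (the GitLab case). Returns (accepted, reason).
    """
    head = sig.lstrip()
    if not head:
        return False, "empty response"
    if len(sig) > MAX_SIG_BYTES:
        return False, "too large for a detached signature"
    if hashlib.sha256(sig).digest() == hashlib.sha256(tarball).digest():
        return False, "response is identical to the tarball"
    if head[:1] == b"<" or b"<html" in head[:512].lower():
        return False, "looks like an HTML page, not a signature"
    if head.startswith(ARMOR_HEADER):
        return True, "ASCII-armored OpenPGP signature"
    # Binary OpenPGP data starts with a packet tag whose high bit is set (RFC 4880, 4.2)
    if head[0] & 0x80:
        return True, "binary OpenPGP packet"
    return False, "no OpenPGP signature marker found"
```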

#833012#57
Date:
2023-07-11 20:49:23 UTC
From:
To:
I think I ran into this bug today.

https://gitlab.gnome.org/cheywood/iotas and
https://gitlab.gnome.org/World/Shortwave only publish unsigned tarballs.
uscan thinks there is a .asc file present though:

```

...

uscan info: Not downloading, using existing file: iotas-0.1.16.tar.bz2
uscan info: Start checking for common possible upstream OpenPGP
signature files
uscan warn: Possible OpenPGP signature found at:
https://gitlab.gnome.org/cheywood/iotas/-/archive/0.1.16/iotas-0.1.16.tar.bz2.asc
  * Add opts=pgpsigurlmangle=s/$/.asc/ or opts=pgpmode=auto to debian/watch
  * Add debian/upstream/signing-key.asc.
  See uscan(1) for more details
uscan info: End checking for common possible upstream OpenPGP signature
files
uscan info: Missing OpenPGP signature.
uscan info: New orig.tar.* tarball version (oversionmangled): 0.1.16
...

```

The asc leads to a 404 (when being logged in to GNOME gitlab) and the
login page otherwise. These are the only two cases where I had this bug
(note that I do maintain a few other packages hosted at GNOME's GL
instance).

regards,

werdahias

#833012#62
Date:
2025-07-21 14:07:06 UTC
From:
To:
Hi,

Did you try pgpmode=none or pgpmode=next?