Hi folks,The attached log first chunk shows that new downloads especially GnuPG and GNU packages may be signed with keys not recognized by old gnupg/gpg.
After applying the attached patches, which add support for the newer gpg2 from gnupg2 if installed, the attached log second chunk shows the new keys verified by gpg2 added to lib/src_prep.cygpart ___gpg_verify().
Similar code has been added to lib/pkg_pkg.cygpart __pkg_srcpkg() for check and definition and __gpg_sign() for use in gpg signing of Cygwin patches and files.
-- Take care. Thanks, Brian Inglis Calgary, Alberta, Canada La perfection est atteinte Perfection is achieved non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add mais lorsqu'il n'y a plus rien à retirer but when there is no more to cut -- Antoine de Saint-Exupéry
>>> Preparing gpgme-1.23.1-1.x86_64 *** Info: SOURCE 1 signature follows: gpg: Signature made 2023 Oct 27 Fri 06:41:07 MDT using ? key ID 26403ADA gpg: Can't check signature: unknown pubkey algorithm gpg: Signature made 2023 Nov 14 Tue 17:50:43 MST using ? key ID 19C6C8BD gpg: Can't check signature: unknown pubkey algorithm >>> Preparing gpgme-1.23.1-1.x86_64 *** Info: SOURCE 1 signature follows: gpg: Signature made 2023 Oct 27 Fri 06:41:07 MDT gpg: using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA gpg: Good signature from "Werner Koch (dist signing 2020)" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA gpg: Signature made 2023 Nov 14 Tue 17:50:43 MST gpg: using EDDSA key AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD gpg: Good signature from "Niibe Yutaka (GnuPG Release Key)" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
--- /usr/share/cygport/lib/pkg_pkg.cygpart.orig 2023-03-08 06:07:57.000000000 -0700 +++ /usr/share/cygport/lib/pkg_pkg.cygpart 2023-11-19 21:13:16.879391200 -0700 @@ -505,7 +505,7 @@ __gpg_sign() { echo "${2} signature needs to be updated"; rm -f ${1}.sig; # we 'check_prog gpg' in __pkg_srcpkg() - gpg --detach-sign ${1}; + $GPG --detach-sign ${1}; } __squeeze_whitespace() { @@ -563,7 +563,9 @@ __pkg_srcpkg() { if __arg_bool SIG then - if check_prog gpg + if check_prog gpg2; then GPG=gpg2; else GPG=gpg; fi + + if check_prog $GPG then __gpg_sign ${spkgdir}/${cygportfile} "CYGPORT SCRIPT"; @@ -583,14 +585,15 @@ __pkg_srcpkg() { __gpg_sign ${spkgdir}/${src_patchfile} "SOURCE PATCH"; fi else - inform "gnupg must be installed in order to make signatures."; + inform "gnupg2 or gnupg must be installed in order to make signatures."; fi fi cd ${spkgdir%/*}; mkdir -p ${distdir}/${PN}; - __tar ${distdir}/${PN}/${PF}-src.tar.${TAR_COMPRESSION_EXT} ${spkgdir##*/}/ || error "Source package creation failed" + __tar ${distdir}/${PN}/${PF}-src.tar.${TAR_COMPRESSION_EXT} ${spkgdir##*/}/ \ + || error "Source package creation failed" echo; # source package hint
--- /usr/share/cygport/lib/src_prep.cygpart.orig 2023-11-19 18:51:13.284177300 -0700 +++ /usr/share/cygport/lib/src_prep.cygpart 2023-11-19 21:00:35.754036900 -0700 @@ -181,12 +181,14 @@ __gpg_verify() { local _filetype=${2}; local _sigext=${3:-sig}; - if ! check_prog gpg && ! check_prog gpg2 + if check_prog gpg2; then GPG=gpg2; else GPG=gpg; fi + + if ! check_prog $GPG then # display notice only once if ! defined _gpg_not_found_ then - inform "gnupg or gnupg2 must be installed in order to check signatures."; + inform "gnupg2 or gnupg must be installed in order to check signatures."; _gpg_not_found_=1 fi @@ -195,7 +197,6 @@ __gpg_verify() { if [ -f ${_file}.${_sigext} ] then - [ check_prog gpg2 ] && GPG=gpg2 || GPG=gpg inform "${_filetype} signature follows:"; $GPG --verify ${_file}.${_sigext} ${_file} || true; fi