Bug#1084734: marked as done (squid: Pristine tarball is signed with a different key not in d/upstream/signing-key.asc)

Sat, 15 Feb 2025 21:03:16 -0800 

Your message dated Sun, 16 Feb 2025 17:58:25 +1300
with message-id <[email protected]>
and subject line squid: Pristine tarball is signed with a different key not in 
d/upstream/signing-key.asc
has caused the Debian Bug report #1084734,
regarding squid: Pristine tarball is signed with a different key not in 
d/upstream/signing-key.asc
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1084734: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084734
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Source: squid
Version: 6.10-1ubuntu1
Severity: normal
Tags: patch
X-Debbugs-Cc: [email protected]

Dear Maintainer,

The squid upstream project hosts its keyring at squid-cache.org/pgp.asc.
The latest tarballs for squid 6.10 are no longer being signed by the
(only) key in the keyring in d/u/signing-key.asc. Let's update that
keyring to include the following key:

28F8 5029 FEF6 E865
"Francesco Chemolli (code signing key) <[email protected]>"

This key is available at the upstream keyring and is signed by the
previous key included in this keyring.

Note that, although a uscan --download-current does fetch the correct
source tarball from the upstream project and reports a good signature
from the key above, checking the current tarball in the archive (e.g.,
with gpgv) will report a bad signature from that key. This happens
because the upstream tarball was re-packed and the checksums changed.
Also note that the only differences between the "good" and the "bad"
signed tarballs are file ownership which changed due to repacking it.

A patch to update the keyring file is available at
https://salsa.debian.org/squid-team/squid/-/merge_requests/26. Since I
Could not find an announcement pointing to the current key being used, I
kept the signature from the former key when expanding the keyring.

Thanks for considering the patch.

--- End Message ---
--- Begin Message --- 
thanks

--- End Message ---

Reply via email to