Xiyue Deng <manp...@gmail.com> writes:

> Package: lintian
> Version: 2.116.3
> Severity: wishlist
> X-Debbugs-Cc: none, Xiyue Deng <manp...@gmail.com>
>
> We encountered a case that persist[1] from elpa has more than one signing
> key and one of the public keys is missing. As the output of `gbp
> import-orig --uscan' shows[2], the EDDSA public key could not be found.
> Instead, the RSA was available in the repo[3] and passed the signature
> check. So instead I used the `uscan --skip-signature' to get the
> upstream tarball and prepared the packaging. Paul Wise asked me to
> check whether lintian would still warn about the missing key in the
> built package, and it didn't.
>
> This might be considered a rather rare case with multiple signing keys,
> and Paul suggested to file a bug against lintian nonetheless to keep a
> record on this case.
>
> [1] https://elpa.gnu.org/packages/persist.html
>
> [2] Command output:
> ,----
> | $ gbp import-orig --uscan
> | gbp:info: Launching uscan...
> | Newest version of persist-el on remote site is 0.6, local version is 0.5
> | (mangled local version is 0.5)
> | => Newer package available from:
> | => https://elpa.gnu.org/packages/persist-0.6.tar
> | gpgv: Signature made Sat 13 Jan 2024 02:05:03 AM PST
> | gpgv: using RSA key C433554766D3DDC64221BFAA066DAFCB81E42C40
> | gpgv: Good signature from "GNU ELPA Signing Agent (2019)
> <elpas...@elpa.gnu.org>"
> | gpgv: Signature made Sat 13 Jan 2024 02:05:03 AM PST
> | gpgv: using EDDSA key
> 0327BE68D64D9A1A66859F15645357D2883A0966
> | gpgv: Can't check signature: No public key
> | uscan die: OpenPGP signature did not verify. at
> /usr/share/perl5/Devscripts/Uscan/Output.pm line 77.
> | gbp:error: Uscan failed: OpenPGP signature did not verify.
> `----
>
> [3]
> https://salsa.debian.org/emacsen-team/persist-el/-/blob/master/debian/upstream/signing-key.asc?ref_type=heads
>
> [..snip..]

CCing Paul, which I forgot to do in the first email.

Also, Paul suggested a new lintian tag for this use case:
"upstream-signature-uses-key-missing-from-upstream-signing-keys".

-- 
Xiyue Deng
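
The condition reported in this thread, as an added example that is not part of the original mails and is not lintian or uscan code: it groups the gpgv lines quoted above per signature and lists the signing keys that have no public key in the keyring. The function names are hypothetical, and the parser assumes gpgv's English messages as they appear in the report.

```python
import re

# gpgv lines quoted in the report above, with the e-mail line wrapping
# undone; the address is truncated exactly as it is on the page.
GPGV_OUTPUT = """\
gpgv: Signature made Sat 13 Jan 2024 02:05:03 AM PST
gpgv:                using RSA key C433554766D3DDC64221BFAA066DAFCB81E42C40
gpgv: Good signature from "GNU ELPA Signing Agent (2019) <elpas...@elpa.gnu.org>"
gpgv: Signature made Sat 13 Jan 2024 02:05:03 AM PST
gpgv:                using EDDSA key 0327BE68D64D9A1A66859F15645357D2883A0966
gpgv: Can't check signature: No public key
"""

KEY_RE = re.compile(r"using (\w+) key ([0-9A-Fa-f]{16,40})")


def parse_signatures(text):
    """Return one record per signature: algorithm, key id/fingerprint, status."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("gpgv:"):
            continue  # uscan/gbp chatter around the gpgv output
        msg = line[len("gpgv:"):].strip()
        if msg.startswith("Signature made"):
            # Every signature in the file opens with this line.
            sigs.append({"algo": None, "key": None, "status": "unknown"})
        elif not sigs:
            continue  # status line without a preceding signature header
        elif (m := KEY_RE.search(msg)):
            sigs[-1]["algo"], sigs[-1]["key"] = m.group(1), m.group(2).upper()
        elif msg.startswith("Good signature"):
            sigs[-1]["status"] = "good"
        elif "No public key" in msg:
            sigs[-1]["status"] = "no-public-key"
        elif msg.startswith("BAD signature"):
            sigs[-1]["status"] = "bad"
    return sigs


def keys_missing_from_keyring(text):
    """Keys that signed the tarball but are absent from the keyring."""
    return [s["key"] for s in parse_signatures(text)
            if s["status"] == "no-public-key"]


def all_signatures_verified(text):
    """True only if there is at least one signature and every one is good."""
    sigs = parse_signatures(text)
    return bool(sigs) and all(s["status"] == "good" for s in sigs)


if __name__ == "__main__":
    print("missing:", keys_missing_from_keyring(GPGV_OUTPUT))
    print("all verified:", all_signatures_verified(GPGV_OUTPUT))
```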