Hi Andreas--

On Fri 2023-02-10 15:38:21 +0100, Andreas Metzler wrote:
> I thought this should work, but it does not:
> sqop verify gnutls28_3.7.8.orig.tar.xz.asc
> gnutls-3.7.8/debian/upstream/signing-key.asc < gnutls28_3.7.8.orig.tar.xz.asc
> No acceptable signatures found
>
> One of the signing keys (462225C3B46F34879FC8496CD605848ED7E69871) is in
> gnutls-3.7.8/debian/upstream/signing-key.asc:
I tested this against GnuTLS 3.8.6 with sqop 0.35.0, and I got the same
result that you did.

Investigating it further, I found:

 - the certificate in gnutls-3.8.6/debian/upstream/signing-key.asc that
   signed the 3.8.6 orig tarball was expired.

 - many of the certificates in gnutls-3.8.6/debian/upstream/signing-key.asc
   used SHA-1 in their internal certifications. SHA-1 should have been
   phased out years ago, and we should discourage OpenPGP certificates
   that rely on that algorithm.

It turns out that the relevant certificates have all been fixed upstream,
but they were not included in the debian packaging.

I refreshed the debian packaging to use up-to-date certificates, and
pushed that change here:

  https://salsa.debian.org/gnutls-team/gnutls/-/merge_requests/4

I hope this is useful,

        --dkg
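A way to check a debian/upstream/signing-key.asc for the two defects dkg found above (an expired primary key, and certifications made with SHA-1) before the tarball verification fails, added here as an example; it is not code from this thread, from gnutls, from sqop or from the Debian packaging. It walks the RFC 4880 packet stream of the armored file directly, so it runs offline and without sqop, and it only reports what the packets claim: it verifies no signature, so `sqop verify` remains the real check. The file name audit_cert.py, the THREAD_DATE constant (Andreas's message date, used as the reference "now") and the build_sample_cert() helper are assumptions of the example; the certificates that helper builds are constructed with dummy key material and would not verify anywhere.

```python
"""Audit an OpenPGP certificate (e.g. debian/upstream/signing-key.asc) for an
expired primary key and for certifications made with SHA-1, the two defects
found above.  Added example, not code from gnutls, sqop or Debian: it walks
RFC 4880 packets and reports what they claim, without verifying any signature.
"""
import base64, datetime as dt, hashlib, sys

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2, 3}                           # MD5, SHA-1, RIPEMD-160
SIG, PUBKEY, USERID, SUBKEY = 2, 6, 13, 14        # packet tags
CERTIFICATIONS = {0x10, 0x11, 0x12, 0x13}         # certifications of a User ID; self-sigs live here
THREAD_DATE = dt.datetime(2023, 2, 10, tzinfo=dt.timezone.utc)   # assumed reference "now": date of the message above

def dearmor(text):
    """Strip ASCII armor (RFC 4880 s6.2); concatenated key blocks are accepted."""
    body, inside, in_headers = [], False, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("-----BEGIN PGP"):
            inside, in_headers = True, True
        elif line.startswith("-----END PGP"):
            inside = False
        elif inside and not (in_headers and ": " in line):   # skip "Comment: ..." headers
            in_headers = False
            if line and not line.startswith("="):            # skip blank line and CRC-24 line
                body.append(line)
    return base64.b64decode("".join(body))

def decode_length(buf, i, subpacket=False):
    """New-format length at buf[i] (s4.2.2 for packets, s5.2.3.1 for subpackets)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 224 or (subpacket and first < 255):
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not supported")

def iter_packets(data):
    """Yield (tag, body) per packet; GnuPG writes old-format headers, Sequoia new-format."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if hdr & 0x40:                                # new format (s4.2.2)
            tag, (length, i) = hdr & 0x3F, decode_length(data, i + 1)
        else:                                         # old format (s4.2.1): tag in bits 5..2
            tag, size = (hdr >> 2) & 0x0F, (1, 2, 4, None)[hdr & 0x03]
            if size is None:
                raise ValueError("indeterminate length is not supported")
            length, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + length]
        i += length

def parse_subpackets(buf):
    """[(type, data)] from a subpacket area; bit 7 of the type is the critical flag."""
    out, i = [], 0
    while i < len(buf):
        length, i = decode_length(buf, i, subpacket=True)
        out.append((buf[i] & 0x7F, buf[i + 1:i + length]))
        i += length
    return out

def audit(data, now):
    """One report per v4 certificate in the packet stream (a primary key starts a report)."""
    reports, key = [], None                           # key = (created, is_primary) of the last key packet
    for tag, body in iter_packets(data):
        if tag in (PUBKEY, SUBKEY) and body[0] == 4:
            key = (dt.datetime.fromtimestamp(int.from_bytes(body[1:5], "big"), dt.timezone.utc), tag == PUBKEY)
            if tag == PUBKEY:                         # v4 fingerprint = SHA-1(0x99 || len || body), s12.2
                fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
                reports.append({"fingerprint": fpr, "hashes": set(), "uses_weak_hash": False, "primary_expiry": None})
        elif tag == SIG and body[0] == 4 and reports and key:
            sig_type, hash_algo = body[1], body[3]
            reports[-1]["hashes"].add(HASH_NAMES.get(hash_algo, f"algo {hash_algo}"))
            reports[-1]["uses_weak_hash"] |= hash_algo in WEAK_HASHES
            for sptype, spdata in parse_subpackets(body[6:6 + int.from_bytes(body[4:6], "big")]):
                # Subpacket 9 = key expiration, seconds after key creation.  Simplification: the
                # last certification seen wins; a full implementation uses the newest self-signature.
                if sptype == 9 and key[1] and sig_type in CERTIFICATIONS:
                    reports[-1]["primary_expiry"] = key[0] + dt.timedelta(seconds=int.from_bytes(spdata, "big"))
    for r in reports:
        r["expired"] = r["primary_expiry"] is not None and r["primary_expiry"] <= now
    return reports

def build_sample_cert(hash_algo, lifetime, created=1483228800):
    """Constructed certificate with dummy RSA MPIs: structurally valid, verifies nothing."""
    pkt = lambda tag, body: bytes([0xC0 | tag, len(body)]) + body        # new-format, 1-octet length
    key_body = b"\x04" + created.to_bytes(4, "big") + b"\x01\x00\x09\x01\x00\x00\x11\x01\x00\x01"
    hashed = bytes([5, 2]) + created.to_bytes(4, "big") + bytes([5, 9]) + lifetime.to_bytes(4, "big")
    sig_body = (b"\x04\x13\x01" + bytes([hash_algo])                       # v4, positive certification, RSA
                + len(hashed).to_bytes(2, "big") + hashed + b"\x00\x00"    # hashed area, empty unhashed area
                + b"\x00\x00\x00\x08\xff")                                  # hash prefix, dummy signature MPI
    return pkt(PUBKEY, key_body) + pkt(USERID, b"Constructed Example <example@example.invalid>") + pkt(SIG, sig_body)

if __name__ == "__main__":                            # python3 audit_cert.py signing-key.asc
    for r in audit(dearmor(open(sys.argv[1]).read()), dt.datetime.now(dt.timezone.utc)):
        print(r["fingerprint"], "EXPIRED" if r["expired"] else "valid", "until", r["primary_expiry"],
              "| hashes:", ", ".join(sorted(r["hashes"])), "| weak hash:", r["uses_weak_hash"])
```

Run against gnutls-3.7.8/debian/upstream/signing-key.asc it prints one line per certificate in the file, with the v4 fingerprint (so the line for 462225C3B46F34879FC8496CD605848ED7E69871 can be picked out), whether the primary key has passed its self-declared expiry, and the set of hash algorithms its certifications use; a "SHA1" entry or an EXPIRED flag is exactly what makes sqop reject the certificate. The expiry logic is deliberately simple (last certification wins, subkey expiry ignored), which is enough for a packaging sanity check but not a substitute for a real OpenPGP implementation.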