Hi!
On Wed, 2025-07-30 at 20:51:04 -0500, Aaron Rainbolt wrote:
> Package: dpkg-dev
> Version: 1.22.21
> Severity: important
> X-Debbugs-Cc: [email protected]
> dpkg-source's manpage states that when verifying the OpenPGP signature on a
> source package that is being unpacked, the "user's trustedkeys.gpg keyring"
> will be used in addition to vendor-specific and official Debian keyrings.
> Under Bookworm, this means that a source package signed by an
> ultimately-trusted key in ~/.gnupg/trustedkeys.gpg will be accepted by
> dpkg-source. To demonstrate, on a Bookworm machine:
Right.
> On Bookworm, this will work as expected and extract the source package.
> However, if the above steps are executed on a Trixie machine instead, it will
> bail out with the error message "dpkg-source: error: cannot verify inline
> signature for ../myapp_1.0.dsc: no acceptable signature found". I tried using
> both the Trixie default of ECC keys and the prior Bookworm default of RSA keys
> on Trixie, and both of them fail in identical ways.
Yes, on Debian trixie, with the OpenPGP multi-backend support, the
rest of the new backends do not use the trustedkeys keyring, because
that's GnuPG-specific, and can even be in a format that is not
standards-compliant, so it cannot even be read.
(See #1106148 for further details).
I guess the problem is that, due to the above-mentioned bug report, when
dpkg-source grew sqv support it stopped loading the trustedkeys.{kbx,gpg}
keyrings at the same time, and sqv is going to be the default now that
apt pulls it in by default on most architectures.
> If dpkg-source intentionally no longer supports trusting user-provided keys
> when extracting source packages, this should be documented. It would be much
> preferable to fix dpkg-source so that user-provided keys work again though.
Any such changes seemed too disruptive during the freeze, including
documentation fixes which invalidate translations. :/
For the 1.23.x series (targeted at Debian forky), I've already got
queued changes to add support for a --signer-certs option to
dpkg-source (to specify user supplied keyrings in OpenPGP format),
a new --no-vendor-certs option to disable loading the vendor keyrings,
and to then warn and deprecate usage of KeyBox formatted keyrings and
usage of trustedkeys.{kbx,gpg} keyrings.
Thanks,
Guillem
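As an added example for this thread (not dpkg-source's own code, and not from either correspondent): a small Python checker that walks a keyring file and reports whether it is a plain OpenPGP packet stream or GnuPG's KeyBox format, which is one way to see in advance whether a trustedkeys.{kbx,gpg} file is in a form a non-GnuPG backend could read at all. The KeyBox header layout (u32 length, blob type 1, version 1, u16 flags, magic "KBXf" at offset 8) is taken from GnuPG's keybox blob header; the function names and the sample byte strings are this example's own, and the samples are constructed, not real keys.

```python
"""
Added example (not dpkg-source's code, nor from either correspondent):
walk a keyring file and report whether it is a binary OpenPGP packet
stream or GnuPG's KeyBox format. The KeyBox header layout follows
GnuPG's keybox blob header (u32 length, type 1, version 1, u16 flags,
magic "KBXf"); the sample bytes below are constructed and not real keys.
"""
import struct
from pathlib import Path

KBX_MAGIC = b"KBXf"   # KeyBox header-blob magic, sits at offset 8
TAG_PUBLIC_KEY = 6    # RFC 4880 public-key packet
TAG_TRUST = 12        # RFC 4880 trust packet: GnuPG-local, should not be exported


def is_keybox(data: bytes) -> bool:
    """True if the file starts with a KeyBox header blob (type 1, magic 'KBXf')."""
    return len(data) >= 12 and data[4] == 1 and data[8:12] == KBX_MAGIC


def walk_packets(data: bytes):
    """Yield (tag, body_offset, body_length) for every packet in a binary OpenPGP stream.

    Raises ValueError on anything a keyring should never contain: non-packet
    bytes, indeterminate or partial-body lengths, a packet running past EOF.
    """
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"offset {pos:#x}: not an OpenPGP packet header")
        if ctb & 0x40:                       # new-format header (RFC 4880 4.2.2)
            tag = ctb & 0x3F
            l1 = data[pos + 1]
            if l1 < 192:
                length, hdr = l1, 2
            elif l1 < 224:
                length, hdr = ((l1 - 192) << 8) + data[pos + 2] + 192, 3
            elif l1 == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError(f"offset {pos:#x}: partial-body length in a keyring")
        else:                                # old-format header (RFC 4880 4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError(f"offset {pos:#x}: indeterminate length in a keyring")
            hdr = 1 + (1 << ltype)           # 1-, 2- or 4-byte length field
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        body = pos + hdr
        if body + length > len(data):
            raise ValueError(f"offset {pos:#x}: packet runs past end of file")
        yield tag, body, length
        pos = body + length


def classify_keyring(data: bytes) -> dict:
    """Summarise a keyring: format, key count, GnuPG trust packets, problems found."""
    result = {"format": "unknown", "keys": 0, "trust_packets": 0, "problems": []}
    if is_keybox(data):
        result["format"] = "keybox"
        result["problems"].append("KeyBox is GnuPG-specific, not an OpenPGP packet stream")
        return result
    if data.startswith(b"-----BEGIN PGP"):
        result["format"] = "armored"         # ASCII-armored text; not parsed further here
        return result
    try:
        packets = list(walk_packets(data))
    except (ValueError, IndexError, struct.error) as exc:
        result["format"] = "malformed"
        result["problems"].append(str(exc) or "truncated packet header")
        return result
    if not packets:
        result["format"] = "malformed"
        result["problems"].append("empty file")
        return result
    result["format"] = "openpgp"
    result["keys"] = sum(1 for tag, _, _ in packets if tag == TAG_PUBLIC_KEY)
    result["trust_packets"] = sum(1 for tag, _, _ in packets if tag == TAG_TRUST)
    if packets[0][0] != TAG_PUBLIC_KEY:
        result["problems"].append("stream does not start with a public-key packet")
    if result["trust_packets"]:
        result["problems"].append(f"{result['trust_packets']} GnuPG trust packet(s) (tag 12) present")
    return result


def classify_file(path) -> dict:
    return classify_keyring(Path(path).read_bytes())


# Constructed samples, not real keys: a 32-byte KeyBox header blob, and a packet
# stream holding a dummy public key (tag 6), a user ID (tag 13) and a trust packet (tag 12).
SAMPLE_KEYBOX = struct.pack(">IBBH", 32, 1, 1, 0) + KBX_MAGIC + b"\x00" * 20
SAMPLE_OPENPGP = (
    b"\x99\x00\x03" + b"\x04\x00\x00"   # old-format tag 6, 2-byte length = 3
    + b"\xcd\x04" + b"user"             # new-format tag 13, length 4
    + b"\xb0\x02" + b"\x00\x00"         # old-format tag 12, 1-byte length = 2
)


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:] or [Path.home() / ".gnupg" / n
                             for n in ("trustedkeys.kbx", "trustedkeys.gpg")]
    for p in paths:
        print(p, classify_file(p) if Path(p).exists() else "absent")
```

Run it with no arguments to inspect ~/.gnupg/trustedkeys.kbx and ~/.gnupg/trustedkeys.gpg, or pass any keyring paths. A "keybox" result is the case Guillem describes (a GnuPG-only container a standards-based backend cannot read); an "openpgp" result with tag-12 trust packets is a GnuPG-managed keyring rather than a clean export. The walker checks packet structure only and does not validate key material.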