Package: gosop
Version: 1.1.0-3+b3
Severity: normal

Dear Maintainer,

I maintain the minicoredumper package and I noticed that uscan failed to
verify the upstream tarballs. It turns out it only fails if I am using
gosop as my configured alternative for sopv. With gpgv I am not seeing any
problem.

Here is a simple reproducer, using the official Debian files and gosop/gpgv
directly.

First, grab the source, signature, and the signing public key:

$ wget http://deb.debian.org/debian/pool/main/m/minicoredumper/minicoredumper_2.0.7.orig.tar.xz
$ wget http://deb.debian.org/debian/pool/main/m/minicoredumper/minicoredumper_2.0.7.orig.tar.xz.asc
$ wget 'https://salsa.debian.org/jogness-guest/minicoredumper/-/raw/debian/2.0.7-4/debian/upstream/signing-key.asc?ref_type=tags&inline=false' -O signing-key.asc

FAIL CASE: Calling gosop the way uscan does it:

$ gosop verify minicoredumper_2.0.7.orig.tar.xz.asc signing-key.asc < minicoredumper_2.0.7.orig.tar.xz
Code 3: No acceptable signatures found ("gosop verify")

SUCCESS CASE: Calling gpgv the way uscan does it:

$ gpg --homedir /dev/null --dearmor < signing-key.asc > keyring.gpg
$ gpgv --homedir /dev/null --keyring $(realpath keyring.gpg) minicoredumper_2.0.7.orig.tar.xz.asc minicoredumper_2.0.7.orig.tar.xz
gpgv: Signature made Tue Jan  9 14:42:29 2024 UTC
gpgv:                using EDDSA key 4CE14D2AAAC6C2E31BF36920F51469ECE1E71FFB
gpgv:                issuer "[email protected]"
gpgv: Good signature from "John Ogness (Linutronix GmbH) <[email protected]>"

I am able to use gosop to verify other packages with other signing keys.
So it seems gosop just does not like my signing key.


-- System Information:
Debian Release: forky/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.86+deb13-amd64 (SMP w/256 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect (minimal schroot)

Versions of packages gosop depends on:
ii  libc6  2.42-16

Versions of packages gosop recommends:
ii  sopv-doc  1.1.1-1

gosop suggests no packages.

-- no debconf information
