Your message dated Thu, 8 Apr 2021 19:40:14 +0200
with message-id <YG8//v+edlsqq...@thunder.hadrons.org>
and subject line Re: Bug#980909: dpkg-dev: dpkg-buildpackage : gpg command uses expired key
has caused the Debian Bug report #980909,
regarding dpkg-dev: dpkg-buildpackage : gpg command uses expired key
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
980909: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980909
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dpkg-dev
Version: 1.20.7.1
Severity: minor

Dear all,

I just stumbled into this annoying situation. I do not know
if this may be classified as a bug in dpkg-buildpackage or in gpg.

If I call dpkg-buildpackage to build my package, at a certain point
it calls (as seen in strace output)

execve("/usr/bin/gpg", ["gpg", "--utf8-strings", "--textmode", "--armor", 
"--local-user", "A Mennucc1 <mennu...@debian.org>", "--clearsign", "--output", 
"dpkg-sign.jze_WfLt/debdelta_0.67.dsc.asc", 
"dpkg-sign.jze_WfLt/debdelta_0.67.dsc"], 0x5593f918e990 /* 95 vars */) = 0

Now, I have two keys with that username, an older DSA key, disabled,
and a newer RSA key, that is
$ gpg --list-sec "A Mennucc1 <mennu...@debian.org>"
sec   dsa1024/0xF41FED8E33FC40A4 2000-03-14 [SCA]
sec   rsa4096/0x57CCF4596A1353C2 2014-09-28 [SC]

For some weird reason, gpg selects the first one.

Let me stress that in ~/.gnupg/gpg.conf I have:
 default-key 0x57CCF4596A1353C2!
so that I am usually signing everything with the correct key.

But here comes the funny part: if I use `debuild -S`, it instead
uses the correct key (!)
According to `strace`, it does
"/usr/bin/gpg", ["gpg", "--local-user", "0x57CCF4596A1353C2", "--clearsign",
"--list-options", "no-show-policy-urls", "--armor", "--textmode", "--output",
"/tmp/debsign.XyM6Vi4v/debdelta_0.67.dsc.asc", "/tmp/debsign.XyM6Vi4v/debdelta_0.67.dsc"

How could we fix this? 

I uploaded some packages this week, and some times they were rejected
(silently), and I lost a lot of time in understanding what was wrong.

a.

-- Package-specific info:

-- System Information:
Debian Release: buster/sid
  APT prefers bionic-updates
  APT policy: (500, 'bionic-updates'), (500, 'bionic-security'), (500, 
'bionic-proposed'), (500, 'bionic'), (100, 'bionic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-64-generic (SMP w/8 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), 
LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dpkg-dev depends on:
ii  binutils      2.30-21ubuntu1~18.04.4
ii  bzip2         1.0.6-8.1ubuntu0.2
ii  libdpkg-perl  1.20.7.1
ii  make          4.1-9.1ubuntu1
ii  patch         2.7.6-2ubuntu1.1
ii  perl          5.26.1-6ubuntu0.5
ii  tar           1.29b-2ubuntu0.2
ii  xz-utils      5.2.2-1.3

Versions of packages dpkg-dev recommends:
ii  build-essential          12.4ubuntu1
ii  fakeroot                 1.22-2ubuntu1
ii  gcc [c-compiler]         4:7.4.0-1ubuntu2.3
ii  gcc-10 [c-compiler]      10.1.0-2ubuntu1~18.04
ii  gcc-6 [c-compiler]       6.5.0-2ubuntu1~18.04
ii  gcc-7 [c-compiler]       7.5.0-3ubuntu1~18.04
ii  gnupg                    2.2.4-1ubuntu1.3
ii  gpgv                     2.2.4-1ubuntu1.3
pn  libalgorithm-merge-perl  <none>

Versions of packages dpkg-dev suggests:
pn  debian-keyring  <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Hi!

On Mon, 2021-01-25 at 01:56:02 +0100, Guillem Jover wrote:
> On Sun, 2021-01-24 at 10:39:20 +0100, A Mennucc wrote:
> > Package: dpkg-dev
> > Version: 1.20.7.1
> > Severity: minor
> 
> > I just stumbled in this annoying situation. I do not know
> > if this may be classified as a bug in dpkg-buildpackage or in gpg.
> > 
> > If I call dpkg-buildpackage to build my package , at a certain point
> > it calls (as seen in a strace output)
> > 
> > execve("/usr/bin/gpg", ["gpg", "--utf8-strings", "--textmode", "--armor", 
> > "--local-user", "A Mennucc1 <mennu...@debian.org>", "--clearsign", 
> > "--output", "dpkg-sign.jze_WfLt/debdelta_0.67.dsc.asc", 
> > "dpkg-sign.jze_WfLt/debdelta_0.67.dsc"], 0x5593f918e990 /* 95 vars */) = 0
> > 
> > Now, I have two keys with that username, an older DSA key, disabled,
> > and a newer RSA key, that is
> > $ gpg --list-sec "A Mennucc1 <mennu...@debian.org>"
> > sec   dsa1024/0xF41FED8E33FC40A4 2000-03-14 [SCA]
> > sec   rsa4096/0x57CCF4596A1353C2 2014-09-28 [SC]
> > 
> > For some weird reason, gpg selects the first one.
> 
> Yeah, I guess it chooses either the first or the last found matching.
> 
> > Let me stress that in ~/.gnupg/gpg.conf I have:
> >  default-key 0x57CCF4596A1353C2!
> > so that I am usually signing everything with the correct key.
> 
> Right, but --local-user overrides --default-key.
> 
> > But here comes the funny part: if I use `debuild -S`, it instead
> > uses the correct key (!)
> > According to `strace`, it does
> > "/usr/bin/gpg", ["gpg", "--local-user", "0x57CCF4596A1353C2", "--clearsign",
> > "--list-options", "no-show-policy-urls", "--armor", "--textmode", "--output",
> > "/tmp/debsign.XyM6Vi4v/debdelta_0.67.dsc.asc", "/tmp/debsign.XyM6Vi4v/debdelta_0.67.dsc"
> 
> I'm assuming you have this configured in ~/.devscripts with
> DEBSIGN_KEYID. You should be able to get similar results for
> dpkg-buildpackage by either setting the DEB_SIGN_KEYID environment
> variable or the sign-key option in ~/.config/dpkg/buildpackage.conf
> to the key fingerprint. (I personally use the former as I can change
> it dynamically depending on the context from bash PROMPT_COMMAND. :)
> 
> > How could we fix this? 
> 
> I'm not sure whether there's a way to tell gpg to prefer one of the
> secret keys when presented with just «Name <email>». But otherwise see
> above. So I'm inclined to close this, otherwise you could request a
> way to mark a secret key as preferred in the GnuPG secret keyring?

I'm closing this now then. If anyone feels that "this" (whatever part)
needs fixing elsewhere, please feel free to reopen and reassign, or
file a new one, etc.

Thanks,
Guillem

--- End Message ---
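The reply's advice is to hand dpkg-buildpackage an unambiguous fingerprint via DEB_SIGN_KEYID (or sign-key in ~/.config/dpkg/buildpackage.conf) rather than the "Name <email>" string that gpg resolves to whichever matching secret key it finds first. The following is an added example, not code from the bug report, dpkg or devscripts: it parses gpg's `--with-colons` secret-key listing, drops disabled, expired or revoked keys, and only emits a fingerprint when exactly one usable key matches, so the ambiguity is caught before an upload is silently rejected. The listing embedded below is constructed from the two keys in the report, with zero-padded placeholder fingerprints rather than real ones.

```shell
#!/bin/sh
# Added example, not part of the bug report or of dpkg/devscripts.
# Given a `gpg --with-colons --list-secret-keys` listing, find every
# secret key whose user ID contains the string dpkg-buildpackage would
# pass to --local-user, skip keys that are disabled (capability field 12
# contains "D") or expired/revoked/invalid (validity field e, r, i, d),
# and print the fingerprint only if exactly one usable key remains.
# Exit status: 0 = one usable key, 1 = none, 2 = ambiguous.
pick_signing_key() {
    listing=$1   # colon-format listing passed as a string, so it runs offline
    wanted=$2    # e.g. "A Mennucc1 <mennu...@debian.org>"
    printf '%s\n' "$listing" | awk -F: -v pat="$wanted" '
        $1 == "sec" {                       # new primary key: reset per-key state
            fpr = ""; matched = 0
            usable = !($2 ~ /^[erid]$/ || index($12, "D") > 0)
        }
        $1 == "fpr" && fpr == "" { fpr = $10 }   # first fpr record = primary key
        $1 == "uid" && !matched && index($10, pat) > 0 {
            matched = 1                     # count each key once, however many UIDs match
            if (usable) { n++; chosen = fpr } else { skipped++ }
        }
        END {
            if (n == 1) { print chosen; exit 0 }
            msg = (n == 0) ? "no usable key matches" : n " usable keys match"
            print msg " (" skipped+0 " unusable skipped); set DEB_SIGN_KEYID explicitly" > "/dev/stderr"
            exit ((n == 0) ? 1 : 2)
        }'
}

# Constructed sample listing modelled on the two keys in the report: a
# disabled DSA key and the RSA key that should be used. The fingerprint
# and UID-hash fields are zero-padded placeholders, not real values.
SAMPLE_LISTING='sec:u:1024:17:F41FED8E33FC40A4:953001600::::::scaSCAD:::+:::23::0:
fpr:::::::::000000000000000000000000F41FED8E33FC40A4:
uid:u::::953001600::0000000000000000000000000000000000000001::A Mennucc1 <mennu...@debian.org>::::::::::0:
sec:u:4096:1:57CCF4596A1353C2:1411862400::::::scESC:::+:::23::0:
fpr:::::::::00000000000000000000000057CCF4596A1353C2:
uid:u::::1411862400::0000000000000000000000000000000000000002::A Mennucc1 <mennu...@debian.org>::::::::::0:'

# Against a live keyring (assumes gpg is installed) the same function is used as:
#   DEB_SIGN_KEYID=$(pick_signing_key "$(gpg --with-colons --list-secret-keys)" "$WANTED") && export DEB_SIGN_KEYID
pick_signing_key "$SAMPLE_LISTING" "A Mennucc1 <mennu...@debian.org>"
```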