Hi, before filing bugs and doing it wrong, I need to ask: A few hours ago, after upgrading my system, I got a new warning from lintian in my packages (I'm not on debian-maintainers.gpg keyring):

$ lintian -i -I subtitlecomposer_0.5.2-1.dsc
I: subtitlecomposer source: tar-errors-from-source gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
N:
N: tar produced an error while unpacking this source package. This probably
N: means there's something broken or at least strange about the way the
N: upstream tar file was constructed. You may want to report this as an
N: upstream bug.
N:
N: Severity: normal, Certainty: wild-guess
N:
I: subtitlecomposer source: tar-errors-from-source gpgv: Can't check signature: public key not found

Of course I have my public key in gpg. So, here's the first thing I did to figure out what's happening:

$ gpgv subtitlecomposer_0.5.2-1.dsc
gpgv: keyblock resource `/home/santa/.gnupg/trustedkeys.gpg': general error
gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
gpgv: Can't check signature: public key not found

Then I created the trustedkeys.gpg with my public key:

$ gpg --no-default-keyring --keyring trustedkeys.gpg --recv-keys 5f99c10f
gpg: keyring `/home/santa/.gnupg/trustedkeys.gpg' created
gpg: requesting key 5F99C10F from hkp server wwwkeys.eu.pgp.net
gpg: key 5F99C10F: public key "José Manuel Santamaría Lema <panfa...@gmail.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg: imported: 1

Then gpgv works:

$ gpgv subtitlecomposer_0.5.2-1.dsc
gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
gpgv: Good signature from "José Manuel Santamaría Lema <panfa...@gmail.com>

Then, lintian again:

$ lintian -i -I subtitlecomposer_0.5.2-1.dsc
I: subtitlecomposer source: tar-errors-from-source gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
N:
N: tar produced an error while unpacking this source package. This probably
N: means there's something broken or at least strange about the way the
N: upstream tar file was constructed. You may want to report this as an
N: upstream bug.
N:
N: Severity: normal, Certainty: wild-guess
N:
I: subtitlecomposer source: tar-errors-from-source gpgv: Can't check signature: public key not found

So, to figure out what was happening, I checked what dpkg-source -x does:

$ dpkg-source -x subtitlecomposer_0.5.2-1.dsc
gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./subtitlecomposer_0.5.2-1.dsc
dpkg-source: info: extracting subtitlecomposer in subtitlecomposer-0.5.2
dpkg-source: info: unpacking subtitlecomposer_0.5.2.orig.tar.gz
dpkg-source: info: applying subtitlecomposer_0.5.2-1.diff.gz

Then, I checked dscverify:

$ dscverify subtitlecomposer_0.5.2-1.dsc
subtitlecomposer_0.5.2-1.dsc:
dscverify: subtitlecomposer_0.5.2-1.dsc failed signature check:
gpg: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
gpg: Can't check signature: public key not found
Validation FAILED!!

After reading the dscverify and devscripts.conf manpages I added this line to /etc/devscripts.conf:

DSCVERIFY_KEYRINGS="trustedkeys.gpg"

Executing dscverify again, it works:

$ dscverify subtitlecomposer_0.5.2-1.dsc
subtitlecomposer_0.5.2-1.dsc:
Good signature found
validating subtitlecomposer_0.5.2.orig.tar.gz
validating subtitlecomposer_0.5.2-1.diff.gz
All files validated successfully.

But both lintian and dpkg-source don't. (Same output as above)

Quoting dpkg-source man page:

>--require-valid-signature
>Refuse to unpack the source package if it doesn’t contain an OpenPGP
>signature that can be verified either with the user’s trusted‐keys.gpg
>keyring, one of the vendor-specific keyrings, or one of the official Debian
>keyrings (/usr/share/keyrings/debian-keyring.gpg and
>/usr/share/keyrings/debian-maintainers.gpg).

The name for the ring is trustedkeys.gpg instead of trusted-keys.gpg, I guess it's a typo, however, even creating trusted-keys.gpg keyring both dpkg-source -x and lintian do not work properly. Of course adding --require-valid-signature results in dpkg-source refusing to unpack the source package. But I'm on trustedkeys.gpg.

Finally, I've checked the current bug reports for lintian, dpkg, debian-devel ml and this one. I've checked for the pgp, gpg, sign ... words, but I found nothing. Is it a bug? Am I missing something?
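
A diagnostic for the situation described in this message, as an added example that is not part of the original post: it runs gpgv with one explicit keyring at a time (the three keyring paths named above) and classifies gpgv's machine-readable status lines, so a key that is absent from a given keyring is reported separately from a signature that fails to verify. The function names and verdict strings are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original message.

# classify_status: read `gpgv --status-fd 1` output on stdin and print one
# verdict. NO_PUBKEY means the signing key is not in the keyring that was
# consulted; BADSIG means the key was found but the signature does not match.
classify_status() {
    verdict="no-signature-data"
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)   verdict="good"; break ;;
            "[GNUPG:] BADSIG "*)    verdict="bad-signature"; break ;;
            "[GNUPG:] NO_PUBKEY "*) verdict="key-not-in-keyring" ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] EXPSIG "*)
                                    verdict="expired-or-revoked"; break ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# check_keyrings FILE KEYRING...: verify FILE against each keyring on its own
# and print "<keyring>: <verdict>" per keyring.
check_keyrings() {
    signed_file=$1
    shift
    for ring in "$@"; do
        if [ ! -r "$ring" ]; then
            printf '%s: keyring-missing\n' "$ring"
            continue
        fi
        result=$(gpgv --keyring "$ring" --status-fd 1 "$signed_file" \
                     2>/dev/null | classify_status)
        printf '%s: %s\n' "$ring" "$result"
    done
}

# Usage: sh check-dsc.sh subtitlecomposer_0.5.2-1.dsc
if [ "$#" -ge 1 ]; then
    check_keyrings "$1" \
        "$HOME/.gnupg/trustedkeys.gpg" \
        /usr/share/keyrings/debian-keyring.gpg \
        /usr/share/keyrings/debian-maintainers.gpg
fi
```
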