Hi, before filing bugs and doing it wrong, I need to ask:

A few hours ago, after upgrading my system, I got a new warning from lintian 
in my packages (I'm not in the debian-maintainers.gpg keyring):

$ lintian -i -I subtitlecomposer_0.5.2-1.dsc
I: subtitlecomposer source: tar-errors-from-source gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
N:
N:    tar produced an error while unpacking this source package. This probably
N:    means there's something broken or at least strange about the way the
N:    upstream tar file was constructed. You may want to report this as an
N:    upstream bug.
N:
N:    Severity: normal, Certainty: wild-guess
N:
I: subtitlecomposer source: tar-errors-from-source gpgv: Can't check signature: public key not found

Of course I have my public key in gpg. So, here's the first thing I did to 
figure out what's happening:

$ gpgv subtitlecomposer_0.5.2-1.dsc
gpgv: keyblock resource `/home/santa/.gnupg/trustedkeys.gpg': general error
gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
gpgv: Can't check signature: public key not found

Then I created the trustedkeys.gpg with my public key:

$ gpg --no-default-keyring --keyring trustedkeys.gpg --recv-keys 5f99c10f
gpg: keyring `/home/santa/.gnupg/trustedkeys.gpg' created
gpg: requesting key 5F99C10F from hkp server wwwkeys.eu.pgp.net
gpg: key 5F99C10F: public key "José Manuel Santamaría Lema <panfa...@gmail.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1

Then gpgv works:

$ gpgv subtitlecomposer_0.5.2-1.dsc
gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
gpgv: Good signature from "José Manuel Santamaría Lema <panfa...@gmail.com>"

Then, lintian again:

$ lintian -i -I subtitlecomposer_0.5.2-1.dsc
I: subtitlecomposer source: tar-errors-from-source gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
N:
N:    tar produced an error while unpacking this source package. This probably
N:    means there's something broken or at least strange about the way the
N:    upstream tar file was constructed. You may want to report this as an
N:    upstream bug.
N:
N:    Severity: normal, Certainty: wild-guess
N:
I: subtitlecomposer source: tar-errors-from-source gpgv: Can't check signature: public key not found

So, to figure out what was happening, I checked what dpkg-source -x does:

$ dpkg-source -x subtitlecomposer_0.5.2-1.dsc
gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./subtitlecomposer_0.5.2-1.dsc
dpkg-source: info: extracting subtitlecomposer in subtitlecomposer-0.5.2
dpkg-source: info: unpacking subtitlecomposer_0.5.2.orig.tar.gz
dpkg-source: info: applying subtitlecomposer_0.5.2-1.diff.gz

Then, I checked dscverify:

$ dscverify subtitlecomposer_0.5.2-1.dsc
subtitlecomposer_0.5.2-1.dsc:
dscverify: subtitlecomposer_0.5.2-1.dsc failed signature check:
gpg: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
gpg: Can't check signature: public key not found
Validation FAILED!!

After reading the dscverify and devscripts.conf manpages I added this line to 
/etc/devscripts.conf:

DSCVERIFY_KEYRINGS="trustedkeys.gpg"

Executing dscverify again, it works:

$ dscverify subtitlecomposer_0.5.2-1.dsc
subtitlecomposer_0.5.2-1.dsc:
      Good signature found
   validating subtitlecomposer_0.5.2.orig.tar.gz
   validating subtitlecomposer_0.5.2-1.diff.gz
All files validated successfully.

But neither lintian nor dpkg-source does (same output as above). Quoting the 
dpkg-source man page:

>--require-valid-signature
>Refuse  to  unpack the source package if it doesn’t contain an OpenPGP 
>signature that can be verified either with the user’s trusted‐keys.gpg 
>keyring, one of the vendor-specific keyrings, or one of the official Debian 
>keyrings (/usr/share/keyrings/debian-keyring.gpg and 
>/usr/share/keyrings/debian-maintainers.gpg).

The name for the ring is trustedkeys.gpg instead of trusted-keys.gpg; I guess 
it's a typo. However, even after creating a trusted-keys.gpg keyring, neither 
dpkg-source -x nor lintian works properly.

Of course adding --require-valid-signature results in dpkg-source refusing to 
unpack the source package. But I'm in trustedkeys.gpg.

Finally, I've checked the current bug reports for lintian, dpkg, the debian-devel 
ml and this one. I've searched for the words pgp, gpg, sign ... but I found 
nothing.

Is it a bug?
Am I missing something?

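As an added illustration (not part of the original mail): a small Python helper that walks the keyrings the quoted manpage names, the way dpkg-source does, and separates "public key not found" (a trust-configuration gap, the situation above) from "BAD signature" (an integrity failure that must never be waved through). The keyring paths are the ones quoted from the manpage, the sample gpgv lines are constructed from the output shown in the mail, and gpgv is assumed to be installed for verify_dsc.

```python
import os
import re
import subprocess

# Keyrings dpkg-source consults, in the order the quoted manpage lists them.
DEFAULT_KEYRINGS = [
    os.path.expanduser("~/.gnupg/trustedkeys.gpg"),
    "/usr/share/keyrings/debian-keyring.gpg",
    "/usr/share/keyrings/debian-maintainers.gpg",
]

_KEYID = re.compile(r"key ID ([0-9A-Fa-f]{8,16})")
_SIGNER = re.compile(r'Good signature from "([^"\n]*)')

# Constructed sample input: the two gpgv results shown in the mail.
SAMPLE_MISSING = (
    "gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F\n"
    "gpgv: Can't check signature: public key not found\n")
SAMPLE_GOOD = (
    "gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F\n"
    'gpgv: Good signature from "José Manuel Santamaría Lema <panfa...@gmail.com>"\n')


def classify_gpgv_output(text):
    """Return (status, key_id, signer) parsed from gpgv's stderr text.
    'no_pubkey': key absent from the keyring consulted (configuration gap).
    'bad': signed data does not match the signature (integrity failure)."""
    m = _KEYID.search(text)
    key_id = m.group(1).upper() if m else None
    if "BAD signature" in text:
        return ("bad", key_id, None)
    m = _SIGNER.search(text)
    if m:
        return ("good", key_id, m.group(1))
    if "public key not found" in text:
        return ("no_pubkey", key_id, None)
    return ("unknown", key_id, None)


def verify_dsc(dsc_path, keyrings=DEFAULT_KEYRINGS):
    # Try each keyring with gpgv; return the first good result as
    # (status, key_id, signer, keyring), otherwise the last result seen.
    result = ("unknown", None, None, None)
    for ring in keyrings:
        if not os.path.exists(ring):
            continue
        proc = subprocess.run(["gpgv", "--keyring", ring, dsc_path], capture_output=True, text=True)
        status, key_id, signer = classify_gpgv_output(proc.stderr)
        result = (status, key_id, signer, ring)
        if status == "good" and proc.returncode == 0:
            return result
    return result
```

Running verify_dsc on the .dsc from the mail shows which keyring, if any, gpgv actually accepted the key from, which is the question dpkg-source's own message leaves open.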