Re: debian-archive-keyring, update for stretch, problem

[Anton Gladky]

Hi Adam,

thanks for your reply!

I have found the reason. I generated the signature using
Debian/Testing (Bookworm), but the signature should be
generated in the same environment, where it will
be used (in this case Stretch).

I regenerated signatures under stretch and everything works fine.

Best regards

Anton

Am Sa., 12. März 2022 um 22:24 Uhr schrieb Adam D. Barratt
:


>
> Hi,
>
> FWIW, I haven't touched d-a-k for a few years now, nor have I seen your
> package, so I'm largely guessing based on your provided text below.
>
> On Sat, 2022-03-12 at 21:52 +0100, Anton Gladky wrote:
> > I followed the README.maintainer. Added my key into team/members.
> > But then, when I just refresh the signature:
> >
> > make clean
> > make keyrings/debian-archive-keyring.gpg
> > gpg --armor --detach-sign keyrings/debian-archive-keyring.gpg
> >
> > The package does not build and fails with the following message:
> >
> > ===
> > gpg --no-options --no-default-keyring --no-auto-check-trustdb
> > --trustdb-name ./trustdb.gpg \
> > --keyring keyrings/team-members.gpg --verify \
> > keyrings/debian-archive-removed-keys.gpg.asc \
> > keyrings/debian-archive-removed-keys.gpg
> > gpg: Signature made Sat Mar 12 20:41:08 2022 UTC
> > gpg:using RSA key
> > BBBD45EA818AB86FF67E7285D3E17383CFA7FF06
> > gpg: BAD signature from "Anton Gladky " [unknown]
> >
> > ===
> >
> > Could you please give advice, why the lately refreshed and signed
> > debian-archive-removed-keys.gpg has a bad signature?
>
> My suspicion would be that you signed the keyring before running the
> build - although you only mention signing debian-archive-keyring.gpg -
> but had somehow not built it correctly so, after it got rebuilt by the
> makefile, your previous signature file no longer matched. (The point of
> using jetring is that the result should match.)
>
> How did you manipulate debian-archive-removed-keys.gpg? Do its contents
> align with removed-keys/index, and the signature on that?
>
> Not that it helps you directly, but I don't remember having seen such
> an error when I was building the package.
>
> Regards,
>
> Adam
>

Re: debian-archive-keyring, update for stretch, problem

[Adam D. Barratt]

Hi,

FWIW, I haven't touched d-a-k for a few years now, nor have I seen your
package, so I'm largely guessing based on your provided text below.

On Sat, 2022-03-12 at 21:52 +0100, Anton Gladky wrote:
> I followed the README.maintainer. Added my key into team/members.
> But then, when I just refresh the signature:
> 
> make clean
> make keyrings/debian-archive-keyring.gpg
> gpg --armor --detach-sign keyrings/debian-archive-keyring.gpg
> 
> The package does not build and fails with the following message:
> 
> ===
> gpg --no-options --no-default-keyring --no-auto-check-trustdb
> --trustdb-name ./trustdb.gpg \
> --keyring keyrings/team-members.gpg --verify \
> keyrings/debian-archive-removed-keys.gpg.asc \
> keyrings/debian-archive-removed-keys.gpg
> gpg: Signature made Sat Mar 12 20:41:08 2022 UTC
> gpg:using RSA key
> BBBD45EA818AB86FF67E7285D3E17383CFA7FF06
> gpg: BAD signature from "Anton Gladky " [unknown]
> 
> ===
> 
> Could you please give advice, why the lately refreshed and signed
> debian-archive-removed-keys.gpg has a bad signature?

My suspicion would be that you signed the keyring before running the
build - although you only mention signing debian-archive-keyring.gpg -
but had somehow not built it correctly so, after it got rebuilt by the
makefile, your previous signature file no longer matched. (The point of
using jetring is that the result should match.)

How did you manipulate debian-archive-removed-keys.gpg? Do its contents
align with removed-keys/index, and the signature on that?

Not that it helps you directly, but I don't remember having seen such
an error when I was building the package.

Regards,

Adam