Adding the --require-valid-signature option to the dpkg-source command
called from apt-get source will change the default behaviour. As this is
quite an invasive change, breaking apt-get source when no key is installed,
maybe it is better to be able to configure the options of dpkg-source?
Also the attached patch is incomplete, as apt-get now recommends checking
whether dpkg-dev is installed instead of testing the error message. A
developer's input on how to proceed here would be good to have.

$ apt-get source hello
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Skipping already downloaded file 'hello_2.7-2.dsc'
Skipping already downloaded file 'hello_2.7.orig.tar.gz'
Skipping already downloaded file 'hello_2.7-2.debian.tar.gz'
Need to get 0 B of source archives.
gpgv: Signature made Thu 04 Aug 2011 01:11:39 PM CEST using RSA key ID 9F1B8B32
gpgv: Can't check signature: public key not found
dpkg-source: error: failed to verify signature on ./hello_2.7-2.dsc
Unpack command 'dpkg-source -x --require-valid-signature hello_2.7-2.dsc' failed.
Check if the 'dpkg-dev' package is installed.
E: Child process failed


** Patch added: "apt_dpkgsource-gpgcheck.patch"
   
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/939322/+attachment/2820798/+files/apt_dpkgsource-gpgcheck.patch

** Changed in: apt (Ubuntu)
       Status: Confirmed => Triaged

https://bugs.launchpad.net/bugs/939322

Title:
  apt-get source ignores missing key
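
The log above fails because the signing key is absent, not because the signature is bad. The following added example (not apt or dpkg code, and not part of the bug report) separates those cases using gpgv's machine-readable status output and applies a configurable policy. The function names, the strict/lenient policy values and the sample key ID are assumptions.

```shell
#!/bin/sh
# Added example, not apt or dpkg code. Function names and the strict/lenient
# policy values are hypothetical; the [GNUPG:] keywords are gpgv's own.

# Read `gpgv --status-fd 1` lines on stdin; print valid|missing-key|bad|unsigned.
classify_dsc_status() {
    result=unsigned
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            # bad, expired or revoked: reject, whatever else was seen
            BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) result=bad; break ;;
            NO_PUBKEY) [ "$result" = valid ] || result=missing-key ;;
            VALIDSIG)  result=valid ;;
        esac
    done
    printf '%s\n' "$result"
}

# Map a classification to an exit status. $2 is strict (default) or lenient;
# lenient tolerates only a missing key, never a bad or absent signature.
dsc_policy() {
    case "$1" in
        valid) return 0 ;;
        missing-key)
            if [ "${2:-strict}" = lenient ]; then
                echo "warning: signing key not in keyring, signature unchecked" >&2
                return 0
            fi
            return 1 ;;
        *) return 1 ;;
    esac
}

# Verify a .dsc against a keyring, then unpack. $1=.dsc $2=keyring $3=policy
verified_unpack() {
    status=$(gpgv --status-fd 1 --keyring "$2" "$1" 2>/dev/null | classify_dsc_status)
    dsc_policy "$status" "$3" || { echo "refusing $1: $status" >&2; return 1; }
    dpkg-source -x "$1"
}

# Constructed sample of the status lines for the missing-key case in the log.
sample_missing_key() {
    printf '%s\n' '[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 01 1312456299 9' \
                  '[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
}
```
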
