Hi!

On Tue, 2020-06-30 at 14:15:13 +0100, Ian Jackson wrote:
> Package: src:dpkg
> Version: 1.20.2
> User: debian...@lists.debian.org
> Usertags: breaks
> Affects: dgit
>
> autopkgtest regression
>
> in dgit (9.11) on amd64
>
> due to dpkg (1.19.7 to 1.20.2)
>
> test info
>
> REGRESSION
>
> https://ci.debian.net/data/autopkgtest/testing/amd64/d/dgit/6073505/log.gz
>
> https://ci.debian.net/packages/d/dgit/testing/amd64
>
> null
>
> https://ci.debian.net/api/v1/retry/6073505

Right, I had seen that, but given that it was against 1.20.2, and
1.20.3 had already been uploaded with fixes for the upstream
verification regression, I assumed this had been fixed, but didn't
close it just to make sure. It seems this is still a problem though.

> The relevant part of the log says:
>
> + dgit --dgit=dgit --dget:-u --dput:--config=/tmp/autopkgtest-lxc.8prm8y9v/downtmp/autopkgtest_tmp/dput.cf --config-lookup-explode=dgit-distro.debian.alias-canon -dtest-dummy -D -kBCD22CD83243B79D3DFAC33EA3DBCBC039B13D8A import-dsc ../mirror/pool/main/example_1.2.dsc t.1.2
> | git rev-parse --show-toplevel
> => `/tmp/autopkgtest-lxc.8prm8y9v/downtmp/autopkgtest_tmp/example'
> | git config -z --get-regexp --local '.*'
> | git config -z --get-regexp --local '.*'
> | git config -z --get-regexp --global '.*'
> | git config -z --get-regexp --system '.*'
> | git check-ref-format --normalize refs/heads/t.1.2
> => `refs/heads/t.1.2'
> | git symbolic-ref -q HEAD
> => `refs/heads/master'
> | git for-each-ref '--format=%(objectname)' '[r]efs/heads/t.1.2'
> => `'
> gpgv: unknown type of key resource 'trustedkeys.kbx'
> gpgv: keyblock resource '/tmp/autopkgtest-lxc.8prm8y9v/downtmp/autopkgtest_tmp/gnupg/trustedkeys.kbx': General error
> gpgv: Signature made Sun Jun 28 07:40:07 2020 UTC
> gpgv: using RSA key BCD22CD83243B79D3DFAC33EA3DBCBC039B13D8A
> gpgv: Can't check signature: No public key
> dgit: error: failed to verify signature on ../mirror/pool/main/example_1.2.dsc
> + rc=255
> + set +x
>
> %%%%%%%%%%%%%%%%%%%% EXITING 255 %%%%%%%%%%%%%%%%%%%%
>
> Most relevant logs are just before assignment rc=255
> Will now do cleanup etc.
>
> The string "failed to verify signature" is not generated by code in
> dgit. Looking at the code in dgit, I think the error happens here:
>
>     my $dp = new Dpkg::Source::Package filename => $dscfn,
>         require_valid_signature => $needsig;
>     {
>         local $SIG{__WARN__} = sub {
>             print STDERR $_[0];
>             return unless $needsig;
>             fail __ "import-dsc signature check failed";
>         };
>         if (!$dp->is_signed()) {
>             warn f_ "%s: warning: importing unsigned .dsc\n", $us;
>         } else {
>             my $r = $dp->check_signature();
>             confess "->check_signature => $r" if $needsig && $r;
>         }
>     }
>
> I think this rather complex code is trying to deal with API
> compatibility issues surrounding require_valid_signature etc. Anyway,
> I think the message is generated by the call to
> Dpkg::Source::Package::new. I think that function inserted $0 into
> the error message.
>
> I don't know why it is verifying the signature. I think in this
> particular test $needsig is 0. I searched the code for the variable
> and the only place dgit sets it trueish is if dgit import-dsc is
> told --require-valid-signature.

This error message comes from Dpkg::OpenPGP::verify_signature(), called
by Dpkg::Source::Package->check_signature(), so if you do not want to
verify the signature I guess you'd need to conditionalize that call
also with $needsig.

> So I don't know what a "trustedkeys.kbx" file is or why I need one
> now. (dgit's test suite naturally has a set of test keys, so it has
> its own idea of the public keys to use for signature verifications.
> But this test case should not involve any of that.)

Hmm, I guess I should be passing --homedir to gpg also within
verify_signature(), like I did for the import_key() call. But I'm
assuming you are setting GNUPGHOME in the test suite as well, which is
what would make gpg look for the trustedkeys db in there.

Thanks,
Guillem
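As an added example, not part of this thread and not code from dpkg or dgit: the script below shows where gpgv looks for keys, which is what the exchange above turns on. With no --keyring, gpgv consults only trustedkeys.kbx / trustedkeys.gpg inside the home directory that GNUPGHOME (or --homedir) selects, so a GNUPGHOME without the signer's key reproduces "Can't check signature: No public key"; an explicit --keyring decouples the result from the environment. It assumes gpg, gpgv and gpgconf from GnuPG 2.1 or later are on PATH. The signing key, the keyring, the stand-in .dsc and its tampered copy are all constructed on the fly in a temporary directory and are not the test keys or paths from the log.

```shell
#!/bin/sh
# Added example: where gpgv finds its keys, and why a verifier should pin them.
# Not code from dpkg or dgit. Assumes gpg, gpgv and gpgconf (GnuPG >= 2.1) on PATH.
# Everything below (key, keyring, "dsc") is constructed here and thrown away.
set -eu

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer"   # GNUPGHOME holding the throwaway signing key
VERIFY_HOME="$WORK/verify"   # verifier's GNUPGHOME: starts with no trustedkeys at all
KEYRING="$WORK/test-keys.gpg"
DSC="$WORK/example_1.2.dsc"
mkdir -m 700 "$SIGNER_HOME" "$VERIFY_HOME"
# Stop the agent spawned for key generation and remove the temp dir on exit.
trap 'gpgconf --homedir "$SIGNER_HOME" --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# 1. Constructed stand-in for a .dsc: a few control fields, clear-signed with a
#    fresh unprotected Ed25519 key (a real .dsc is a clear-signed control file too).
printf 'Format: 3.0 (quilt)\nSource: example\nVersion: 1.2\n' > "$WORK/example_1.2.body"
gpg --homedir "$SIGNER_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Throwaway test key <test@example.invalid>' ed25519 sign never
gpg --homedir "$SIGNER_HOME" --batch --quiet --yes --armor \
    --clearsign --output "$DSC" "$WORK/example_1.2.body"
# 2. The public half, as a binary keyring file gpgv can read.
gpg --homedir "$SIGNER_HOME" --batch --quiet --export > "$KEYRING"

# gpgv with no --keyring looks only at trustedkeys.kbx / trustedkeys.gpg inside
# the home directory that GNUPGHOME selects. Exit status 0 means a good signature.
verify_default() { # $1 = GNUPGHOME to use, $2 = signed file
    GNUPGHOME="$1" gpgv "$2" >/dev/null 2>&1
}
# With an explicit --keyring the home directory's trustedkeys are not consulted,
# so the outcome no longer depends on what GNUPGHOME happens to point at.
verify_with_keyring() { # $1 = keyring file, $2 = signed file
    gpgv --homedir "$VERIFY_HOME" --keyring "$1" "$2" >/dev/null 2>&1
}

# 3. The failure mode from the log: a GNUPGHOME whose trustedkeys lack the
#    signer's key cannot verify ("Can't check signature: No public key").
if verify_default "$VERIFY_HOME" "$DSC"; then DEFAULT_OK=yes; else DEFAULT_OK=no; fi
# 4. Pinning the keyring verifies regardless of the home directory.
if verify_with_keyring "$KEYRING" "$DSC"; then KEYRING_OK=yes; else KEYRING_OK=no; fi
# 5. Installing the keyring as trustedkeys.gpg in that GNUPGHOME also verifies.
cp "$KEYRING" "$VERIFY_HOME/trustedkeys.gpg"
if verify_default "$VERIFY_HOME" "$DSC"; then TRUSTED_OK=yes; else TRUSTED_OK=no; fi
# 6. A modified payload must fail even with the right keys (bad signature, not a
#    missing key): only the signed control text changes, not the armor.
sed 's/^Version: 1.2$/Version: 1.3/' "$DSC" > "$WORK/tampered.dsc"
if verify_with_keyring "$KEYRING" "$WORK/tampered.dsc"; then TAMPERED_OK=yes; else TAMPERED_OK=no; fi

printf 'default lookup, empty GNUPGHOME: %s\nexplicit --keyring: %s\ntrustedkeys.gpg installed: %s\ntampered .dsc, right keyring: %s\n' \
    "$DEFAULT_OK" "$KEYRING_OK" "$TRUSTED_OK" "$TAMPERED_OK"
```

gpgv makes no trust decision of its own: every key in the keyring it is given, or in the home directory's trustedkeys, is accepted as valid. What a caller pins with --keyring or --homedir is therefore the complete list of keys it will believe; inheriting whatever GNUPGHOME is set in the environment means inheriting someone else's list, or, as in the log above, a key store gpgv cannot read at all.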