Bug#980909: dpkg-dev: dpkg-buildpackage : gpg command uses expired key

[A Mennucc]

Package: dpkg-dev
Version: 1.20.7.1
Severity: minor

Dear all,

I just stumbled in this annoying situation. I do not know
if this may be classified as a bug in dpkg-buildpackage or in gpg.

If I call dpkg-buildpackage to build my package , at a certain point
it calls (as seen in a strace output)

execve("/usr/bin/gpg", ["gpg", "--utf8-strings", "--textmode", "--armor", 
"--local-user", "A Mennucc1 <mennu...@debian.org>", "--clearsign", "--output", 
"dpkg-sign.jze_WfLt/debdelta_0.67.dsc.asc", 
"dpkg-sign.jze_WfLt/debdelta_0.67.dsc"], 0x5593f918e990 /* 95 vars */) = 0

Now, I have two keys with that username, an older DSA key, disabled,
and a newer RSA key, that is
$ gpg --list-sec "A Mennucc1 <mennu...@debian.org>"
sec   dsa1024/0xF41FED8E33FC40A4 2000-03-14 [SCA]
sec   rsa4096/0x57CCF4596A1353C2 2014-09-28 [SC]

For some weird reason, gpg selects the first one.

Let me stress that in ~/.gnupg/gpg.conf I have:
 default-key 0x57CCF4596A1353C2!
so that I am usually signing everything with the correct key.

But here comes the funny part: if I use `debuild -S`, it instead
uses the correct key (!)
According to `strace`, it does
"/usr/bin/gpg", ["gpg", "--local-user", "0x57CCF4596A1353C2", "--clearsign", 
"--list-options", "no-show-policy-
urls", "--armor", "--textmode", "--output", 
"/tmp/debsign.XyM6Vi4v/debdelta_0.67.dsc.asc", "/tmp/debsign.XyM6Vi4v/debdelta_0
.67.dsc"

How could we fix this? 

I uploaded some packages this week, and some times they were rejected
(silently), and I lost a lot of time in understanding what was wrong.

a.

-- Package-specific info:

-- System Information:
Debian Release: buster/sid
  APT prefers bionic-updates
  APT policy: (500, 'bionic-updates'), (500, 'bionic-security'), (500, 
'bionic-proposed'), (500, 'bionic'), (100, 'bionic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-64-generic (SMP w/8 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), 
LANGUAGE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dpkg-dev depends on:
ii  binutils      2.30-21ubuntu1~18.04.4
ii  bzip2         1.0.6-8.1ubuntu0.2
ii  libdpkg-perl  1.20.7.1
ii  make          4.1-9.1ubuntu1
ii  patch         2.7.6-2ubuntu1.1
ii  perl          5.26.1-6ubuntu0.5
ii  tar           1.29b-2ubuntu0.2
ii  xz-utils      5.2.2-1.3

Versions of packages dpkg-dev recommends:
ii  build-essential          12.4ubuntu1
ii  fakeroot                 1.22-2ubuntu1
ii  gcc [c-compiler]         4:7.4.0-1ubuntu2.3
ii  gcc-10 [c-compiler]      10.1.0-2ubuntu1~18.04
ii  gcc-6 [c-compiler]       6.5.0-2ubuntu1~18.04
ii  gcc-7 [c-compiler]       7.5.0-3ubuntu1~18.04
ii  gnupg                    2.2.4-1ubuntu1.3
ii  gpgv                     2.2.4-1ubuntu1.3
pn  libalgorithm-merge-perl  <none>

Versions of packages dpkg-dev suggests:
pn  debian-keyring  <none>

-- no debconf information