Hi!

On Sun, 2021-01-24 at 10:39:20 +0100, A Mennucc wrote:
> Package: dpkg-dev
> Version: 1.20.7.1
> Severity: minor

> I just stumbled in this annoying situation. I do not know
> if this may be classified as a bug in dpkg-buildpackage or in gpg.
> 
> If I call dpkg-buildpackage to build my package , at a certain point
> it calls (as seen in a strace output)
> 
> execve("/usr/bin/gpg", ["gpg", "--utf8-strings", "--textmode", "--armor", 
> "--local-user", "A Mennucc1 <mennu...@debian.org>", "--clearsign", 
> "--output", "dpkg-sign.jze_WfLt/debdelta_0.67.dsc.asc", 
> "dpkg-sign.jze_WfLt/debdelta_0.67.dsc"], 0x5593f918e990 /* 95 vars */) = 0
> 
> Now, I have two keys with that username, an older DSA key, disabled,
> and a newer RSA key, that is
> $ gpg --list-sec "A Mennucc1 <mennu...@debian.org>"
> sec   dsa1024/0xF41FED8E33FC40A4 2000-03-14 [SCA]
> sec   rsa4096/0x57CCF4596A1353C2 2014-09-28 [SC]
> 
> For some weird reason, gpg selects the first one.

Yeah, I guess it chooses either the first or the last found matching.

> Let me stress that in ~/.gnupg/gpg.conf I have:
>  default-key 0x57CCF4596A1353C2!
> so that I am usually signing everything with the correct key.

Right, but the --local-user overrides --default-key.

> But here comes the funny part: if I use `debuild -S`, it instead
> uses the correct key (!)
> According to `strace`, it does
> "/usr/bin/gpg", ["gpg", "--local-user", "0x57CCF4596A1353C2", "--clearsign",
> "--list-options", "no-show-policy-urls", "--armor", "--textmode", "--output",
> "/tmp/debsign.XyM6Vi4v/debdelta_0.67.dsc.asc",
> "/tmp/debsign.XyM6Vi4v/debdelta_0.67.dsc"

I'm assuming you have this configured in ~/.devscripts with
DEBSIGN_KEYID. You should be able to get similar results for
dpkg-buildpackage by either setting the DEB_SIGN_KEYID environment
variable or the sign-key option in ~/.config/dpkg/buildpackage.conf
to the key fingerprint. (I personally use the former as I can change
it dynamically depending on the context from bash PROMPT_COMMAND. :)

> How could we fix this? 

I'm not sure whether there's a way to tell gpg to prefer one of the
secret keys when presented with just «Name <email>». But otherwise see
above. So I'm inclined to close this, otherwise you could request a
way to mark a secret key as preferred in the GnuPG secret keyring?

Thanks,
Guillem
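The check that the advice above implies, resolving a «Name <email>» to exactly one fingerprint before putting it in DEB_SIGN_KEYID or the sign-key option, as an added shell example that is not code from this thread, from dpkg or from GnuPG; the listing is a constructed sample in the `--with-colons` format and the fingerprints are zero-padded placeholders.

```sh
# Constructed sample (not real keys) in the colon format of
# `gpg --list-secret-keys --with-colons`: two secret primary keys carrying the
# same user ID, as in the report. Fingerprints are zero-padded placeholders
# ending in the key IDs from the thread. Field 10 holds the fingerprint on
# "fpr" records and the user ID on "uid" records.
SAMPLE_LISTING='sec:u:1024:17:F41FED8E33FC40A4:953000000::::::scaESCA:::+:::23::0:
fpr:::::::::000000000000000000000000F41FED8E33FC40A4:
uid:u::::953000000::DEADBEEF00000001::A Mennucc1 <mennu...@debian.org>::::::::::0:
sec:u:4096:1:57CCF4596A1353C2:1411900000::::::scESC:::+:::23::0:
fpr:::::::::00000000000000000000000057CCF4596A1353C2:
uid:u::::1411900000::DEADBEEF00000002::A Mennucc1 <mennu...@debian.org>::::::::::0:
ssb:u:4096:1:0000000000000001:1411900000::::::e:::+:::23:
fpr:::::::::0000000000000000000000000000000000000001:'

# Print the fingerprint of every secret primary key with a user ID containing
# $2 (what one would pass to --local-user); $1 is the listing text.
# Subkey ("ssb") fingerprints are skipped, and a key is printed once even if
# several of its user IDs match.
sign_keys_for_uid() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        $1 == "sec" { primary = 1; cur = "" }
        $1 == "ssb" { primary = 0 }
        $1 == "fpr" && primary { cur = $10 }
        $1 == "uid" && primary && cur != "" && index($10, want) && !(cur in seen) {
            seen[cur] = 1; print cur
        }'
}

# Resolve $2 to exactly one fingerprint on stdout, the value to put in
# DEB_SIGN_KEYID or the sign-key option. Fail when the name is ambiguous
# instead of letting gpg silently use whichever matching key it finds first.
resolve_sign_key() {
    matches=$(sign_keys_for_uid "$1" "$2")
    n=$(printf '%s' "$matches" | grep -c . || :)
    case "$n" in
        1) printf '%s\n' "$matches" ;;
        0) echo "no secret key matches \"$2\"" >&2; return 1 ;;
        *) echo "\"$2\" is ambiguous; matching secret keys:" >&2
           printf '%s\n' "$matches" >&2; return 1 ;;
    esac
}

# Demo: the bare name from the report matches both keys, so resolution fails
# and nothing is exported; a fingerprint must be configured explicitly.
if fpr=$(resolve_sign_key "$SAMPLE_LISTING" "A Mennucc1 <mennu...@debian.org>"); then
    echo "export DEB_SIGN_KEYID=$fpr"
fi
```

Run against a real keyring by replacing SAMPLE_LISTING with the output of `gpg --list-secret-keys --with-colons`.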
