Bug#985712: dscverify doesn't check against the non-uploading developer keyring

Mon, 22 Mar 2021 07:51:18 -0700 

Package: devscripts
Version: 2.21.1
Severity: normal
X-Debbugs-Cc: ni...@debian.org
Tags: patch

Dear Maintainer,

When using dget to get a package I uploaded, dscverify was unable to
verify my signature[1]. It is, however, in the debian-nonupload.gpg
keyring[2]. DDs non-uploading are treated like DMs for uploading
packages [3].

See the attached patch[4], which I will be submitting to salsa as soon
as I have a bug report number.

Thanks!
Taowa


[1]
taowa@tarteausucre:~/debian/yubikey-manager/unblock$ dscverify 
yubikey-manager_4.0.0~a1-3.dsc 
yubikey-manager_4.0.0~a1-3.dsc:
dscverify: yubikey-manager_4.0.0~a1-3.dsc failed signature check:
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: Signature made Sat 20 Mar 2021 04:52:15 PM EDT
gpg:                using RSA key 6EFF24397EA032A9159404AC08F9E3E20C2C79A7
gpg: Can't check signature: No public key
Validation FAILED!!

[2]
gpg --keyring /usr/share/keyrings/debian-nonupload.gpg --no-default-keyring 
--list-key --with-subkey-fingerprint taowa
pub   rsa4096 2018-07-10 [C] [expires: 2022-12-31]
      8FB9C5D6AE7BA82B7BB1D887C51EA7006E6BDC0D
...
uid           [ultimate] Taowa <ta...@debian.org>
...
sub   rsa4096 2020-04-28 [S] [expires: 2021-12-31]
      6EFF24397EA032A9159404AC08F9E3E20C2C79A7

[3] 
https://salsa.debian.org/ftp-team/dak/commit/39205cff6633040adecfdf0f7e4e5db06431a03c

[4]
diff --git a/scripts/dscverify.1 b/scripts/dscverify.1
index a0452f84..151885f8 100644
--- a/scripts/dscverify.1
+++ b/scripts/dscverify.1
@@ -73,6 +73,8 @@ locations:
 - /usr/share/keyrings/debian-keyring.gpg
 
 - /usr/share/keyrings/debian-maintainers.gpg
+
+- /ush/share/keyrings/debian-nonupload.gpg
 .SH "SEE ALSO"
 .BR gpg (1),
 .BR gpg2 (1),
diff --git a/scripts/dscverify.pl b/scripts/dscverify.pl
index 8ae2c340..8ec02946 100755
--- a/scripts/dscverify.pl
+++ b/scripts/dscverify.pl
@@ -95,7 +95,8 @@ sub xdie {
 sub get_rings {
     my @rings    = @_;
     my @keyrings = qw(/usr/share/keyrings/debian-keyring.gpg
-      /usr/share/keyrings/debian-maintainers.gpg);
+      /usr/share/keyrings/debian-maintainers.gpg
+      /usr/share/keyrings/debian-nonupload.gpg);
     $ENV{HOME} = File::HomeDir->my_home;
     if (defined $ENV{HOME} && -r "$ENV{HOME}/.gnupg/trustedkeys.gpg") {
         unshift(@keyrings, "$ENV{HOME}/.gnupg/trustedkeys.gpg");


-- 
Taowa (they)
taowa.ca
LOC FN35EM

Reply via email to