Hi!

On Wed, 2025-03-19 at 18:43:01 +0100, Ludovic Rousseau wrote:
> Package: dupload
> Version: 2.13.2
> Severity: important
>
> dupload now fails for me with the error:
>
> $ LANG=C dupload *_source.changes --no
> dupload note: no announcement will be sent.
> Checking OpenPGP signatures on ccid_1.6.2-1_source.changes...
> Using keyring: /usr/share/keyrings/debian-keyring.gpg
> Using keyring: /usr/share/keyrings/debian-nonupload.gpg
> Using keyring: /usr/share/keyrings/debian-maintainers.gpg
> gpgv: Signature made Wed Mar 19 17:58:20 2025 CET
> gpgv: using RSA key F5E11B9FFE911146F41D953D78A1B4DFE8F9C57E
> gpgv: issuer "rouss...@debian.org"
> gpgv: Note: signatures using the SHA1 algorithm are rejected
> gpgv: Can't check signature: No public key
> openpgp-check: error: cannot verify OpenPGP signature for ccid_1.6.2-1_source.changes: no acceptable signature found
>
> dupload: error: Pre-upload '/usr/share/dupload/openpgp-check %1' failed for ccid_1.6.2-1_source.changes
>
> My key F5E11B9FFE911146F41D953D78A1B4DFE8F9C57E is present in the debian keyring file:
>
> $ LANG=C gpg --show-keys /usr/share/keyrings/debian-keyring.gpg | grep -B1 rousseau
> gpg: 100 keys processed so far
> gpg: 200 keys processed so far
> gpg: 300 keys processed so far
> gpg: 400 keys processed so far
>       F5E11B9FFE911146F41D953D78A1B4DFE8F9C57E
> uid           Ludovic Rousseau <ludovic.rouss...@free.fr>
> uid           Ludovic Rousseau <rouss...@debian.org>
> gpg: 500 keys processed so far
> gpg: 600 keys processed so far
> gpg: 700 keys processed so far
> gpg: 800 keys processed so far
> gpg: 900 keys processed so far
>
> I signed the package using:
>
> $ debsign *_source.changes
>
> This bug looks similar to #1099178 but in my case I see that the Debian keyring is (should be) used.
>
> I don't know what I am doing wrong.

The problem is that the old openpgp-check hook implementation was ignoring some verification failures, and silencing stdout/stderr from the OpenPGP command being used.

I assume that with an older dupload you should have seen the following message instead: "OpenPGP signature in $FILE cannot be checked, maybe due to missing keys" (or something similar).

The problem is that your key does not appear valid to GnuPG or other OpenPGP implementations. Running the Sequoia certificate linter (from the «sq» package) gives this:

,---
$ sq cert lint --cert F5E11B9FFE911146F41D953D78A1B4DFE8F9C57E
Certificate 78A1B4DFE8F9C57E is not valid under the standard policy:
  No binding signature at time 2025-03-19T23:36:51Z
Certificate 78A1B4DFE8F9C57E contains a User ID (Ludovic Rousseau <ludovic.rouss...@free.fr>) protected by SHA-1
Certificate 78A1B4DFE8F9C57E contains a User ID (Ludovic Rousseau <rouss...@debian.org>) protected by SHA-1
Certificate 78A1B4DFE8F9C57E, key 36A241532F1BEFF0 uses a SHA-1-protected binding signature.

Examined 1 certificate.
  0 certificates are invalid and were not linted. (GOOD)
  1 certificate was linted.
  1 of the 1 certificates (100%) has at least one issue. (BAD)
  0 of the linted certificates were revoked.
    0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD)
  0 of the linted certificates were expired.
  1 of the non-revoked linted certificate has at least one non-revoked User ID:
    1 has at least one User ID protected by SHA-1. (BAD)
    1 has all User IDs protected by SHA-1. (BAD)
  1 of the non-revoked linted certificates has at least one non-revoked, live subkey:
    1 has at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD)
  0 of the non-revoked linted certificates have at least one non-revoked, live, signing-capable subkey:
    0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD)
Error: 1 certificate have at least one issue
`---

You should be able to fix your key by following the instructions in <https://book.sequoia-pgp.org/lint.html>.

The same could be done with GnuPG, but it's way way more tedious (see <https://lore.kernel.org/keys/fxotnlhsyl2frp54xtguy7ryrucuwselanazixeax3motyyoo3@7vf7ip6gxyvx/T/#u> in case you prefer that).

I guess after that, you'll need to update your key in the Debian keyring, by sending it to keyring.debian.org. And temporarily you might need to export your certificate into a local .pgp keyring and tell dupload to use that as a keyring for the desired target host.

Take into account that this problem is also affecting verification of any source package you have been signing. So for example, doing:

  $ apt source --download-only ccid
  $ dpkg-source --require-valid-signature -x ccid_*.dsc

will fail, or similarly with:

  $ dscverify ccid_*.dsc

Although this looks like a problem with the key and not with dupload, I'll leave this open, and then add a hint to its output to try to help others in a similar situation as yours.

Thanks,
Guillem
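The failure above comes from self-signatures (User ID certifications and subkey bindings) that were made with SHA-1, which gpgv now rejects, so the key looks "missing" even though it sits in the keyring. As an added example, not part of this bug report nor of dupload or sq, the following Python script walks the RFC 4880 packet stream of a binary OpenPGP certificate and reports every self-signature whose digest algorithm is SHA-1 or weaker, which is the check `sq cert lint` performs for the "protected by SHA-1" lines. The certificate it scans is constructed inline from dummy packets (assumed names `sample_certificate`, `lint_certificate`, `weak_bindings`); to inspect a real key, feed it the output of `gpg --export <fingerprint>` instead.

```python
"""Flag SHA-1 (or weaker) protected self-signatures in an OpenPGP certificate.
Added example; parses the RFC 4880 packet stream, not tied to any one tool."""
import struct

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASH_IDS = {1, 2, 3}            # MD5, SHA-1, RIPEMD-160
SIG_TYPES = {0x10: "generic certification", 0x13: "positive certification",
             0x18: "subkey binding", 0x19: "primary key binding",
             0x1F: "direct key"}
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY = 2, 6, 13, 14


def iter_packets(data):
    """Yield (tag, body) per packet; handles old- and new-format headers
    (partial body lengths are not used in certificates and are rejected)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % (i - 1))
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                               # indeterminate length
                length = len(data) - i
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[i:i + size], "big")
                i += size
        yield tag, data[i:i + length]
        i += length


def signature_fields(body):
    """Return (signature type, hash algorithm id) of a signature packet body."""
    version = body[0]
    if version == 3:                      # v3 layout: type at 2, hash at 16
        return body[2], body[16]
    if version in (4, 5, 6):              # v4+: version, type, pk algo, hash
        return body[1], body[3]
    raise ValueError("unsupported signature version %d" % version)


def lint_certificate(data):
    """List every signature with the component it binds and its digest."""
    findings, context = [], "primary key"
    for tag, body in iter_packets(data):
        if tag == TAG_USER_ID:
            context = "User ID %s" % body.decode("utf-8", "replace")
        elif tag == TAG_PUBLIC_SUBKEY:
            context = "subkey"
        elif tag == TAG_SIGNATURE:
            sig_type, hash_id = signature_fields(body)
            findings.append({"binds": context,
                             "sig_type": SIG_TYPES.get(sig_type, "0x%02x" % sig_type),
                             "hash": HASH_ALGOS.get(hash_id, "unknown(%d)" % hash_id),
                             "weak": hash_id in WEAK_HASH_IDS})
    return findings


def weak_bindings(data):
    """Readable list of components whose binding signature a modern verifier rejects."""
    return ["%s: %s uses %s" % (f["binds"], f["sig_type"], f["hash"])
            for f in lint_certificate(data) if f["weak"]]


# --- constructed sample certificate (dummy packets, not a real key) ----------
def _packet(tag, body):                  # new-format header, one-octet length
    return bytes([0xC0 | tag, len(body)]) + body


def _sig(sig_type, hash_id):
    """Minimal v4 signature body: header, empty subpacket areas, hash prefix,
    one dummy MPI. Only the header fields matter for this scan."""
    return bytes([4, sig_type, 1, hash_id]) + b"\x00\x00\x00\x00\x00\x00\x00\x08\xab"


def sample_certificate(hash_id):
    """Primary key, one User ID and one subkey, each bound with `hash_id`."""
    key_body = bytes([4, 0, 0, 0, 0, 1, 0, 8, 0xAB])  # v4, time, RSA, dummy MPI
    return (_packet(TAG_PUBLIC_KEY, key_body)
            + _packet(TAG_USER_ID, b"Example User <user@example.org>")
            + _packet(TAG_SIGNATURE, _sig(0x13, hash_id))
            + _packet(TAG_PUBLIC_SUBKEY, key_body)
            + _packet(TAG_SIGNATURE, _sig(0x18, hash_id)))


if __name__ == "__main__":
    for name, cert in (("SHA-1 bound", sample_certificate(2)),
                       ("SHA-256 bound", sample_certificate(8))):
        print(name, "->", weak_bindings(cert) or "no weak binding signatures")
```

The scan deliberately stops at the digest algorithm field: it does not verify the signatures themselves, so a certificate that passes here can still be invalid for other reasons (expiry, revocation, a missing binding signature at the verification time, as in the lint output above). It is useful as a quick pre-check before a gpgv failure is blamed on a missing key.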