On Sun Oct 29, 2023 at 1:31 AM CEST, Nicholas D Steeves wrote: > Package: devscripts > Version: 2.23.6 > Severity: normal > > While creating a local bpo of devscripts 2.23.6 I noticed many > warnings like this: > > gpg: WARNING: "--secret-keyring" is an obsolete option - it has no effect > > in the build log. They are also visible on autobuilders
I noticed these warnings in Salsa's CI too, so did a bit of digging. https://dev.gnupg.org/T2749 "gpg --secret-keyring is silently ignored" Caused the issue to no longer be *silently* ignored, hence the warning. Later in that bug report was a mention to the GnuPG 2.1 release notes: https://www.gnupg.org/download/release_notes.html#gnupg-2.1.0 which is a massive list, but this page is more useful: https://www.gnupg.org/faq/whats-new-in-2.1.html and then especially: https://www.gnupg.org/faq/whats-new-in-2.1.html#nosecring Quoting some relevant parts: gpg used to keep the public key pairs in two files: pubring.gpg and secring.gpg. The only difference is that secring stored in addition to the public part also the private part of the key pair. The secret keyring thus contained only the keys for which a private key is available, that is the user’s key. The design of GnuPG-2 demands that only the gpg-agent has control over the private parts of the keys ... With GnuPG 2.1 this changed and gpg now also delegates all private key operations to the gpg-agent. Thus there is no more code in the gpg binary for handling private keys. The commit which now trigger that gpg warning was: e841bf5ba5b8 ("test_uscan_mangle: test signature") But unfortunately it doesn't describe what it intended to do with those test, which may be needed in order to (properly) rewrite that test code. I don't know how to fix it, but hopefully this additional info is still useful. Cheers, Diederik
signature.asc
Description: PGP signature
