On Tue 20.5.2025 at 15.07 Guillem Jover (guil...@debian.org) wrote:
> On Tue, 2025-05-20 at 14:52:59 +0300, Martin-Éric Racine wrote:
> > On Tue 20.5.2025 at 14.30 Guillem Jover (guil...@debian.org) wrote:
> > > On Tue, 2025-05-20 at 13:33:58 +0300, Martin-Éric Racine wrote:
> > > > Package: dpkg-dev
> > > > Version: 1.22.19
> > > > Severity: normal
> > > > X-Debbugs-Cc: martin-eric.rac...@iki.fi
> > > >
> > > > I cannot help but wonder why 'sqv' insists on getting told which
> > > > keyring to use. gpgv was perfectly capable of using all available
> > > > keyrings.
> > >
> > > Hmm, I'm not sure I understand this comment. gpgv has always also
> > > been passed the required Debian keyrings to verify stuff, but the
> > > difference is that we need to create a temporary home directory
> > > and for gpgv we always touch the trustedkeys.gpg keyring which is
> > > what the tool falls back to if there is no other keyring specified.
> > > Which it will still then fail to verify.
> >
> > gpgv never had difficulties verifying the signature....
> >
> > > > Anyhow, until this has been fixed, the primary signature verification
> > > > method fails on Trixie.
> > >
> > > The dpkg code will detect all the OpenPGP backends it supports, from
> > > any SOP/SOPV implementation, then sq/sqv and finally gpg/gpgv. But they
> > > all will fail in some way or another due to…
> > >
> > > > Versions of packages dpkg-dev suggests:
> > > > pn debian-keyring <none>
> > > > pn debian-tag2upload-keyring <none>
> > >
> > > … this.
> >
> > ... even without these, but sqv does.
> >
> > As far as I can tell, the key issue is that gpgv knows about the
> > user's personal keyring (which, in my case, has the key of many DD/DM,
> > as a result of previous key signing parties) as well as system
> > keyrings, while sqv seemingly doesn't.
>
> Sorry that I was not more clear. When verifying signatures using any of
> the GnuPG implementation commands (gpg or gpgv), we never use the user
> home directory (and neither its pubring.{pgp,kbx} keyrings), the only
> thing from the GnuPG home directory we try to use is the
> ~/.gnupg/trustedkeys.{gpg,kbx} keyring if present, but those do not get
> automatically populated by gpg (AFAIR). So I'm assuming you might
> have added your own certificate there (and perhaps a select few?), and
> if so that would mean you would not be able to verify other source
> packages that are signed by other people.

I never said that they get automatically populated. I said that if the key used to sign the package is present in ~/.gnupg/*, gpgv apparently knows how to use it, while sqv seemingly doesn't. FWIW, I purposely don't install debian-keyring, because the unpacked file is huge, and gpgv knows how to source the key from ~/.gnupg/* as needed.

Martin-Éric
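The thread above turns on one behavioural difference: gpgv falls back to ~/.gnupg/trustedkeys.gpg when no keyring is given, while sqv verifies only against keyrings passed explicitly on the command line. The following wrapper, added here as an illustration and not code from the bug report or from dpkg, collects the keyrings that exist on the system and hands each one to sqv with --keyring, so sqv sees the same keys gpgv would have found; when no keyring can be located it fails early with a clear message instead of a bare verification failure. The system keyring paths under /usr/share/keyrings, the function names, and the optional home/system directory parameters (present so the logic can be exercised without real keyrings) are assumptions of this example, not taken from the discussion.

```shell
#!/bin/sh
# Added example, not part of the bug report or of dpkg.
# Goal: make sqv verification use the same keyrings gpgv would reach
# (user trustedkeys + system keyrings) by passing them explicitly.

# Print one existing, readable keyring path per line.
#   $1: home directory to search (defaults to $HOME)
#   $2: system keyring directory (defaults to /usr/share/keyrings)
# Both defaults are assumptions of this example.
candidate_keyrings() {
    home="${1:-$HOME}"
    sysdir="${2:-/usr/share/keyrings}"
    for k in \
        "$home/.gnupg/trustedkeys.gpg" \
        "$home/.gnupg/trustedkeys.kbx" \
        "$sysdir/debian-keyring.gpg" \
        "$sysdir/debian-maintainers.gpg"; do
        [ -r "$k" ] && printf '%s\n' "$k"
    done
    return 0
}

# Build "--keyring PATH " arguments for every keyring found.
# (Paths containing spaces would need array handling; kept simple here.)
sqv_keyring_args() {
    candidate_keyrings "$1" "$2" | while IFS= read -r k; do
        printf -- '--keyring %s ' "$k"
    done
}

# Verify detached signature $1 over file $2.
# Returns 2 when no keyring exists at all (the failure mode in the thread),
# 3 when no verifier is installed, otherwise the verifier's own exit status.
verify_detached() {
    sig="$1"; data="$2"
    args=$(sqv_keyring_args "$3" "$4")
    if [ -z "$args" ]; then
        echo "no keyring found: install debian-keyring or populate" \
             "~/.gnupg/trustedkeys.gpg, then retry" >&2
        return 2
    fi
    if command -v sqv >/dev/null 2>&1; then
        # shellcheck disable=SC2086  # word splitting of $args is intended
        sqv $args "$sig" "$data"
    elif command -v gpgv >/dev/null 2>&1; then
        # gpgv would fall back to trustedkeys.gpg on its own; passing the
        # same explicit list keeps both backends consistent.
        gpgv $args "$sig" "$data"
    else
        echo "no OpenPGP verifier (sqv or gpgv) installed" >&2
        return 3
    fi
}
```

Usage: `verify_detached package.dsc.asc package.dsc`. The early exit with status 2 is the part worth keeping even if the rest is adapted: it turns "signature could not be verified" into "there is no keyring to verify against", which is the actual condition the report describes.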