Package: devscripts
Version: 2.26.5
Severity: normal

Dear Maintainer,

uscan uses only the first public key from debian/upstream/signing-key.asc,
even if the file contains more public keys.

For example, `nginx` releases are signed by several maintainers.
And when trying to upgrade from 1.28.1 -> 1.28.2:

~~
uscan
Newest version of nginx on remote site is 1.28.2, local version is 1.28.1
 => Newer package available from:
        => https://nginx.org/download/nginx-1.28.2.tar.gz
ERROR:root:SOP Error NO_SIGNATURE (3): No Valid Signature found
uscan: error: sopv verify ../nginx-1.28.2.tar.gz.asc debian/upstream/signing-key.asc subprocess failed with exit status 3
~~

It fails even if signing-key.asc contains the public keys of all maintainers.

~~
# nginx-1.28.1 (signed by Sergey Kandaurov’s PGP public key)
curl https://nginx.org/keys/pluknet.key > pluknet.key
curl https://nginx.org/download/nginx-1.28.1.tar.gz > nginx-1.28.1.tar.gz
curl https://nginx.org/download/nginx-1.28.1.tar.gz.asc > nginx-1.28.1.tar.gz.asc
sopv-gpgv verify nginx-1.28.1.tar.gz.asc pluknet.key < nginx-1.28.1.tar.gz

2025-12-23T18:12:53Z D6786CE303D9A9022998DC6CC8464D549AF75C0A D6786CE303D9A9022998DC6CC8464D549AF75C0A mode:binary

# nginx-1.28.2 (signed by Roman Arutyunyan’s PGP public key)
curl https://nginx.org/download/nginx-1.28.2.tar.gz > nginx-1.28.2.tar.gz
curl https://nginx.org/download/nginx-1.28.2.tar.gz.asc > nginx-1.28.2.tar.gz.asc
sopv-gpgv verify nginx-1.28.2.tar.gz.asc arut.key  < nginx-1.28.2.tar.gz

2026-02-04T17:02:45Z 43387825DDB1BB97EC36BA5D007C8D7C15D87369 43387825DDB1BB97EC36BA5D007C8D7C15D87369 mode:binary
~~


The problem looks to be in the use of the sopv-gpgv utility,
which can use multiple public keys, but
each public key must be specified as a separate file.

~~
sopv-gpgv verify nginx-1.28.2.tar.gz.asc pluknet.key arut.key  < nginx-1.28.2.tar.gz
2026-02-04T17:02:45Z 43387825DDB1BB97EC36BA5D007C8D7C15D87369 43387825DDB1BB97EC36BA5D007C8D7C15D87369 mode:binary
sopv-gpgv verify nginx-1.28.2.tar.gz.asc arut.key pluknet.key  < nginx-1.28.2.tar.gz
2026-02-04T17:02:45Z 43387825DDB1BB97EC36BA5D007C8D7C15D87369 43387825DDB1BB97EC36BA5D007C8D7C15D87369 mode:binary
~~

bundle:
~~
cat pluknet.key arut.key > pluknet-arut.key
sopv-gpgv verify nginx-1.28.2.tar.gz.asc pluknet-arut.key  < nginx-1.28.2.tar.gz
ERROR:root:SOP Error NO_SIGNATURE (3): No Valid Signature found
~~


For uscan to accept all keys, it looks like
the use of the `sopv-gpgv' command will have to be changed.

1. either split the signing-key.asc into several files
2. or switch to a signing-key.d/ directory, where there will be individual public keys

Jan
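The following is an added illustration of the first option in the report, option 1 (splitting the bundled signing-key.asc into one file per key and passing every file to sopv-gpgv as a separate argument, the form the report shows succeeding). It is not code from devscripts or uscan. The `key-N.asc` file naming, the function names and the sample keyring are assumptions of this example; the sample keyring is constructed placeholder text, not real keys, and exists only so the splitter can be exercised without network access.

```shell
#!/bin/sh
# Added example (not part of devscripts/uscan): split a concatenated
# ASCII-armored keyring into one file per public key block, then hand each
# file to sopv-gpgv as its own CERTS argument instead of the bundle.

# split_armored_keys INPUT OUTDIR
# Writes OUTDIR/key-1.asc, OUTDIR/key-2.asc, ... (file name pattern is an
# assumption of this example) and prints the number of key blocks found.
split_armored_keys() {
    input="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v outdir="$outdir" '
        # A new armored block starts: open the next output file.
        /^-----BEGIN PGP PUBLIC KEY BLOCK-----$/ {
            n++
            out = outdir "/key-" n ".asc"
            inblock = 1
        }
        # Copy every line of the current block, header and footer included.
        inblock { print > out }
        # Block finished: close the file so the next block gets a fresh one.
        /^-----END PGP PUBLIC KEY BLOCK-----$/ { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$input"
}

# verify_with_split_keys SIGNATURE TARBALL KEYDIR
# Runs sopv-gpgv once, with every split key as a separate argument.
# Its output line (timestamp, signing-key fingerprint, primary fingerprint,
# mode) should be compared against the fingerprint you expect for the
# release, not just checked for a zero exit status.
verify_with_split_keys() {
    sig="$1"
    data="$2"
    keydir="$3"
    set -- "$keydir"/key-*.asc
    sopv-gpgv verify "$sig" "$@" < "$data"
}

# make_sample_keyring OUTFILE
# Writes a constructed two-block keyring for demonstration only.
# The bodies are placeholder text, NOT real PGP keys.
make_sample_keyring() {
    cat > "$1" <<'EOF'
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBEXAMPLEoneNOTAREALKEY
=AAAA
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBEXAMPLEtwoNOTAREALKEY
=BBBB
-----END PGP PUBLIC KEY BLOCK-----
EOF
}

# Usage with a real upstream keyring (run manually, needs sopv-gpgv):
#   split_armored_keys debian/upstream/signing-key.asc keys
#   verify_with_split_keys nginx-1.28.2.tar.gz.asc nginx-1.28.2.tar.gz keys
```

The splitter relies only on the armor header and footer lines, so it is indifferent to how many keys the bundle holds or which one signed the tarball; sopv-gpgv then receives them in the same multi-argument form the report shows working in either order.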
