Package: dpkg-dev
Version: 1.15.2
Severity: normal

Hi,

I'm not on official keyrings and I'm packaging a piece of software. For my packages the verification that dpkg-source -x does fails:

  $ dpkg-source -x subtitlecomposer_0.5.2-1.dsc
  gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
  gpgv: Can't check signature: public key not found
  dpkg-source: warning: failed to verify signature on ./subtitlecomposer_0.5.2-1.dsc
  dpkg-source: info: extracting subtitlecomposer in subtitlecomposer-0.5.2
  dpkg-source: info: unpacking subtitlecomposer_0.5.2.orig.tar.gz
  dpkg-source: info: applying subtitlecomposer_0.5.2-1.diff.gz

So, I checked what gpgv does:

  $ gpgv subtitlecomposer_0.5.2-1.dsc
  gpgv: keyblock resource `/home/santa/.gnupg/trustedkeys.gpg': general error
  gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
  gpgv: Can't check signature: public key not found

Then, I created the trustedkeys.gpg keyring with my signature included:

  $ gpg --no-default-keyring --keyring trustedkeys.gpg --recv-keys 5f99c10f
  gpg: keyring `/home/santa/.gnupg/trustedkeys.gpg' created
  gpg: requesting key 5F99C10F from hkp server wwwkeys.eu.pgp.net
  gpg: key 5F99C10F: public key "José Manuel Santamaría Lema <panfa...@gmail.com>" imported
  gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
  gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
  gpg: Total number processed: 1
  gpg:               imported: 1

Then gpgv works:

  $ gpgv subtitlecomposer_0.5.2-1.dsc
  gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
  gpgv: Good signature from "José Manuel Santamaría Lema <panfa...@gmail.com>"

But dpkg-source doesn't, so I checked what dscverify does:

  $ dscverify subtitlecomposer_0.5.2-1.dsc
  subtitlecomposer_0.5.2-1.dsc:
  dscverify: subtitlecomposer_0.5.2-1.dsc failed signature check:
  gpg: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
  gpg: Can't check signature: public key not found
  Validation FAILED!!

After reading the dscverify and devscripts.conf manpages I added this line to /etc/devscripts.conf:

  DSCVERIFY_KEYRINGS="trustedkeys.gpg"

Executing dscverify again, it works:

  $ dscverify subtitlecomposer_0.5.2-1.dsc
  subtitlecomposer_0.5.2-1.dsc:
        Good signature found
     validating subtitlecomposer_0.5.2.orig.tar.gz
     validating subtitlecomposer_0.5.2-1.diff.gz
  All files validated successfully.

However, dpkg-source was still failing to verify my signature. Furthermore, the dpkg-source manpage says:

> --require-valid-signature
> Refuse to unpack the source package if it doesn’t contain an OpenPGP
> signature that can be verified either with the user’s trusted‐keys.gpg
> keyring, one of the vendor-specific keyrings, or one of the official Debian
> keyrings (/usr/share/keyrings/debian-keyring.gpg and
> /usr/share/keyrings/debian-maintainers.gpg).

The name of the ring is trustedkeys.gpg instead of trusted-keys.gpg; I guess it's a typo. However, even after creating trusted-keys.gpg, dpkg-source -x does not work properly. Of course, adding --require-valid-signature results in dpkg-source refusing to unpack the source package. But I'm on trustedkeys.gpg.

By the way, lintian has a similar bug, see:
http://lists.debian.org/debian-mentors/2009/05/msg00602.html
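As an added example, not part of this bug report and not dpkg's or devscripts' own code: a small Python wrapper that verifies a .dsc against one explicit keyring through gpgv's machine-readable --status-fd output, distinguishing "public key not found" (NO_PUBKEY) from a good signature and pinning the signer's full fingerprint rather than a short key ID. The sample status lines, key ID, fingerprint and user ID below are constructed, and the keyring path and expected fingerprint are assumptions you supply.

```python
import subprocess

# Machine-readable keywords gpgv emits on --status-fd. Scripts should decide on
# these, never on the human-readable "Good signature from ..." text on stderr.
FAILURES = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}

def parse_status(status_text):
    """Classify gpgv --status-fd output as (ok, reason, fingerprint). Accept only
    a GOODSIG paired with a VALIDSIG line, which carries the full fingerprint."""
    good, fingerprint, failure = False, "", ""
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) > 2:
            fingerprint = fields[2]
        elif keyword in FAILURES:
            failure = keyword  # last wins: ERRSIG precedes the more specific NO_PUBKEY
    if failure:
        return (False, failure, fingerprint)
    if good and fingerprint:
        return (True, "GOODSIG", fingerprint)
    return (False, "NOSIG", "")

def verify_dsc(dsc_path, keyring_path, expected_fpr):
    """Run gpgv against one explicit keyring and pin the signer's full fingerprint;
    a short key ID like 5F99C10F is too easy to collide to serve as identity."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring_path, dsc_path],
        capture_output=True, text=True)
    ok, reason, fingerprint = parse_status(proc.stdout)
    if ok and fingerprint.upper() != expected_fpr.upper():
        return (False, "WRONG_KEY", fingerprint)
    return (ok, reason, fingerprint)

# Constructed sample status output (not captured from the reporter's system).
MISSING_KEY = ("[GNUPG:] NEWSIG\n"
               "[GNUPG:] ERRSIG AAAABBBBCCCCDDDD 17 2 00 1242687118 9\n"
               "[GNUPG:] NO_PUBKEY AAAABBBBCCCCDDDD\n")
GOOD_SIG = ("[GNUPG:] NEWSIG\n"
            "[GNUPG:] GOODSIG AAAABBBBCCCCDDDD Example Maintainer <m@example.invalid>\n"
            "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-05-19 "
            "1242687118 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567\n")
```

Calling verify_dsc("subtitlecomposer_0.5.2-1.dsc", "/home/santa/.gnupg/trustedkeys.gpg", "<expected fingerprint>") returns a tuple whose first element is the only thing an unpack step should trust.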