Package: apt
Version: 2.9.15
Severity: serious
Justification: I pondered initially on important, but given that this is a regression that prevents repo usage, it seems worth serious to me.
Hi!

The latest release made some repos stop working, as apt is now refusing to use the specified keyring when it ends in «.pgp».

,---
…
Err:4 https://…/… … InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY …
…
Warning: https://…/…/InRelease: The key(s) in the keyring /usr/share/keyrings/….pgp are ignored as the file has an unsupported filetype.
Warning: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://…/… … InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY …
Warning: Failed to fetch https://…/…/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY …
Warning: Some index files failed to download. They have been ignored, or old ones used instead.
`---

Enforcing «.gpg» (and «.asc») as the only allowed extensions seems wrong, because «.gpg» is an implementation-specific name, which does not match the standard (OpenPGP) this is based on, where the more neutral name to use is «.pgp».

So either «.pgp» should be explicitly allowed, or the extension and format checks should be removed, as the OpenPGP implementation in use should be able to reject unknown keyrings.

Ideally «.pgp» would be allowed everywhere currently expecting «.gpg», including, say, «Release.gpg» (even if that's considered deprecated), and apt would encourage use of the vendor-neutral extension.

There's also a lintian tag prodding keyring providers to use the neutral extension:

  https://udd.debian.org/lintian-tag/openpgp-file-has-implementation-specific-extension

Thanks,
Guillem
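Added illustration (not part of Guillem's report, and not apt's own code): a script that lists the Signed-By keyring paths referenced by a sources configuration, flags the ones whose extension falls outside the «.gpg»/«.asc» set the report says apt 2.9.15 accepts, and classifies each file's contents as armored or binary OpenPGP by looking at the leading bytes rather than the name, which is the kind of name-independent check the report argues the OpenPGP implementation can do itself. The repository URIs, keyring paths and keyring bytes are constructed here for the example; a dict stands in for the filesystem so it runs offline.

```python
"""Added example: inspect apt Signed-By keyrings by extension and by content.

Not apt's code and not part of the bug report; it models the extension
rule described in the report and adds a content check so that a «.pgp»
file can be recognised as a normal OpenPGP keyring regardless of its name.
"""
import re
from pathlib import Path

# Extensions the report says apt 2.9.15 accepts for Signed-By keyrings.
APT_ACCEPTED_EXTENSIONS = (".gpg", ".asc")

ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"
# First byte of a binary keyring exported with `gpg --export`: the packet
# header of a Public-Key packet (tag 6, RFC 4880 section 4.2).
# Old format is 0b10 0110 xx -> 0x98..0x9B; new format is 0b11 000110 -> 0xC6.
PUBLIC_KEY_PACKET_FIRST_BYTES = {0x98, 0x99, 0x9A, 0x9B, 0xC6}

DEB822_SIGNED_BY = re.compile(r"^Signed-By:[ \t]*(.+?)[ \t]*$", re.MULTILINE)
ONE_LINE_OPTIONS = re.compile(r"^deb(?:-src)?[ \t]+\[([^\]]*)\]", re.MULTILINE)
SIGNED_BY_OPTION = re.compile(r"signed-by=([^\s\]]+)", re.IGNORECASE)


def classify_keyring_bytes(data: bytes) -> str:
    """Classify keyring contents as 'armored', 'binary' or 'unknown'.

    Name-independent: only the leading bytes are inspected, so a file
    called foo.pgp is classified exactly like the same bytes called foo.gpg.
    """
    if data.startswith(ARMOR_HEADER):
        return "armored"
    if data and data[0] in PUBLIC_KEY_PACKET_FIRST_BYTES:
        return "binary"
    return "unknown"


def signed_by_paths(sources_text: str) -> list[str]:
    """Collect absolute Signed-By file paths from deb822 and one-line sources.

    Inline armored keys (multi-line Signed-By values) and fingerprints are
    skipped: only values that start with '/' are treated as file paths.
    """
    paths = []
    for m in DEB822_SIGNED_BY.finditer(sources_text):
        paths.extend(p for p in m.group(1).split() if p.startswith("/"))
    for m in ONE_LINE_OPTIONS.finditer(sources_text):
        for opt in SIGNED_BY_OPTION.finditer(m.group(1)):
            paths.extend(p for p in opt.group(1).split(",") if p.startswith("/"))
    return paths


def check_sources(sources_text: str, files: dict[str, bytes]) -> list[dict]:
    """Report, per keyring path, whether the extension passes the apt 2.9.15
    check described in the report and what the file contents look like.
    `files` maps path -> bytes and stands in for the filesystem."""
    findings = []
    for path in signed_by_paths(sources_text):
        data = files.get(path)
        findings.append({
            "path": path,
            "extension_accepted": Path(path).suffix.lower() in APT_ACCEPTED_EXTENSIONS,
            "content": "missing" if data is None else classify_keyring_bytes(data),
        })
    return findings


# Constructed sample input (fictitious repositories). Real systems keep
# deb822 stanzas and one-line entries in separate files; the parser accepts
# either form, so they are combined here for brevity.
SAMPLE_SOURCES = """\
Types: deb
URIs: https://deb.example.org/debian
Suites: bookworm
Components: main
Signed-By: /usr/share/keyrings/example-archive.pgp

Types: deb
URIs: https://mirror.example.org/debian
Suites: bookworm
Components: main
Signed-By: /usr/share/keyrings/mirror-archive.gpg

deb [arch=amd64 signed-by=/etc/apt/keyrings/vendor.asc] https://pkgs.example.org/apt stable main
"""

# Constructed stand-in for the keyring files: 0x99 is an old-format tag-6
# (Public-Key) packet header with a two-octet length; the armored block has
# a dummy body. Neither is a real key.
SAMPLE_FILES = {
    "/usr/share/keyrings/example-archive.pgp": b"\x99\x01\x0d\x04" + bytes(8),
    "/usr/share/keyrings/mirror-archive.gpg": b"\x99\x01\x0d\x04" + bytes(8),
    "/etc/apt/keyrings/vendor.asc": ARMOR_HEADER
    + b"\n\nbWluaW1hbA==\n-----END PGP PUBLIC KEY BLOCK-----\n",
}


if __name__ == "__main__":
    for f in check_sources(SAMPLE_SOURCES, SAMPLE_FILES):
        status = "ok" if f["extension_accepted"] else "ignored by apt 2.9.15 (extension)"
        print(f"{f['path']}: content={f['content']}, {status}")
```

Run against the constructed input, the «.pgp» entry is reported as a perfectly ordinary binary keyring that the extension rule alone would cause apt to ignore, while the «.gpg» and «.asc» entries pass. To point it at a real system, read the files under /etc/apt/sources.list.d/ and replace the SAMPLE_FILES dict with Path(path).read_bytes() for each reported path.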