Control: forwarded -1 https://github.com/ostreedev/ostree/issues/3386
Control: tags -1 + upstream help

On Wed, 26 Feb 2025 at 15:44:37 +0100, Andreas Metzler wrote:
> ostree throws a testsuite error against gpg 2.4.7-5:
>
> FAIL: tests/test-gpg-verify-result 5 /gpg-verify-result/expired-key -
> OSTree:ERROR:tests/test-gpg-verify-result.c:288:test_expired_key:
> 'key_expired' should be TRUE

I've sent more analysis to upstream issue report
https://github.com/ostreedev/ostree/issues/3386.

The tl;dr version is that libostree is testing its own ability to verify GPG signatures by inspecting commits that were signed by keys that are intentionally bad in various ways (expired, revoked, etc.), and asserting that it sees the expected error code/message from libgpgme. With the new gnupg2, in several situations it seems that it reports a missing key (GPGME_SIGSUM_KEY_MISSING, OSTREE_GPG_ERROR_MISSING_KEY, "Can't check signature: public key not found") instead of the more specific error code that was previously seen.

> Ostree's autopkgtest throws more errors, which I do not see on a local
> rebuild in sid chroot.

I think this is probably just because the build-time tests are failing as soon as a failure has been recorded, whereas the autopkgtest runs all test-cases even if one of them already failed; so you might be seeing failures in the autopkgtest for things that the build-time test never got as far as even attempting.

The other failures in the autopkgtest seem to be:

> 264s File 'err.txt' doesn't match regexp 'Key expired'
> 325s File 'test2-show' matches regexp 'public key not found'

which seem like the same class of failure: libostree's command-line interface is not outputting "Key expired" when it was expected to, and it is outputting "public key not found" when it was not expected to. That seems consistent with gpg reporting "public key not found" more often.

I would appreciate it if someone who knows GPG better than I do could help upstream to understand whether this is a gpg regression, or libostree or its test suite using gpg wrong in a way that was not previously diagnosed, or something else.

smcv