Package: gpg
Version: 2.2.40-1.1+b1
Severity: normal
Affects: libmodule-signature-perl

The --keyserver-options=auto-key-retrieve option does not work. It is described as an obsolete alias for the option auto-key-retrieve, but it is still documented, so that it is still expected to be supported. Note that it is still used by libmodule-signature-perl.

The test I did:

zira:~> MODULE_SIGNATURE_VERBOSE=1 MODULE_SIGNATURE_KEYSERVER=pgpkeys.eu cpan -i XML::RPC
Reading '/home/vinc17/.cpan/Metadata'
  Database was generated on Thu, 11 Jan 2024 22:41:02 GMT
Running install for module 'XML::RPC'
CPAN: Digest::SHA loaded ok (v6.04)
CPAN: Module::Signature loaded ok (v0.88)
Executing gpg/--verify/--batch/--no-tty/--keyserver=hkp://pgpkeys.eu:11371/--keyserver-options=auto-key-retrieve//tmp/E4jnBjTWP8
gpg: Signature made 2023-12-17T16:29:09 CET
gpg: using RSA key 77576125A905F1BA
gpg: Can't check signature: No public key
Signature invalid for file /home/vinc17/.cpan/sources/authors/id/C/CA/CAVAC/CHECKSUMS. Please investigate.
[...]

zira:~[2]> gpg --keyserver pgpkeys.eu --recv-keys 77576125A905F1BA
gpg: key 328DA867450F89EC: 13 duplicate signatures removed
gpg: key 328DA867450F89EC: "PAUSE Batch Signing Key 2024 <[email protected]>" 1 new user ID
gpg: key 328DA867450F89EC: "PAUSE Batch Signing Key 2024 <[email protected]>" 14 new signatures
gpg: key 328DA867450F89EC: "PAUSE Batch Signing Key 2024 <[email protected]>" 2 new subkeys
gpg: Total number processed: 1
gpg:           new user IDs: 1
gpg:            new subkeys: 2
gpg:         new signatures: 14

zira:~> MODULE_SIGNATURE_VERBOSE=1 MODULE_SIGNATURE_KEYSERVER=pgpkeys.eu cpan -i XML::RPC
Reading '/home/vinc17/.cpan/Metadata'
  Database was generated on Thu, 11 Jan 2024 22:41:02 GMT
Running install for module 'XML::RPC'
CPAN: Digest::SHA loaded ok (v6.04)
CPAN: Module::Signature loaded ok (v0.88)
Executing gpg/--verify/--batch/--no-tty/--keyserver=hkp://pgpkeys.eu:11371/--keyserver-options=auto-key-retrieve//tmp/TMJRFmY_zR
gpg: Signature made 2023-12-17T16:29:09 CET
gpg: using RSA key 77576125A905F1BA
gpg: Good signature from "PAUSE Batch Signing Key 2024 <[email protected]>" [unknown]
[...]

In summary, the public key was missing and wasn't retrieved automatically, even though --keyserver-options=auto-key-retrieve was used. Then I retrieved the key explicitly with --recv-keys and using the same keyserver, which succeeded, and the signature could be verified.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-5-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gpg depends on:
ii  gpgconf         2.2.40-1.1+b1
ii  libassuan0      2.5.6-1
ii  libbz2-1.0      1.0.8-5+b2
ii  libc6           2.37-13
ii  libgcrypt20     1.10.3-2
ii  libgpg-error0   1.47-3
ii  libreadline8    8.2-3
ii  libsqlite3-0    3.44.2-1
ii  zlib1g          1:1.3.dfsg-3

Versions of packages gpg recommends:
ii  gnupg  2.2.40-1.1

gpg suggests no packages.

-- no debconf information

-- 
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
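As an added example (not code from the report, from gpg or from Module::Signature), a small Python wrapper that invokes gpg with the same options Module::Signature passes, recognises the "No public key" outcome on stderr, and applies the reporter's workaround of an explicit --recv-keys for the reported key ID before verifying a second time. The SAMPLE_* strings and the FakeGpg class are a constructed offline stand-in built from the stderr shown in the report, so the flow can be exercised without a keyserver.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

KEY_RE = re.compile(r"^gpg:\s+using \w+ key ([0-9A-F]{16,40})\s*$", re.M)

@dataclass
class Verdict:
    key_id: Optional[str]    # signing (sub)key ID gpg reported on stderr, if any
    good: bool               # "Good signature from ..." seen
    missing_key: bool        # "Can't check signature: No public key" seen
    fetched: bool = False    # key had to be pulled with an explicit --recv-keys

def parse_gpg_verify(stderr: str) -> Verdict:
    """Classify gpg --verify stderr (the report shows 'using RSA key 77576125A905F1BA')."""
    m = KEY_RE.search(stderr)
    return Verdict(m.group(1) if m else None,
                   "gpg: Good signature from" in stderr,
                   "Can't check signature: No public key" in stderr)

def verify_with_fallback(path: str, keyserver: str, run=subprocess.run) -> Verdict:
    """Verify as Module::Signature does; if auto-key-retrieve left the key missing,
    fetch the reported key ID explicitly (the report's workaround) and verify again."""
    base = ["gpg", "--verify", "--batch", "--no-tty",
            f"--keyserver=hkp://{keyserver}:11371", "--keyserver-options=auto-key-retrieve"]
    verdict = parse_gpg_verify(run(base + [path], capture_output=True, text=True).stderr)
    if verdict.missing_key and verdict.key_id:
        run(["gpg", "--batch", "--keyserver", keyserver, "--recv-keys", verdict.key_id],
            capture_output=True, text=True)
        verdict = parse_gpg_verify(run(base + [path], capture_output=True, text=True).stderr)
        verdict.fetched = True
    return verdict

SAMPLE_MISSING = (  # constructed sample: stderr lines copied from the report's first run
    "gpg: Signature made 2023-12-17T16:29:09 CET\n"
    "gpg: using RSA key 77576125A905F1BA\n"
    "gpg: Can't check signature: No public key\n")
SAMPLE_GOOD = SAMPLE_MISSING.replace("Can't check signature: No public key",
    'Good signature from "PAUSE Batch Signing Key 2024 <[email protected]>" [unknown]')

class FakeGpg:
    """Constructed stand-in for subprocess.run: the key stays missing until --recv-keys is seen."""
    def __init__(self):
        self.have_key, self.calls = False, []
    def __call__(self, argv, **kw):
        self.calls.append(argv)
        self.have_key |= "--recv-keys" in argv
        err = "" if "--recv-keys" in argv else SAMPLE_GOOD if self.have_key else SAMPLE_MISSING
        return subprocess.CompletedProcess(argv, 0 if self.have_key else 2, "", err)
```

A good signature from a key gpg marks [unknown] only ties the file to a key the keyserver served; it says nothing about whether that key has been validated as the real PAUSE signing key.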

