Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: r...@debian.org

Dear FTP-Master team,

I've run into a problem with package upload and would appreciate your help.

```
@ dupload bpfcc_0.31.0+ds-5_source.changes
dupload note: no announcement will be sent.
Checking OpenPGP signatures on bpfcc_0.31.0+ds-5_source.changes...
Using keyring: /usr/share/keyrings/debian-keyring.gpg
Using keyring: /usr/share/keyrings/debian-nonupload.gpg
Using keyring: /usr/share/keyrings/debian-maintainers.gpg
Signing key on 43DEF582F9E67111CE008917F2F11C23F00A2BE6 is not bound:
  Error: Policy rejected non-revocation signature (SubkeyBinding) requiring second pre-image resistance
  because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
0 authenticated signatures, 1 bad key.
Error: Verification failed: could not authenticate any signatures
openpgp-check: error: cannot verify OpenPGP signature for bpfcc_0.31.0+ds-5_source.changes: no acceptable signature found
dupload: error: Pre-upload '/usr/share/dupload/openpgp-check %1' failed for bpfcc_0.31.0+ds-5_source.changes
```

This is the initial problem, where it reported that my GPG key has SHA1 signatures. And dupload was strict enough to not allow the upload.

I then fixed my keys and ran --send-keys to the usual key servers as well.

```
@ gpg --export F00A2BE6 | sq cert lint
Examined 1 certificate.
  0 certificates are invalid and were not linted. (GOOD)
  1 certificate was linted.
  0 of the 1 certificates (0%) have at least one issue. (GOOD)
  0 of the linted certificates were revoked.
    0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD)
  0 of the linted certificates were expired.
  1 of the non-revoked linted certificate has at least one non-revoked User ID:
    0 have at least one User ID protected by SHA-1. (GOOD)
    0 have all User IDs protected by SHA-1. (GOOD)
  1 of the non-revoked linted certificates has at least one non-revoked, live subkey:
    0 have at least one non-revoked, live subkey with a binding signature that uses SHA-1. (GOOD)
  1 of the non-revoked linted certificates has at least one non-revoked, live, signing-capable subkey:
    0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD)
```

Post that, I signed my keys again and uploaded with dupload. But dupload complained with the same error. I guess that is because my new updated keys aren't in the Debian Keyring. So I worked around dupload by dropping the hook.

```
@ dupload --skip-hooks openpgp-check bpfcc_0.31.0+ds-5_source.changes
dupload note: no announcement will be sent.
dupload: warning: skipping pre-upload changes hook /usr/share/dupload/openpgp-check %1
Checking Debian transitions for bpfcc... Ok, not found in any.
Uploading (scpb) to ssh.upload.debian.org:/srv/upload.debian.org/UploadQueue/
[ Preparing job bpfcc_0.31.0+ds-5_source from bpfcc_0.31.0+ds-5_source.changes
    bpfcc_0.31.0+ds-5.debian.tar.xz, size ok, md5sum ok, sha1sum ok, sha256sum ok
    bpfcc_0.31.0+ds-5.dsc, size ok, md5sum ok, sha1sum ok, sha256sum ok
    bpfcc_0.31.0+ds-5_source.buildinfo, size ok, md5sum ok, sha1sum ok, sha256sum ok
    bpfcc_0.31.0+ds-5_source.changes ok ]
Uploading (scpb) to debian-ssh (ssh.upload.debian.org)
[ Uploading job bpfcc_0.31.0+ds-5_source
    bpfcc_0.31.0+ds-5.debian.tar.xz 22.5 kB, uploading
    bpfcc_0.31.0+ds-5.dsc 2.8 kB, uploading
    bpfcc_0.31.0+ds-5_source.buildinfo 9.3 kB, uploading
    bpfcc_0.31.0+ds-5_source.changes 2.2 kB, uploading ]
Next Debian dinstall run is at: Tue Mar 18 19:22:00 2025
```

But that didn't work either, and the ftp-master tooling doesn't give any hint of it (accepted/rejected?), like we usually get when a package is rejected.

Chris Hofstaedtler was kind enough to do a brief investigation and educate me on the cause:

```
I can see this on usper.d.o:
| Mar 18 10:47:10 processing /bpfcc_0.31.0+ds-5_source.changes
| Mar 18 10:47:10 GnuPG signature check failed on bpfcc_0.31.0+ds-5_source.changes
| Mar 18 10:47:10 (Exit status 2)
| Mar 18 10:47:10 /bpfcc_0.31.0+ds-5_source.changes has bad PGP/GnuPG signature!
| Mar 18 10:47:10 Removing /bpfcc_0.31.0+ds-5_source.changes, but keeping its associated files for now.
```

I'd have saved myself much time had this information reached me directly.

Last month, I uploaded `apt-offline` just fine, with the same gpg keys. So something changed in the last month or so.

I believe I've fixed my keys and pushed them back to the key servers. I'd like to upload the `bpfcc-tools` package to the archive before the freeze is fully in effect. Thus this email and a request to help.

Thanks,
Ritesh
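The report above hinges on one property of an OpenPGP certificate: the hash algorithm recorded inside each signature packet, which a verifier's policy (here sequoia's, via dupload's openpgp-check hook) rejects for SHA-1 after a cutoff date. As an added example, not code from the bug report, from dupload or from Debian's tooling, the Python script below walks the packets of a binary certificate export, reports the hash algorithm and creation time of every v4 signature, and lists the certification and subkey-binding signatures that a SHA-1-rejecting policy would refuse. It runs on a constructed sample certificate whose key material is dummy (only the packet framing follows RFC 4880); the names `SAMPLE_CERT`, `audit_signatures` and `weak_binding_signatures` are this example's own. To check a real key, feed it the bytes of `gpg --export <fingerprint>` (binary, not ASCII-armored); it does not handle v3/v5/v6 signatures or partial-body lengths.

```python
"""Report the hash algorithm behind every signature packet of a binary OpenPGP
certificate (the bytes `gpg --export` emits). Added example, not from the bug
report or Debian tooling; assumes v4 signatures and no partial-body lengths."""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterator, List, Optional, Tuple

SIG_TAG = 2                                   # RFC 4880 4.3: signature packet
HASH_NAMES = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
WEAK_HASHES = {1, 2}                          # MD5 and SHA-1
BINDING_TYPES = {0x10, 0x11, 0x12, 0x13, 0x18, 0x19, 0x1F}  # certs/bindings, 5.2.1

@dataclass
class SigInfo:
    sig_type: int
    hash_algo: int
    created: Optional[datetime]
    def is_weak(self) -> bool:
        return self.hash_algo in WEAK_HASHES

def _length(buf: bytes, i: int, cap: int) -> Tuple[int, int]:
    """Decode a new-format packet (cap=224) or subpacket (cap=255) length."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < cap:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths are not supported")

def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) per packet, handling old and new header formats."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80: raise ValueError(f"invalid packet tag byte at offset {i}")
        if ctb & 0x40:                        # new-format header (4.2.2)
            tag = ctb & 0x3F
            length, i = _length(data, i + 1, 224)
        else:                                 # old-format header (4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3: raise ValueError("indeterminate length is not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i + 1:i + 1 + size], "big")
            i += 1 + size
        body, i = data[i:i + length], i + length
        if len(body) != length: raise ValueError("truncated packet")
        yield tag, body

def parse_v4_signature(body: bytes) -> SigInfo:
    """Pull type, hash algorithm and creation time out of a v4 signature body."""
    if body[0] != 4: raise ValueError(f"unsupported signature version {body[0]}")
    sig_type, hash_algo = body[1], body[3]    # body[2] is the public-key algo
    end = 6 + struct.unpack(">H", body[4:6])[0]
    i, created = 6, None
    while i < end:                            # hashed subpackets (5.2.3.1)
        length, i = _length(body, i, 255)
        if body[i] & 0x7F == 2 and length == 5:   # signature creation time
            stamp = struct.unpack(">I", body[i + 1:i + 5])[0]
            created = datetime.fromtimestamp(stamp, timezone.utc)
        i += length
    return SigInfo(sig_type, hash_algo, created)

def audit_signatures(data: bytes) -> List[SigInfo]:
    return [parse_v4_signature(b) for tag, b in iter_packets(data) if tag == SIG_TAG]

def weak_binding_signatures(data: bytes) -> List[SigInfo]:
    """Certifications and bindings that a SHA-1-rejecting policy would refuse."""
    return [s for s in audit_signatures(data)
            if s.is_weak() and s.sig_type in BINDING_TYPES]

# Constructed sample certificate: the packet framing is real, key material is dummy.
def _new_packet(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body             # one-octet length
def _v4_sig(sig_type: int, hash_algo: int, created: int) -> bytes:
    hashed = bytes([5, 2]) + struct.pack(">I", created)      # creation-time subpacket
    body = bytes([4, sig_type, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", 0) + b"\x12\x34"               # no unhashed subpackets, hash prefix
    return _new_packet(SIG_TAG, body + struct.pack(">H", 8) + b"\x80")  # dummy 8-bit MPI

SAMPLE_CERT = (
    bytes([0x98, 4]) + b"\x04KEY"                            # tag 6 with old-format header
    + _new_packet(13, b"Example <example@example.invalid>")   # user ID
    + _v4_sig(0x13, 8, 1700000000)                           # SHA256 positive certification
    + _new_packet(14, b"\x04SUB")                            # public subkey
    + _v4_sig(0x18, 2, 1433116800)                           # SHA-1 subkey binding (2015)
)

if __name__ == "__main__":
    for sig in audit_signatures(SAMPLE_CERT):
        flag = "WEAK" if sig.is_weak() else "ok  "
        print(f"{flag} type=0x{sig.sig_type:02x} hash={HASH_NAMES.get(sig.hash_algo)} created={sig.created}")
```

On the sample, the positive certification is reported as SHA256 and the subkey binding as SHA1, which is exactly the packet `sq cert lint` (shown in the report) would flag as "a binding signature that uses SHA-1". The lint is the authoritative check; this script only makes visible, at packet level, which signature a policy is complaining about, so that the right binding signature gets re-issued before an upload.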