Hi! On Tue, 2025-05-20 at 13:33:58 +0300, Martin-Éric Racine wrote: > Package: dpkg-dev > Version: 1.22.19 > Severity: normal > X-Debbugs-Cc: [email protected]
> Now that APT pulls 'sqv' in, dpkg-source seemingly no longer knows how to > check signatures: > -------------------------------------------------- > $ dpkg-source -x ~/Projects/Salsa/upgrade-system_1.9.8.dsc > error: the following required arguments were not provided: > --keyring <FILE> > > Usage: sqv --keyring <FILE> --cleartext --output <FILE> <FILE> > > For more information, try '--help'. > dpkg-source: warning: cannot verify inline signature for > /home/perkelix/Projects/Salsa/upgrade-system_1.9.8.dsc: no acceptable > signature found > dpkg-source: info: extracting upgrade-system in upgrade-system-1.9.8 > dpkg-source: info: unpacking upgrade-system_1.9.8.tar.xz > -------------------------------------------------- This is mostly a UI kind of issue, where dpkg-source should not be calling sqv (or sq), when the needed keyrings are not present on disk, otherwise we get this kind of alarming/distracting error message from the tool. But even then, the effect would be the same, dpkg-source would not be able to verify the signature. > I cannot help but wonder why 'sqv' insists on getting told which > keyring to use. gpgv was perfectly capable of using all available > keyrings. Hmm, I'm not sure I understand this comment. gpgv has always also being passed the required Debian keyrings to verify stuff, but the difference is that we need to create a temporary home directory and for gpgv we always touch the trustedkeys.gpg keyring which is what the tool falls back to if there is no other keyring specified. Which it still then will fail verify. > Anyhow, until this has been fixed, the primary signature verification > method fails on Trixie. The dpkg code will detect all the OpenPGP backends it supports, from any SOP/SOPV implementation, then sq/sqv and finally gpg/gpgv. But they all will fail in some way or another due to… > Versions of packages dpkg-dev suggests: > pn debian-keyring <none> > pn debian-tag2upload-keyring <none> … this. I'll prepare a change to improve the error handling/reporting though. Thanks, Guillem
