Howdy!

On Tue 20.5.2025 at 14.30 Guillem Jover ([email protected]) wrote:
> On Tue, 2025-05-20 at 13:33:58 +0300, Martin-Éric Racine wrote:
> > Package: dpkg-dev
> > Version: 1.22.19
> > Severity: normal
> > X-Debbugs-Cc: [email protected]
>
> > Now that APT pulls 'sqv' in, dpkg-source seemingly no longer knows how to
> > check signatures:
>
> > --------------------------------------------------
> > $ dpkg-source -x ~/Projects/Salsa/upgrade-system_1.9.8.dsc
> > error: the following required arguments were not provided:
> >   --keyring <FILE>
> >
> > Usage: sqv --keyring <FILE> --cleartext --output <FILE> <FILE>
> >
> > For more information, try '--help'.
> > dpkg-source: warning: cannot verify inline signature for 
> > /home/perkelix/Projects/Salsa/upgrade-system_1.9.8.dsc: no acceptable 
> > signature found
> > dpkg-source: info: extracting upgrade-system in upgrade-system-1.9.8
> > dpkg-source: info: unpacking upgrade-system_1.9.8.tar.xz
> > --------------------------------------------------
>
> This is mostly a UI kind of issue, where dpkg-source should not be
> calling sqv (or sq), when the needed keyrings are not present on disk,
> otherwise we get this kind of alarming/distracting error message from
> the tool. But even then, the effect would be the same, dpkg-source
> would not be able to verify the signature.

See below.

> > I cannot help but wonder why 'sqv' insists on getting told which
> > keyring to use. gpgv was perfectly capable of using all available
> > keyrings.
>
> Hmm, I'm not sure I understand this comment. gpgv has always also
> been passed the required Debian keyrings to verify stuff, but the
> difference is that we need to create a temporary home directory
> and for gpgv we always touch the trustedkeys.gpg keyring which is
> what the tool falls back to if there is no other keyring specified.
> Which will then still fail to verify.

gpgv never had difficulties verifying the signature....

> > Anyhow, until this has been fixed, the primary signature verification
> > method fails on Trixie.
>
> The dpkg code will detect all the OpenPGP backends it supports, from
> any SOP/SOPV implementation, then sq/sqv and finally gpg/gpgv. But they
> all will fail in some way or another due to…
>
> > Versions of packages dpkg-dev suggests:
> > pn  debian-keyring             <none>
> > pn  debian-tag2upload-keyring  <none>
>
> … this.

... even without these, but sqv does.

As far as I can tell, the key issue is that gpgv knows about the
user's personal keyring (which, in my case, has the key of many DD/DM,
as a result of previous key signing parties) as well as system
keyrings, while sqv seemingly doesn't.

> I'll prepare a change to improve the error handling/reporting though.

Thanks!
Martin-Éric
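As an added illustration, not dpkg's own code, here is a small POSIX sh sketch of the check discussed above: look for the Debian keyrings first and only then call sqv with the explicit `--keyring` arguments its usage line demands, otherwise report plainly instead of surfacing sqv's usage error. The keyring file names under /usr/share/keyrings and the `.unsigned.dsc` output name are assumptions.

```shell
#!/bin/sh
# Added example (not from dpkg): find the keyrings to hand to sqv and refuse
# to call sqv when none are present, so the user gets a clear message instead
# of "error: the following required arguments were not provided: --keyring".
# Keyring file names are assumptions; tag2upload's is a placeholder.

# Print one "--keyring FILE" line per readable keyring under $1
# (defaults to /usr/share/keyrings). Returns 1 when nothing is found.
keyring_args() {
    dir="${1:-/usr/share/keyrings}"
    found=0
    for kr in "$dir/debian-keyring.gpg" "$dir/debian-maintainers.gpg" \
              "$dir/debian-tag2upload-keyring.gpg"; do
        if [ -r "$kr" ]; then
            printf -- '--keyring %s\n' "$kr"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Verify the inline (cleartext) signature on a .dsc using the invocation
# shown in sqv's usage: sqv --keyring FILE --cleartext --output FILE FILE.
# Returns 2 (without calling sqv) when no keyring exists.
verify_dsc() {
    dsc="$1"; keyring_dir="$2"
    args=$(keyring_args "$keyring_dir") || {
        echo "no Debian keyring found in ${keyring_dir:-/usr/share/keyrings}; not calling sqv" >&2
        return 2
    }
    # shellcheck disable=SC2086  # word-split the --keyring pairs on purpose
    sqv $args --cleartext --output "${dsc%.dsc}.unsigned.dsc" "$dsc"
}
```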
