Hi!

On Tue, 2025-05-20 at 14:52:59 +0300, Martin-Éric Racine wrote:
> On Tue, 20 May 2025 at 14:30, Guillem Jover ([email protected]) wrote:
> > On Tue, 2025-05-20 at 13:33:58 +0300, Martin-Éric Racine wrote:
> > > Package: dpkg-dev
> > > Version: 1.22.19
> > > Severity: normal
> > > X-Debbugs-Cc: [email protected]
 
> > > I cannot help but wonder why 'sqv' insists on getting told which
> > > keyring to use. gpgv was perfectly capable of using all available
> > > keyrings.
> >
> > Hmm, I'm not sure I understand this comment. gpgv has always also
> > been passed the required Debian keyrings to verify stuff, but the
> > difference is that we need to create a temporary home directory,
> > and for gpgv we always touch the trustedkeys.gpg keyring, which is
> > what the tool falls back to if there is no other keyring specified.
> > Which it will then still fail to verify.
> 
> gpgv never had difficulties verifying the signature....

> > > Anyhow, until this has been fixed, the primary signature verification
> > > method fails on Trixie.
> >
> > The dpkg code will detect all the OpenPGP backends it supports, from
> > any SOP/SOPV implementation, then sq/sqv and finally gpg/gpgv. But they
> > all will fail in some way or another due to…
> >
> > > Versions of packages dpkg-dev suggests:
> > > pn  debian-keyring             <none>
> > > pn  debian-tag2upload-keyring  <none>
> >
> > … this.
> 
> ... even without these, but sqv does.
> 
> As far as I can tell, the key issue is that gpgv knows about the
> user's personal keyring (which, in my case, has the key of many DD/DM,
> as a result of previous key signing parties) as well as system
> keyrings, while sqv seemingly doesn't.

Sorry that I was not clearer. When verifying signatures using any of
the GnuPG implementation's commands (gpg or gpgv), we never use the user
home directory (nor its pubring.{pgp,kbx} keyrings); the only
thing from the GnuPG home directory we try to use is the
~/.gnupg/trustedkeys.{gpg,kbx} keyring if present, but those do not get
automatically populated by gpg (AFAIR). So I'm assuming you might
have added your own certificate there (and perhaps a select few others?), and
if so that would mean you would not be able to verify other source
packages that are signed by other people.

And TBH, when I started to add the OpenPGP multi-backend support in
dpkg 1.21.x, I was already considering that using the trustedkeys
keyrings with GnuPG tools was probably not a very good idea, because
it could give different results depending on the backend used. So I
might perhaps consider deprecating its usage.

Thanks,
Guillem
