[CC += 870780]

On Fri, 2017-08-18 at 03:46 -0400, Daniel Kahn Gillmor wrote:
> On Fri 2017-08-18 10:02:49 +0300, Adrian Bunk wrote:
> > https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/debian-archive-keyring.html
> >
> > ...
> > gpg --no-options --no-default-keyring --no-auto-check-trustdb
> > --trustdb-name ./trustdb.gpg \
> > --keyring keyrings/team-members.gpg --verify \
> > keyrings/debian-archive-keyring.gpg.asc \
> > keyrings/debian-archive-keyring.gpg
> > gpg: Signature made Thu May 25 06:30:03 2017 -12
> > gpg: using RSA key C5CE5DC2C542CD59
> > gpg: BAD signature from "Adam D. Barratt <a...@adam-barratt.org.uk>" [unknown]
> [...]
> The difference between the keyrings is the trust packets:
> [...]
> This is happening because of a combination of several factors:
>
> One of them is https://bugs.debian.org/870780 -- the
> debian-archive-keyring really shouldn't have OpenPGP trust packets in it
> in the first place. Those are deliberately underspecified and
> vendor-specific:
> [...]
> The larger problem here is that jetring (and debian-archive-keyring, and
> anything else which uses jetring) seems to assume some things about what
> GnuPG does with the contents of ~/.gnupg.
> [...]
> If #870780 was resolved (perhaps by fixing jetring to use GnuPG's
> external interfaces?) and a new debian-archive-keyring.gpg.asc was
> created by Adam (or some other member of the team) then i think this
> problem would go away.
As discussed on IRC, I think the fundamental fix here needs to be in
jetring. In the short term, however, we could resolve the issue in d-a-k
in one of two ways.

1. Have the rules that generate the keyrings clean them afterwards. For
   example, changing:

    keyrings/debian-archive-keyring.gpg: active-keys/index
    	jetring-build -I $@ active-keys

   to

    keyrings/debian-archive-keyring.gpg: active-keys/index
    	jetring-build -I $@ active-keys
    	gpg --import-options import-export --import < $@ > $@.tmp
    	mv -f $@.tmp $@

   and similarly for the removed keyring. (and maybe for the
   trusted.gpg.d files as well?)

2. Add the manual equivalent of the above to the "pre-build" section of
   README.maintainer, leaving the package creating crufty files and the
   responsibility of cleaning them up resting with the person generating
   the package.

Particularly if we want/need to clean up the trusted.gpg.d files as well,
I'm inclined towards option 1, even if it does mean a small bit of
repetition in the makefile.

Regards,

Adam
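The trust packets dkg points to are ordinary OpenPGP packets with tag 12, so a build can check a keyring for them directly rather than depending on what GnuPG happens to write out. The script below is an added example, not code from this thread, from jetring or from debian-archive-keyring: it walks RFC 4880 packet headers, counts the trust packets in a binary keyring and strips them, leaving every other packet byte-for-byte intact. The sample keyring is constructed for the example and assumes the usual GnuPG keyring layout (a plain concatenation of packets, no partial-length headers).

```python
# Find and strip OpenPGP trust packets (tag 12) from a binary keyring. Assumes a
# plain concatenation of RFC 4880 packets without partial-length headers (GnuPG keyring layout).

TRUST_PACKET_TAG = 12  # RFC 4880 section 5.10: contents are implementation-specific

def iter_packets(data: bytes):
    """Yield (tag, raw_packet_bytes) for each packet in data."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError(f"invalid packet header at offset {pos}")
        if first & 0x40:  # new-format header: tag in the low 6 bits
            tag = first & 0x3F
            o1 = data[pos + 1]
            if o1 < 192:
                length, hdr = o1, 2
            elif o1 < 224:
                length, hdr = ((o1 - 192) << 8) + data[pos + 2] + 192, 3
            elif o1 == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial-length header not expected in a keyring")
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packet not supported")
            hdr = 1 + (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        end = pos + hdr + length
        if end > len(data):
            raise ValueError(f"truncated packet at offset {pos}")
        yield tag, data[pos:end]
        pos = end

def count_trust_packets(keyring: bytes) -> int:
    return sum(1 for tag, _ in iter_packets(keyring) if tag == TRUST_PACKET_TAG)

def strip_trust_packets(keyring: bytes) -> bytes:
    # Every other packet is copied unchanged, header bytes included.
    return b"".join(pkt for tag, pkt in iter_packets(keyring) if tag != TRUST_PACKET_TAG)

# Constructed sample, not a real keyring: key, user ID, then two trust packets (old- and new-format header).
SAMPLE_KEYRING = (
    b"\x98\x03\x04AB"      # tag 6 (public key), old format, 3-byte body
    + b"\xb4\x05alice"     # tag 13 (user ID), old format, 5-byte body
    + b"\xb0\x02\x00\x03"  # tag 12 (trust), old format
    + b"\xcc\x02\x00\x01"  # tag 12 (trust), new format
)
```

Running `count_trust_packets` over a freshly built keyring in the rule is a cheap reproducibility check; a non-zero result means the file still carries the vendor-specific packets that made the detached signature fail to verify.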