On Fri, 2016-03-25 at 09:54 +0100, Georges Khaznadar wrote:
[...]
> I got the notifications for uploads:
> - auto-multiple-choice just before the 19th March
> - wxglade the 24th March (I kept the message, id=E1aj1ok-0005lP-
> [email protected])
> 
> However I never received e-mails about their acceptation (nor refusal) in
> Unstable.
> 
> ----
> 
> Here are possible clues:
> I verified that I own two keys in debian-keyring:

No, only one of those is in the keyring.

> - id 1024D/11691130
> - id 4096R/7136AE39

adam@jacala:~$ gpg --no-default-keyring --keyserver keyring.debian.org 
--recv-keys 11691130
gpg: requesting key 11691130 from hkp server keyring.debian.org
gpgkeys: key 11691130 can't be retrieved
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

adsb@franck:~$ gpg --no-default-keyring --keyring 
/srv/keyring.debian.org/keyrings/debian-keyring.gpg --list-keys 11691130
gpg: error reading key: public key not found

> The first key is now considered too weak and should be removed; I use the
> second one to sign my packages. A possible explanation of failures may be the
> fact that the first key was expired before the begin of March (I renewed its
> validity for two years a few days ago).

You mean the second key:

adsb@franck:~$ gpg --no-default-keyring --keyring 
/srv/keyring.debian.org/keyrings/debian-keyring.gpg --list-keys 7136AE39
pub   4096R/7136AE39 2010-09-17 [expired: 2016-03-05]
uid                  Georges Khaznadar <[email protected]>
uid                  Georges Khaznadar <[email protected]>
uid                  Georges Khaznadar <[email protected]>
uid                  [jpeg image of size 699]

> ----
> 
> Here are my questions:
> - is it possible that some package upload gets a refusal because of an issue
> with a GPG key not used to sign it?

No. The issue is with the key that *was* used to sign it.

adsb@franck:~$ gpg --no-default-keyring --keyring 
/srv/keyring.debian.org/keyrings/debian-keyring.gpg --verify 
queue/unchecked/auto-multiple-choice_1.3.0-1.dsc 
gpg: Signature made Wed 16 Mar 2016 14:20:31 UTC using RSA key ID 7136AE39
gpg: Good signature from "Georges Khaznadar <[email protected]>"
gpg:                 aka "Georges Khaznadar <[email protected]>"
gpg:                 aka "Georges Khaznadar <[email protected]>"
gpg:                 aka "[jpeg image of size 699]"
gpg: Note: This key has expired!
Primary key fingerprint: 3340 B364 FF67 153F B7CC  AE85 1C28 1690 7136 AE39

dak has a known issue in such circumstances where it will fail to accept
the upload due to the broken signature but also not reject it. An
ftp-master needs to manually remove the files from the unchecked queue.

> - should the debian keyring keep useless 1024 bit GPG keys?

That's not a question for the FTP team. Your 1024-bit key isn't in the
keyring, however, so that's a rather academic question.

> - how can I ask help from you to restore my access, and be able to upload
> packages? I currently maintain 60 of them, and there are simple issues pending
> about four of them, which I would like to manage not too late.

a) ensure that you have pushed the 4096 key with updated expiry date to
keyring.debian.org

b) wait for the next time the keyring maintainers import updated keys
(usually about once a month)

Regards,

Adam

Reply via email to