Hi! On Thu, 2020-10-15 at 11:40:59 -0400, Daniel Kahn Gillmor wrote: > On Sat 2020-09-05 17:09:06 +0200, Guillem Jover wrote: > > I was trying out sqv, to potentially add native support for it into > > dpkg-dev, but either it does not work as expected or I'm confused by > > the docs. :) > > > > $ apt source libbsd > > $ sqv -v --keyring libbsd-0.10.0/debian/upstream/signing-key.asc \ > > libbsd_0.10.0.orig.tar.xz.asc libbsd_0.10.0.orig.tar.xz > > Missing key 4F3E74F436050C10F5696574B972BF3EA4AE57A3, which is needed to > > verify signature. > > 0 of 1 signatures are valid (threshold is: 1). > > $ sqv -v --keyring /usr/share/keyrings/debian-keyring.gpg \ > > libbsd_0.10.0.orig.tar.xz.asc libbsd_0.10.0.orig.tar.xz > > 4F3E74F436050C10F5696574B972BF3EA4AE57A3 > > 1 of 1 signatures are valid (threshold is: 1). > > I forwarded this to upstream at > https://gitlab.com/sequoia-pgp/sequoia/-/issues/585, and Justus there > suggests that the problem is that the OpenPGP certificate in > libbsd-0.10.0/debian/upstream/signing-key.asc is not up-to-date. With a > refreshed version of the certificate, it appears to work.
I was also embarrassed for a moment, :) then realized this should have failed with GnuPG, and rechecking the signing-key.asc recalled it contains the two certificates concatenated one after the other, which GnuPG seems to be able to import correctly. > So i don't think this is a bug in sqv, and i'm closing the ticket. Feel > free to reopen if you think that there is still a problem! I guess that depends on whether sqv is supposed to support concatenated certificates, or whether they need to be in a single ASCII armored block? I'm not sure how prevalent this is in the archive, but I expect other instances to exist there. ISTR concatenation being documented somewhere as a way to add new certificates. Thanks, Guillem
