Hi, sorry it took me a bit longer to verify this.
On Fri, Sep 24, 2021 at 11:02:55AM +0100, Nikolaus Rath wrote: > On Fri, 24 Sep 2021, at 11:00, Mattia Rizzolo wrote: > >> At first I thought that the upstream signature file was corrupted, but > >> it seems that gpgv can't deal with a the keyring if it is generated the > >> way that uscan(1) says it should be: > > > > I'll need to check your specifc case, but I can assure you that armored > > keys are very much fine and I'm using them all the time with uscan. > > > Thanks for the quick response. Let me know if I can help in any way - > I don't see myself doing anything special, just executing the commands > given in uscan(1) on a bullseye system (with devscripts installed from > unstable, just in case). I'm still convinced you did something weird. So I cloned your s3ql repo and % git checkout a8a5cd2633e372e238595004e92a6e93f94d6714^ % cd debian % mkdir upstream % mv upstream-signing-key.pgp upstream/signing-key.asc % .. % uscan uscan info: uscan (version 2.21.4) See uscan(1) for help uscan info: Scan watch files in . uscan info: Check debian/watch and debian/changelog in . uscan info: package="s3ql" version="3.7.0+dfsg-3" (as seen in debian/changelog) uscan info: package="s3ql" version="3.7.0+dfsg" (no epoch/revision) ... uscan: Newest version of s3ql on remote site is 3.7.3+dfsg, local version is 3.7.0+dfsg uscan: => Newer package available from: => https://github.com/s3ql/s3ql/releases/download/release-3.7.3/s3ql-3.7.3.tar.bz2 uscan info: Downloading upstream package: s3ql-3.7.3.tar.bz2 uscan info: Requesting URL: https://github.com/s3ql/s3ql/releases/download/release-3.7.3/s3ql-3.7.3.tar.bz2 uscan info: Successfully downloaded package: s3ql-3.7.3.tar.bz2 uscan info: Downloading OpenPGP signature from: https://github.com/s3ql/s3ql/releases/download/release-3.7.3/s3ql-3.7.3.tar.bz2.asc (pgpsigurlmangled) as s3ql-3.7.3.tar.bz2.asc uscan info: Requesting URL: https://github.com/s3ql/s3ql/releases/download/release-3.7.3/s3ql-3.7.3.tar.bz2.asc uscan info: Verifying OpenPGP signature ../s3ql-3.7.3.tar.bz2.asc for ../s3ql-3.7.3.tar.bz2 gpgv: Signature made Thu 03 Jun 2021 09:40:47 PM CEST gpgv: using RSA key ED31791B2C5C1613AF388B8AD113FCAC3C4E599F gpgv: Good signature from "Nikolaus Rath <nikol...@rath.org>" uscan info: New orig.tar.* tarball version (oversionmangled): 3.7.3+dfsg uscan info: Launch mk-origtargz with options: --package s3ql --version 3.7.3+dfsg --rename --signature 1 --signature-file ../s3ql-3.7.3.tar.bz2.asc --compression default --directory .. --copyright-file debian/copyright ../s3ql-3.7.3.tar.bz2 Skip adding upstream signature since upstream file is repacked. Successfully repacked ../s3ql-3.7.3.tar.bz2 as ../s3ql_3.7.3+dfsg.orig.tar.xz, deleting 108 files from it. uscan info: New orig.tar.* tarball version (after mk-origtargz): 3.7.3+dfsg uscan info: Scan finished I didn't even bother to export it anew, since what you have (although with a .pgp extension) already was armored. Anyway, since you are DM and I already have your key in my local copyof the keyring: % gpg --export --export-options export-minimal --armor nikol...@rath.org > debian/upstream/signing-key.asc % uscan -ddd [same result as above] (btw, you should use both `export-clean,export-minimal`, not just `export-minimal`). For you to try I pushed what works for me (once I got to this point, I'm not sure anymore why I checked branch aboveā¦) to a "test-uscan" branch of s3ql. In there `uscan -ddd` downloads and verify appropriately. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. More about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri `. `'` Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
signature.asc
Description: PGP signature