Hi Yadd,

On Sat, Aug 23, 2025 at 02:41:55PM +0200, Yadd wrote:
> Control: tags -1 + help
>
> Hi,
>
> I tried to build a test to reproduce CVE-2025-8454 but for now I didn't
> succeed: uscan checked signatures. Can someone help here?
>
> The MR is https://salsa.debian.org/debian/devscripts/-/merge_requests/552

How about putting a 'fake' (i.e. simulating the previous run which had either an error or did not verify the signature, because e.g. sequoia was used, and upstream still relies on SHA1 signatures), in that location then re-run uscan as described, so mostly replicating what Uwe did in https://bugs.debian.org/1109251#5 (note it is not a sopv problem here).

"uscan warn: File already downloaded, skipping OpenPGP verification" is not enough in this case when --skip-signature is not passed.

Does this help for developing a testcase?

Regards,
Salvatore

