Hi,

> > $ dpkg-source --version
> > Debian dpkg-source version 1.22.21.
> > $ dpkg-source --extract bpfcc_0.31.0+ds-7.dsc
> > dpkg-source: warning: cannot verify inline signature for ./bpfcc_0.31.0+ds-7.dsc: no acceptable signature found
> > dpkg-source: info: extracting bpfcc in bpfcc-0.31.0+ds
> > dpkg-source: error: unpack target exists: bpfcc-0.31.0+ds
>
> In this case I assume you have another OpenPGP implementation installed
> and do not have a SOP implementation around, and the code skips calling
> the verification if there are no keyrings (probably sqv and no
> sopv-gpgv?).

The above is from a plain debian:unstable container image with only
`apt install -y dpkg-dev` run to be able to test the command, and it
seems your guess about what dependencies are pulled in by default is
correct:

# dpkg -l | grep -E "gpg|sqv|keyring"
ii  debian-archive-keyring    2025.1                      all    OpenPGP archive certificates of the Debian archive
ii  sqv                       1.3.0-3                     amd64  OpenPGP signature verification program from Sequoia

> I improved this at the time in git and with no debian-keyring and with
> a sopv implementation one gets the following instead:
>
>   ,---
>   $ dpkg-source --version
>   Debian dpkg-source version 1.22.19-165-g023ab.
>   $ dpkg-source: info: verifying ./bpfcc_0.31.0+ds-7.dsc
>   dpkg-source: info: skipping absent keyring /usr/share/keyrings/debian-keyring.gpg
>   dpkg-source: info: skipping absent keyring /usr/share/keyrings/debian-tag2upload.pgp
>   dpkg-source: info: skipping absent keyring /usr/share/keyrings/debian-nonupload.gpg
>   dpkg-source: info: skipping absent keyring /usr/share/keyrings/debian-maintainers.gpg
>   dpkg-source: warning: cannot verify inline signature for ./bpfcc_0.31.0+ds-7.dsc: missing OpenPGP keyrings

The above is very clear about what keys it was checking and what is
missing, thanks!

Thanks also for the explanations and pointing out that
`--require-valid-signature` exists!
