To support the bug title, I did a comparison of the different OpenPGP
implementations for all the upstream signed tags for src:linux.

Git normally wants to run gpg and expects any alternative to implement
the same options and output format, so I implemented wrapper scripts to
make it work with the different verifier commands all using
debian/upstream/signing-key.asc as the keyring.

In this case the keyring contains:

pub   rsa4096/38DBBDC86092693E 2011-09-23 [SC]
      647F28654894E3BD457199BE38DBBDC86092693E
uid                 [ unknown] Greg Kroah-Hartman (Linux kernel stable release signing key) <[email protected]>
sub   rsa4096/F38153E276D54749 2011-09-23 [E]

pub   rsa2048/79BE3E4300411886 2011-09-20 [SC]
      ABAF11C65A2970B130ABE3C479BE3E4300411886
uid                 [ unknown] Linus Torvalds <[email protected]>
sub   rsa2048/88BCE80F012F54CA 2011-09-20 [E]

pub   rsa4096/E7BFC8EC95861109 2009-07-12 [SC]
      AC2B29BD34A6AFDDB3F68F35E7BFC8EC95861109
uid                 [ unknown] Ben Hutchings (DOB: 1977-01-11)
uid                 [ unknown] Ben Hutchings <[email protected]>
uid                 [ unknown] Ben Hutchings <[email protected]>
sub   rsa4096/CF0469521357C3D7 2009-07-12 [E]

pub   rsa4096/DEA66FF797772CDC 2012-02-09 [SC]
      E27E5D8A3403A2EF66873BBCDEA66FF797772CDC
uid                 [ unknown] Sasha Levin <[email protected]>
uid                 [ unknown] Sasha Levin <[email protected]>
uid                 [ unknown] Sasha Levin <[email protected]>
uid                 [ unknown] Sasha Levin <[email protected]>
sub   rsa4096/D0065D755EB09DBB 2012-02-09 [E]

The numbers of tags accepted per ID and verifier are:

ID                                      gpgv  rsopv  sqopv
----------------------------------------------------------
Greg Kroah-Hartman <[email protected]>  3683   3553      0
Greg Kroah-Hartman <[email protected]>    36     36      0
Linus Torvalds <[email protected]>       644    452      0
Ben Hutchings <[email protected]>        137    137     68
Sasha Levin <[email protected]>           41     41     41
Sasha Levin <[email protected]>            4      4      4
Sasha Levin <[email protected]>           27      0      0
Sasha Levin <[email protected]>           39      0      0

There is already some disagreement between gpgv and rsopv, but the large
majority of tags are accepted by both.  But sqopv rejects *all*
signatures made by Greg or Linus, and by some of Sasha's IDs.  (It also
rejects some of mine, but it appears that those are all v3 signatures
which I don't care about.)

Ben.

-- 
Ben Hutchings
Any smoothly functioning technology is indistinguishable
from a rigged demo.
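
The wrapper approach described in the message can be sketched as follows. This is an added example, not the wrapper scripts used for the comparison above. It assumes git's usual `--status-fd=1 --verify <sigfile> -` invocation of `gpg.program` and the SOP `verify` output format; the `SOPV` and `KEYRING` variables and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: gpg.program shim that lets git verify tags with a SOP
# verifier (sqopv, rsopv). Assumed git invocation:
#   <program> --keyid-format=long --status-fd=1 --verify <sigfile> -
# with the signed payload on stdin.
SOPV="${SOPV:-sqopv}"                                   # hypothetical variable
KEYRING="${KEYRING:-debian/upstream/signing-key.asc}"   # hypothetical variable

# SOP "verify" prints one line per good signature:
#   <timestamp> <signing-key-fpr> <primary-key-fpr> [mode:...]
# Turn each into the GnuPG status lines git looks for. gpg prints NEWSIG
# before GOODSIG, so keep that order. SOP reports no user ID, so the
# primary fingerprint stands in for the name field (assumption).
sop_to_status() {
    while read -r _ts _signer primary _rest; do
        [ -n "$primary" ] || continue
        keyid=$(printf '%s' "$primary" | tail -c 16)    # v4 long key ID
        printf '[GNUPG:] NEWSIG\n'
        printf '[GNUPG:] GOODSIG %s %s\n' "$keyid" "$primary"
    done
}

gpg_shim() {
    sigfile=
    while [ $# -gt 0 ]; do
        case "$1" in
            --verify) [ $# -ge 2 ] || break; sigfile=$2; shift ;;
        esac
        shift
    done
    if [ -z "$sigfile" ]; then
        echo "gpg-shim: only --verify <sigfile> is supported" >&2
        return 2
    fi
    # Fail closed: verifier error or empty output means no GOODSIG at all.
    out=$("$SOPV" verify "$sigfile" "$KEYRING") || return 1
    [ -n "$out" ] || return 1
    printf '%s\n' "$out" | sop_to_status
}

# Run as a program only when git passes arguments.
[ $# -eq 0 ] || { gpg_shim "$@"; exit; }
```

Saved as an executable file, the shim would be selected with `git config gpg.program /path/to/shim` before running `git verify-tag`.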
