On 2026-01-21 18:15 -0500, Thomas Dickey wrote:

> On Wed, Jan 21, 2026 at 02:58:36PM -0500, Thomas Dickey wrote:
>> On Wed, Jan 21, 2026 at 07:12:31PM +0100, Sven Joachim wrote:
>> > On 2026-01-20 14:58 -0500, Thomas Dickey wrote:
>> > 
>> > > Now I updated 
>> > >
>> > > https://invisible-island.net/public/[email protected]
>> > >
>> > > from the file which I generated on Saturday.
>> > 
>> > Thanks.  Unfortunately I ran into a new problem with this key, the sqv
>> > tool (which dpkg-source uses by default) complains about existing
>> > signatures:
>> > 
>> > ,----
>> > | $ wget -q https://invisible-mirror.net/archives/ncurses/current/tack-1.11-20251210.tgz
>> > | $ wget -q https://invisible-mirror.net/archives/ncurses/current/tack-1.11-20251210.tgz.asc
>> > | $ wget -q https://invisible-mirror.net/public/[email protected]
>> > | $ LANG=C sqv --keyring [email protected] tack-1.11-20251210.tgz.asc tack-1.11-20251210.tgz
>> > | Signing key on 19882D92DDA4C400C22C0D56CC2AF4472167BE03 is not bound:
>> > |            No binding signature at time 2025-12-11T01:25:41Z
>> > |   because: No binding signature at time 2025-12-11T01:25:41Z
>> > | $ echo $?
>> > | 1
>> > `----
>> > 
>> > When I merge the expired key and the new one with "sq keyring merge",
>> > the complaints stop.
>> > 
>> > Apparently this problem does not show up with gpg instead of sq/sqv, any
>> > ideas?
>> 
>> no - I'm not familiar with sqv.  Any clues would help.  I'll read about it,
>> but as usual, there are distractions...
>
> I suppose gpg is able to see that the renewed key is a continuation of
> the expired key, but sq/sqv does not do that.
>
> Looking for differences/incompatibilities, I don't see much -
>
> https://forums.kicksecure.com/t/sequoia-pgp-gpg-replacement-openpgp/260/6

I think that is a red herring.  The issue here is that the key you put on
your homepage does not contain the old self-signed signature, but sqv/sq
requires it to be present.  This has been discussed at some length at
https://gitlab.com/sequoia-pgp/sequoia/-/issues/1105.

I do not know which tool and options you used when exporting your key,
but re-exporting it with "gpg --export-options no-export-clean" makes
sqv work.

> (presumably if I made another snapshot and signed that with the renewed
> key, sq/sqv would work)

Almost surely, but no need for that.  We will find out when you publish
the next ncurses patchlevel. :-)

In the meantime I shall include both the old and the new signature in
debian/upstream/signing-key.asc, so that dpkg-source (when building the
current package) and uscan (when downloading a new version) are equally
happy.

Cheers,
       Sven
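
The failure discussed in this thread, as an added example that is not part of the original messages and is not Sequoia or GnuPG code: a simplified model of a time-based binding check, showing why an export that keeps only the newest self-signature fails for a signature made on 2025-12-11 while the merged certificate passes. Only the signature time comes from the sqv output above; the key creation date, self-signature dates and validity periods are constructed, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def binding_status(key_created, self_sigs, at):
    """State of a key at time `at`, judged only from the self-signatures
    present in the exported certificate.

    self_sigs: list of (sig_created, validity) pairs; validity is a
    timedelta counted from key_created, or None for "never expires".
    """
    live = [s for s in self_sigs if s[0] <= at]
    if not live:
        return "no binding signature"      # nothing vouches for the key yet
    _, validity = max(live, key=lambda s: s[0])
    if validity is not None and key_created + validity <= at:
        return "expired"
    return "bound"

def export_clean(self_sigs):
    """Assumed model of a cleaned export: self-signatures superseded by a
    later one are dropped, so only the newest survives."""
    return [max(self_sigs, key=lambda s: s[0])]

# Signature time reported by sqv in the thread.
SIG_TIME = datetime(2025, 12, 11, 1, 25, 41, tzinfo=UTC)

# Constructed sample certificate (not the real key's dates).
KEY_CREATED = datetime(2021, 1, 15, tzinfo=UTC)
OLD_SELF_SIG = (KEY_CREATED, timedelta(days=1825))            # ends 2026-01-14
NEW_SELF_SIG = (datetime(2026, 1, 17, tzinfo=UTC), timedelta(days=3650))
FULL = [OLD_SELF_SIG, NEW_SELF_SIG]        # merged keyring / no-export-clean
CLEANED = export_clean(FULL)               # what a cleaned export would carry

if __name__ == "__main__":
    for name, sigs in (("full", FULL), ("cleaned", CLEANED)):
        print(name, "->", binding_status(KEY_CREATED, sigs, SIG_TIME))
```
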
