On Thu, Jan 22, 2026 at 06:28:22PM +0100, Sven Joachim wrote: > On 2026-01-21 18:15 -0500, Thomas Dickey wrote: > > > On Wed, Jan 21, 2026 at 02:58:36PM -0500, Thomas Dickey wrote: > >> On Wed, Jan 21, 2026 at 07:12:31PM +0100, Sven Joachim wrote: > >> > On 2026-01-20 14:58 -0500, Thomas Dickey wrote: > >> > > >> > > Now I updated > >> > > > >> > > https://invisible-island.net/public/[email protected] > >> > > > >> > > from the file which I generated on Saturday. > >> > > >> > Thanks. Unfortunately I ran into a new problem with this key, the sqv > >> > tool (which dpkg-source uses by default) complains about existing > >> > signatures: > >> > > >> > ,---- > >> > | $ wget -q > >> > https://invisible-mirror.net/archives/ncurses/current/tack-1.11-20251210.tgz > >> > | $ wget -q > >> > https://invisible-mirror.net/archives/ncurses/current/tack-1.11-20251210.tgz.asc > >> > | $ wget -q > >> > https://invisible-mirror.net/public/[email protected] > >> > > >> > | $ LANG=C sqv --keyring [email protected] > >> > tack-1.11-20251210.tgz.asc tack-1.11-20251210.tgz > >> > | Signing key on 19882D92DDA4C400C22C0D56CC2AF4472167BE03 is not bound: > >> > | No binding signature at time 2025-12-11T01:25:41Z > >> > | because: No binding signature at time 2025-12-11T01:25:41Z > >> > | $ echo $? > >> > | 1 > >> > `---- > >> > > >> > When I merge the expired key and the new one with "sq keyring merge", > >> > the complaints stop. > >> > > >> > Apparently this problem does not show up with gpg instead of sq/sqv, any > >> > ideas? > >> > >> no - I'm not familiar with sqv. Any clues would help. I'll read about it, > >> but as usual, there are distractions... > > > > I suppose gpg is able to see that the renewed key is a continuation of > > the expired key, but sq/sqv does not do that. > > > > Looking for differences/incompatibilities, I don't see much - > > > > https://forums.kicksecure.com/t/sequoia-pgp-gpg-replacement-openpgp/260/6 > > I think that is red herring. The issue here is that the key you put on > your homepage does not contain the old self-signed signature, but sqv/sq > requires it to be present. This has been discussed to some length at > https://gitlab.com/sequoia-pgp/sequoia/-/issues/1105. > > I do not know which tool and options you used when exporting your key, > but re-exporting it with "gpg --export-options no-export-clean" makes > sqv work.
I did this: gpg --armor --export 19882D92DDA4C400C22C0D56CC2AF4472167BE03 > [email protected] and renamed ".asc" to ".txt" for the webpage. I did overlook updating the webpage until you pointed it out, but the webpage has the export of the renewed key. (I think that having both the expired and the renewed dumps would be confusing) > > (presumably if I made another snapshot and signed that with the renewed > > key, sq/sqv would work) > > Almost surely, but no need for that. We will find out when you publish > the next ncurses patchlevel. :-) > > In the meantime I shall include both the old and the new signature in > debian/upstream/signing-key.asc, so that dpkg-source (when building the > current package) and uscan (when downloading a new version) are equally > happy. yes... I don't plan to make an update for tack right away, because I've other programs needing work. -- Thomas E. Dickey <[email protected]> https://invisible-island.net
signature.asc
Description: PGP signature
