On Sun, Jun 07, 2026 at 09:35:09AM +0200, Michele Cane wrote:
> Package: hplip
> Version: 3.26.4+dfsg0-2
> Severity: important
> Followup-For: Bug #1137654
> 
> I can confirm that this is still reproducible with hplip 3.26.4+dfsg0-2,
> but the failure mode is clearer now.
> 
> The plugin metadata currently points to:
> 
>   
> http://www.openprinting.org/download/printdriver/auxfiles/HP/plugins/hplip-3.26.4-plugin.run
> 
> The downloaded file has the checksum listed in plugin.conf:
> 
>   199f78f8af7f36894d7180e9090963ce2550a75ec701f8a4ba37665a9746fdf0
> 
> So the file is not corrupted.  The verification failure happens because the
> current plugin is signed with HP's newer RSA key:
> 
>   primary fingerprint: 82FF A7C6 AA74 11D9 34BD E173 AC69 536A 2CF3 A243
>   signing subkey:      1E3D 9B4E 4447 5F51 EC08 45AB 5E4E 4D24 A34E CD57
> 
> The hplip package still ships/imports the older HPLIP DSA key:
> 
>   4ABA 2F66 DBD5 A958 9491 0E06 73D7 70CD A590 47B9
> 

Hi, thanks for the info.

It is not only about plugins but also about upgrades,

hplip.v2$ uscan --download-current-version
Newest version of hplip on remote site is 3.26.4, specified download version is 
3.26.4
gpgv: Signature made Wed May 20 07:22:15 2026 CEST
gpgv:                using RSA key 5E4E4D24A34ECD57
gpgv: Can't check signature: No public key
uscan die: OpenPGP signature did not verify. at 
/usr/share/perl5/Devscripts/Uscan/Output.pm line 83.


hplip.v2$ uscan --download-version 3.22.10
Newest version of hplip on remote site is 3.22.10, specified download version 
is 3.22.10
gpgv: Signature made Thu Oct 27 15:17:27 2022 CEST
gpgv:                using DSA key 4ABA2F66DBD5A95894910E0673D770CDA59047B9
gpgv: Good signature from "HPLIP (HP Linux Imaging and Printing) <[email protected]>"

So, Thorsten, seems that it is really needed to upgrade hplip gpg key
under debian/upstream/signing-key.asc (it is installed in the package
and apparently used to verify plugins).

While we are at this you may want to upgrade debian/watch to v5, see
attached watch file for a proposal.

Hope this helps,

-- 
Agustin
Version: 5

Source: https://sf.net/hplip/
Matching-Pattern: hplip-@ANY_VERSION@@ARCHIVE_EXT@
Dversion-Mangle: s/\+(dfsg|repack)([0-9]+)?$//
Uversion-Mangle: s/^(\S+py\d)/0.0.$1/;s/_/./g
Pgp-Sig-Url-Mangle: s/$/.asc/

Reply via email to