Hi! On Fri, 2023-12-22 at 19:37:16 +0100, Aurelien Jarno wrote: > On 2023-12-22 19:23, Aurelien Jarno wrote: > > This also causes issues on the riscv64 build daemons running sid: > > > > | dupload exit status 9/0 > > | Removed to reupload later. > > | > > | Complete output from dupload: > > | > > | dupload note: no announcement will be sent. > > | Checking OpenPGP signatures before upload...gpgv: Signature made Fri Dec > > 22 18:06:16 2023 UTC > > | gpgv: using RSA key > > 670D3AC041E218107D0DE6F9339F749981589F2F > > | gpgv: Can't check signature: No public key > > | openpgp-check: error: cannot verify inline signature for > > emmax_0~beta.20100307-4_riscv64-buildd.changes: no acceptable signature > > found > > | > > | dupload: error: Pre-upload '/usr/share/dupload/openpgp-check %1' failed > > for emmax_0~beta.20100307-4_riscv64-buildd.changes
Ouch, ok. > > On 2023-12-22 12:16, Guillem Jover wrote: > > > Just to understand what is going wrong, I assume you don't have the > > > debian-keyring package installed (where the signing certificate could > > > be found in the debian-keyring.gpg keyring), nor the certificate for > > > A401FF99368FA1F98152DE755C808C2B65558117 in ~/.gnupg/trustedkeys.gpg? > > > > For debian build daemons, it is not expected to have the keys in the > > debian-keyring.gpg file. The file ~/.gnupg/trustedkeys.gpg does not > > exist. > > > > > But gpg has it in its certificate store? > > > > Yes: > > > > buildd@rv-manda-01:~/.gnupg$ gpg -K > > /home/buildd/.gnupg/pubring.kbx > > ------------------------------- > > sec rsa4096 2023-12-08 [SC] [expire : 2024-12-07] > > 670D3AC041E218107D0DE6F9339F749981589F2F > > uid [ ultime ] buildd autosigning key rv-manda-01 > > <buildd_riscv64-rv-manda...@buildd.debian.org> > > It seems the decision to trust the key comes from ~/.gnupg/trustdb.gpg, > not from ~/.gnupg/trustedkeys.gpg. The trustedkeys.gpg is a keyring used mainly by gpgv (gpg does not use it by default, except that the dpkg code will feed it as an additional keyring if it is found. I'll prepare an upload right away and force the code to use gpg for now (as it was used before the recent upload, instead of trying gpgv, sqop, pgpainless-cli, or sq), until I've devised a better migration plan, or implemented enough configuration options for people to switch or use other OpenPGP backends when desired. Thanks, Guillem
