Package: dpkg-dev
Version: 1.22.21
Severity: important
X-Debbugs-Cc: [email protected]
dpkg-source's manpage states that when verifying the OpenPGP signature on a
source package that is being unpacked, the "user's trustedkeys.gpg keyring"
will be used in addition to vendor-specific and official Debian keyrings.
Under Bookworm, this means that a source package signed by an
ultimately-trusted key in ~/.gnupg/trustedkeys.gpg will be accepted by
dpkg-source. To demonstrate, on a Bookworm machine:
1. Run `gpg --full-generate-key`, and accept all default options when
generating the key.
2. Run `gpg --list-keys` and verify the new key is marked as "ultimate".
3. Run `gpg --export KEYID > ~/tmp.key` to export the new key, replacing KEYID
with the ID of the newly generated key.
4. Run `gpg --no-default-keyring --keyring=~/.gnupg/trustedkeys.gpg --import
~/tmp.key` to import the key into the trustedkeys.gpg keyring.
5. Run `gpg --keyring ~/.gnupg/trustedkeys.gpg --no-default-keyring
--list-keys` to verify the key is added and marked as having "ultimate"
trust level.
6. Create a simple test package under ~/test/myapp, with the following
contents (minus extraneous leading spaces, and replacing the name and email
address throughout as appropriate):
~/test/myapp/debian/changelog:

    myapp (1.0) unstable; urgency=medium

      * Initial release. (Closes: #9374289)

     -- Aaron Rainbolt <[email protected]>  Wed, 30 Jul 2025 19:52:52 -0500

~/test/myapp/debian/control:

    Source: myapp
    Section: misc
    Priority: optional
    Maintainer: Aaron Rainbolt <[email protected]>
    Build-Depends: debhelper-compat (= 13)
    Standards-Version: 4.7.2
    Rules-Requires-Root: no

    Package: myapp
    Architecture: all
    Depends: ${misc:Depends}
    Description: My App
     Prints the word "Hi!" when executed. Does not support localization.

~/test/myapp/debian/copyright:

    Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

    Files: *
    Copyright: 2025 Aaron Rainbolt <[email protected]>
    License: CC0
     I'm not about to paste the full text of the CC0 license here, paste it in
     yourself if you must.

~/test/myapp/debian/myapp.install:

    hi.sh usr/bin/

~/test/myapp/debian/rules (note, replace the spaces before `dh` with
a tab):

    #!/usr/bin/make -f
    %:
        dh $@

~/test/myapp/debian/source/format:

    3.0 (native)

~/test/myapp/hi.sh:

    #!/bin/bash
    echo 'Hi!'
7. Build this into a source package with
`cd ~/test/myapp; debuild -S -d -sa -us -uc`.
8. Sign it with the newly created key using
`debsign -kKEYID ../myapp_1.0_source.changes`.
9. Create a new directory at ~/test/extract.
10. Run `cd ~/test/extract;
dpkg-source -x --require-valid-signature ../myapp_1.0.dsc`.
On Bookworm, this will work as expected and extract the source package.
However, if the above steps are executed on a Trixie machine instead, it will
bail out with error message "dpkg-source: error: cannot verify inline
signature for ../myapp_1.0.dsc: no acceptable signature found". I tried using
both the Trixie default of ECC keys and the prior Bookworm default of RSA keys
on Trixie, and both of them fail in identical ways.
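The reproduction steps above, as one non-interactive script. This is an added example, not part of the bug report: `make_test_package` writes the step-6 package tree (with the tab-indented `dh` recipe that step 6 warns about) and `reproduce` runs steps 3 to 10 for a key ID you pass in, leaving steps 1 and 2 to `gpg --full-generate-key` as in the report. The maintainer name, the `maint@example.invalid` address, the `reproduce` argument convention and the default working directory `~/test` are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): scaffold the step-6 test package
# and, when run as "sh repro.sh reproduce KEYID [WORKDIR]", execute steps 3-10.
# MAINT_NAME/MAINT_EMAIL are constructed placeholder values.
set -eu

MAINT_NAME=${MAINT_NAME:-"Test Maintainer"}
MAINT_EMAIL=${MAINT_EMAIL:-"maint@example.invalid"}

# Write the minimal native source package from step 6 into $1 for the
# maintainer "$2 <$3>". Pure shell, so it needs no Debian tooling.
make_test_package() {
    pkgdir=$1; name=$2; email=$3
    mkdir -p "$pkgdir/debian/source"
    cat > "$pkgdir/debian/changelog" <<EOF
myapp (1.0) unstable; urgency=medium

  * Initial release.

 -- $name <$email>  Wed, 30 Jul 2025 19:52:52 -0500
EOF
    cat > "$pkgdir/debian/control" <<EOF
Source: myapp
Section: misc
Priority: optional
Maintainer: $name <$email>
Build-Depends: debhelper-compat (= 13)
Standards-Version: 4.7.2
Rules-Requires-Root: no

Package: myapp
Architecture: all
Depends: \${misc:Depends}
Description: My App
 Prints the word "Hi!" when executed. Does not support localization.
EOF
    cat > "$pkgdir/debian/copyright" <<EOF
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Files: *
Copyright: 2025 $name <$email>
License: CC0
 (paste the CC0 license text here)
EOF
    echo 'hi.sh usr/bin/' > "$pkgdir/debian/myapp.install"
    # make(1) recipes must start with a literal tab; printf's \t writes one.
    printf '#!/usr/bin/make -f\n%%:\n\tdh $@\n' > "$pkgdir/debian/rules"
    chmod +x "$pkgdir/debian/rules"
    echo '3.0 (native)' > "$pkgdir/debian/source/format"
    printf '%s\n' '#!/bin/bash' "echo 'Hi!'" > "$pkgdir/hi.sh"
    chmod +x "$pkgdir/hi.sh"
}

# True when debian/rules under $1 has the tab-indented dh recipe, i.e. the
# spaces-versus-tab mistake from step 6 did not happen.
rules_uses_tab() {
    grep -qF "$(printf '\tdh $@')" "$1/debian/rules"
}

# Steps 3-10 of the report for key ID $1, working under $2 (default ~/test).
# Requires gpg, debuild, debsign and dpkg-source on the machine under test.
reproduce() {
    keyid=$1; work=${2:-$HOME/test}
    keyring=$HOME/.gnupg/trustedkeys.gpg
    make_test_package "$work/myapp" "$MAINT_NAME" "$MAINT_EMAIL"
    gpg --export "$keyid" > "$work/tmp.key"                                 # step 3
    gpg --no-default-keyring --keyring "$keyring" --import "$work/tmp.key"  # step 4
    gpg --no-default-keyring --keyring "$keyring" --list-keys "$keyid"      # step 5
    (cd "$work/myapp" && debuild -S -d -sa -us -uc)                         # step 7
    (cd "$work" && debsign -k"$keyid" myapp_1.0_source.changes)             # step 8
    mkdir -p "$work/extract"                                                # step 9
    (cd "$work/extract" && dpkg-source -x --require-valid-signature ../myapp_1.0.dsc)  # step 10
}

# Only run the tool-dependent part when explicitly asked; running the file
# with no arguments just defines the functions.
if [ "${1:-}" = "reproduce" ]; then
    reproduce "$2" "${3:-}"
fi
```

Run `sh repro.sh reproduce KEYID` once on Bookworm and once on Trixie with the same key: the final `dpkg-source -x --require-valid-signature` is the step whose outcome differs between the two releases, and because every command is under `set -e` the script's exit status alone tells you whether extraction succeeded.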
If dpkg-source intentionally no longer supports trusting user-provided keys
when extracting source packages, this should be documented. It would be much
preferable to fix dpkg-source so that user-provided keys work again though.