This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch main in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=5c60223b5c17685b99ae69489acbd5fd63e0474e
commit 5c60223b5c17685b99ae69489acbd5fd63e0474e
Author: Guillem Jover <[email protected]>
AuthorDate: Sat May 24 21:00:24 2025 +0200
Dpkg::Source::Package: Deprecate implicit trusted GnuPG keyrings
These keyrings are specific to a single implementation, GnuPG, which in addition use a custom and unportable file format (KeyBox) not understood by other OpenPGP implementations. Which makes using different OpenPGP implementation non-reproducible. Now that we can specify user supplied certrings, we no longer need this, and will be deprecating its use, to eventually completely remove it.
---
scripts/Dpkg/Source/Package.pm | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/scripts/Dpkg/Source/Package.pm b/scripts/Dpkg/Source/Package.pm
index 93efa752e..dff2f29b8 100644
--- a/scripts/Dpkg/Source/Package.pm
+++ b/scripts/Dpkg/Source/Package.pm
@@ -537,10 +537,18 @@ sub check_signature {
 info(g_('verifying %s'), $dsc);
+ # User specified signer certificates, otherwise fallback to use the
+ # trusted keyrings.
 if (@{$self->{options}{certs}}) {
 push @certs, @{$self->{options}{certs}};
+ } else {
+ foreach my $keyring ($self->{openpgp}->get_trusted_keyrings()) {
+ push @certs, $keyring;
+ warning(g_('using implicit trusted keyring %s is deprecated; ' .
+ 'use --signer-cert with an OpenPGP keyring instead'),
+ $keyring);
+ }
 }
- push @certs, $self->{openpgp}->get_trusted_keyrings();
 foreach my $vendor_keyring (run_vendor_hook('package-keyrings')) {
 if (-r $vendor_keyring) {
-- Dpkg.Org's dpkg
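Review bot: The new `else` branch changes the trust set for callers that already pass `--signer-cert`: the removed unconditional `push @certs, $self->{openpgp}->get_trusted_keyrings();` accepted both sources, whereas the implicit keyrings are now dropped on that path with no warning, so a signature that previously verified only through a trusted keyring would presumably now fail without explanation. That narrowing is a sensible default, but the comment above the `if` should state it, e.g. `# User-specified signer certificates replace (not extend) the implicit trusted keyrings; vendor keyrings below are still appended either way.` The last part is inferred from the `foreach my $vendor_keyring` loop, whose body lies outside the hunk; if it does push to `@certs`, an explicit certificate does not pin verification to that certificate alone, which is worth confirming as intended. check_signature starts before and continues after this hunk.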

