[cc me]

On Tue, Oct 1, 2019 at 9:00 AM Mathieu Malaterre <[email protected]> wrote:
>
> Hi there,
>
> Here is what I see when I try to update libkcapi upstream package
> (Debian/buster):
>
> $ uscan --verbose --force-download --rename
> [...]
> uscan info: Downloading OpenPGP signature from
> http://www.chronox.de/libkcapi/libkcapi-1.1.5.tar.xz.asc (pgpsigurlmangled)
> as libkcapi-1.1.5.tar.xz.asc
> uscan info: Requesting URL:
> http://www.chronox.de/libkcapi/libkcapi-1.1.5.tar.xz.asc
> uscan info: Verifying OpenPGP signature ../libkcapi-1.1.5.tar.xz.asc
> for ../libkcapi-1.1.5.tar.xz
> uscan info: Execute: gpgv --homedir /dev/null --keyring
> /tmp/VZrTWy04zw/trustedkeys.gpg ../libkcapi-1.1.5.tar.xz.asc
> ../libkcapi-1.1.5.tar.xz...
> gpgv: Signature made Wed 31 Jul 2019 10:01:53 AM CEST
> gpgv: using RSA key 3BCC43D4D2C87D1784B69EE4421EE936326AC15B
> gpgv: Can't check signature: No public key
> uscan die: OpenPGP signature did not verify. at
> /usr/share/perl5/Devscripts/Uscan/Output.pm line 58.
>
> Indeed there something that has changed with gpg:
>
> $ wget http://www.chronox.de/libkcapi/libkcapi-1.1.5.tar.xz.asc
> $ wget http://www.chronox.de/libkcapi/libkcapi-1.1.5.tar.xz
> $ gpg --verify libkcapi-1.1.5.tar.xz.asc
> gpg: assuming signed data in 'libkcapi-1.1.5.tar.xz'
> gpg: Signature made Wed 31 Jul 2019 10:01:53 AM CEST
> gpg: using RSA key 3BCC43D4D2C87D1784B69EE4421EE936326AC15B
> gpg: Can't check signature: No public key

Very very odd. Seems to be a server side issue.

$ gpg -vv --receive-keys 3BCC43D4D2C87D1784B69EE4421EE936326AC15B
gpg: data source: https://keys.openpgp.org:443
gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
# off=0 ctb=c6 tag=6 hlen=3 plen=269 new-ctb
:public key packet:
        version 4, algo 1, created 1521023736, expires 0
        pkey[0]: [2048 bits]
        pkey[1]: [17 bits]
        keyid: 421EE936326AC15B
# off=272 ctb=ce tag=14 hlen=3 plen=269 new-ctb
:public sub key packet:
        version 4, algo 1, created 1521023736, expires 0
        pkey[0]: [2048 bits]
        pkey[1]: [17 bits]
        keyid: 1DFA16573D623177
# off=544 ctb=c2 tag=2 hlen=3 plen=310 new-ctb
:signature packet: algo 1, keyid 421EE936326AC15B
        version 4, created 1521023736, md5len 0, sigclass 0x18
        digest algo 8, begin of digest 13 c2
        hashed subpkt 33 len 21 (issuer fpr v4 3BCC43D4D2C87D1784B69EE4421EE936326AC15B)
        hashed subpkt 2 len 4 (sig created 2018-03-14)
        hashed subpkt 27 len 1 (key flags: 20)
        subpkt 16 len 8 (issuer key ID 421EE936326AC15B)
        data: [2048 bits]
# off=857 ctb=ce tag=14 hlen=3 plen=269 new-ctb
:public sub key packet:
        version 4, algo 1, created 1521023736, expires 0
        pkey[0]: [2048 bits]
        pkey[1]: [17 bits]
        keyid: D1786B6EA5543FED
# off=1129 ctb=c2 tag=2 hlen=3 plen=310 new-ctb
:signature packet: algo 1, keyid 421EE936326AC15B
        version 4, created 1521023736, md5len 0, sigclass 0x18
        digest algo 8, begin of digest 96 38
        hashed subpkt 33 len 21 (issuer fpr v4 3BCC43D4D2C87D1784B69EE4421EE936326AC15B)
        hashed subpkt 2 len 4 (sig created 2018-03-14)
        hashed subpkt 27 len 1 (key flags: 0C)
        subpkt 16 len 8 (issuer key ID 421EE936326AC15B)
        data: [2042 bits]
gpg: pub rsa2048/421EE936326AC15B 2018-03-14
gpg: key 421EE936326AC15B: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1

But !

$ gpg --keyserver hkps.pool.sks-keyservers.net --receive-keys 3BCC43D4D2C87D1784B69EE4421EE936326AC15B
gpg: key 421EE936326AC15B: public key "Stephan Mueller <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1

Everything is back in shape:

$ gpg libkcapi-1.1.5.tar.xz.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: assuming signed data in 'libkcapi-1.1.5.tar.xz'
gpg: Signature made Wed 31 Jul 2019 10:01:53 AM CEST
gpg: using RSA key 3BCC43D4D2C87D1784B69EE4421EE936326AC15B
gpg: Good signature from "Stephan Mueller <[email protected]>" [unknown]
gpg: aka "Stephan Mueller <[email protected]>" [unknown]
gpg: aka "Stephan Mueller <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3BCC 43D4 D2C8 7D17 84B6 9EE4 421E E936 326A C15B

Donno what is wrong with https://keys.openpgp.org:443

> $ gpg --show-key libkcapi-1.1.5.tar.xz.asc
> gpg: no valid OpenPGP data found.
>
> Where:
>
> $ file libkcapi-1.1.5.tar.xz.asc
> libkcapi-1.1.5.tar.xz.asc: PGP signature Signature (old)
>
> I have not been able to find much help from the uscan documentation:
>
> https://wiki.debian.org/debian/watch#pgpsigurlmangle
>
> What did I miss ?
>
> Thanks for pointers,
>
> -M
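
An added example, not part of the original message: the packet listing returned from keys.openpgp.org holds public key, subkey and signature packets but no user ID packet (OpenPGP tag 13), which matches gpg's "contains no user ID - skipped" line. This Python sketch parses the `# off=` header lines of such a listing, checks them for consistency, and reports whether a user ID is present; the function names and the second sample are constructed for illustration.

```python
import re

# OpenPGP packet tags that can appear in a public key certificate (RFC 4880).
TAGS = {2: "signature", 6: "public key", 13: "user ID",
        14: "public subkey", 17: "user attribute"}
HEADER = re.compile(
    r"# off=(\d+) ctb=([0-9a-f]{2}) tag=(\d+) hlen=(\d+) plen=(\d+)( new-ctb)?")

def parse_headers(listing):
    """Return one dict per '# off=...' header line, checking each for consistency."""
    packets, expected_off = [], None
    for m in HEADER.finditer(listing):
        off, ctb, tag, hlen, plen = (int(m[1]), int(m[2], 16), int(m[3]),
                                     int(m[4]), int(m[5]))
        # New-format headers encode the tag in the low six bits of the first octet.
        if m[6] and ctb != 0xC0 | tag:
            raise ValueError(f"ctb {ctb:#x} does not match tag {tag}")
        # Each packet must start where the previous one ended.
        if expected_off is not None and off != expected_off:
            raise ValueError(f"gap or overlap before offset {off}")
        expected_off = off + hlen + plen
        packets.append({"off": off, "tag": tag, "name": TAGS.get(tag, "other")})
    return packets

def has_user_id(listing):
    """True if the certificate carries at least one user ID packet (tag 13)."""
    return any(p["tag"] == 13 for p in parse_headers(listing))

# Header lines copied from the keys.openpgp.org listing in the message above.
FROM_POST = """\
# off=0 ctb=c6 tag=6 hlen=3 plen=269 new-ctb
# off=272 ctb=ce tag=14 hlen=3 plen=269 new-ctb
# off=544 ctb=c2 tag=2 hlen=3 plen=310 new-ctb
# off=857 ctb=ce tag=14 hlen=3 plen=269 new-ctb
# off=1129 ctb=c2 tag=2 hlen=3 plen=310 new-ctb
"""
# Constructed contrast case: the same primary key followed by a user ID packet.
CONSTRUCTED = """\
# off=0 ctb=c6 tag=6 hlen=3 plen=269 new-ctb
# off=272 ctb=cd tag=13 hlen=2 plen=40 new-ctb
"""

if __name__ == "__main__":
    for label, text in (("from post", FROM_POST), ("constructed", CONSTRUCTED)):
        names = [p["name"] for p in parse_headers(text)]
        print(label, names, "user ID present:", has_user_id(text))
```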

