
Bug#1067725: lintian: lintian should consider warning when one of many signing keys is missing



Xiyue Deng <manphiz@gmail.com> writes:

> Package: lintian
> Version: 2.116.3
> Severity: wishlist
> X-Debbugs-Cc: none, Xiyue Deng <manphiz@gmail.com>
>
> We encountered a case where persist[1] from elpa has more than one
> signing key and one of the public keys is missing.  As the output of `gbp
> import-orig --uscan' shows[2], the EDDSA public key could not be found.
> Instead, the RSA key was available in the repo[3] and passed the signature
> check.  So instead I used the `uscan --skip-signature' to get the
> upstream tarball and prepared the packaging.  Paul Wise asked me to
> check whether lintian would still warn about the missing key in the
> built package, and it didn't.
>
> This might be considered a rather rare case with multiple signing keys,
> and Paul suggested to file a bug against lintian nonetheless to keep a
> record on this case.
>
> [1] https://elpa.gnu.org/packages/persist.html
>
> [2] Command output:
> ,----
> | $ gbp import-orig --uscan
> | gbp:info: Launching uscan...
> | Newest version of persist-el on remote site is 0.6, local version is 0.5
> |        (mangled local version is 0.5)
> |  => Newer package available from:
> |         => https://elpa.gnu.org/packages/persist-0.6.tar
> | gpgv: Signature made Sat 13 Jan 2024 02:05:03 AM PST
> | gpgv:                using RSA key C433554766D3DDC64221BFAA066DAFCB81E42C40
> | gpgv: Good signature from "GNU ELPA Signing Agent (2019) <elpasign@elpa.gnu.org>"
> | gpgv: Signature made Sat 13 Jan 2024 02:05:03 AM PST
> | gpgv:                using EDDSA key 0327BE68D64D9A1A66859F15645357D2883A0966
> | gpgv: Can't check signature: No public key
> | uscan die: OpenPGP signature did not verify. at /usr/share/perl5/Devscripts/Uscan/Output.pm line 77.
> | gbp:error: Uscan failed: OpenPGP signature did not verify.
> `----
>
> [3] https://salsa.debian.org/emacsen-team/persist-el/-/blob/master/debian/upstream/signing-key.asc?ref_type=heads
>
> [..snip..]

CCing Paul, which I forgot to do in the first email.  Paul also suggested
a new lintian tag for this use case:
"upstream-signature-uses-key-missing-from-upstream-signing-keys".

-- 
Xiyue Deng
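The situation in the report, as an added worked example (hypothetical helper code written for this page; it is not lintian's or uscan's implementation): gpgv is assumed to have been run with --status-fd so its machine-readable "[GNUPG:]" lines (NEWSIG, GOODSIG, VALIDSIG, ERRSIG, NO_PUBKEY, BADSIG, as documented in GnuPG's doc/DETAILS) can be parsed, since the human-readable stderr quoted above is not meant to be parsed. The sample status text is constructed to mirror the persist-0.6 case: one good RSA signature and one EDDSA signature whose public key is absent from debian/upstream/signing-key.asc. It shows both policies side by side: the strict uscan behaviour (any uncheckable signature fails the whole verification) and the proposed lintian tag, which fires when the package verifies but a signing key is missing from the upstream keyring.

```python
"""Classify gpgv results when an upstream tarball carries several signatures.

Hypothetical helper written for this bug report, not lintian's or uscan's code.
It assumes gpgv --status-fd output; the "[GNUPG:]" keyword layout follows
GnuPG's doc/DETAILS.
"""
import re
from dataclasses import dataclass, field

# Tag name proposed in the bug report (hypothetical; lintian may not implement it).
MISSING_KEY_TAG = "upstream-signature-uses-key-missing-from-upstream-signing-keys"

STATUS_RE = re.compile(r"^\[GNUPG:\] (?P<kw>\S+)(?: (?P<args>.*))?$")


@dataclass
class SigReport:
    good: list = field(default_factory=list)     # fingerprints of verified signatures
    missing: list = field(default_factory=list)  # long key IDs with no public key in the keyring
    bad: list = field(default_factory=list)      # long key IDs of signatures that failed

    def verified(self) -> bool:
        """At least one signature verified and none was outright bad."""
        return bool(self.good) and not self.bad


def parse_gpgv_status(status_text: str) -> SigReport:
    """Collect per-signature outcomes from gpgv --status-fd output."""
    rep = SigReport()
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        kw, args = m.group("kw"), (m.group("args") or "").split()
        if kw == "VALIDSIG" and args:
            rep.good.append(args[0])      # first field is the signing key fingerprint
        elif kw == "NO_PUBKEY" and args:
            rep.missing.append(args[0])   # long key ID of the key gpgv could not find
        elif kw == "BADSIG" and args:
            rep.bad.append(args[0])
        # NEWSIG/GOODSIG/ERRSIG are informational here; VALIDSIG/NO_PUBKEY/BADSIG carry the verdict
    return rep


def uscan_verdict(rep: SigReport, require_all_keys: bool = True) -> str:
    """Strict policy (what the quoted uscan run applied): any signature that cannot
    be checked fails the whole verification.  With require_all_keys=False one good
    signature is enough, which is what --skip-signature effectively conceded."""
    if rep.bad:
        return "bad signature"
    if require_all_keys and rep.missing:
        return "OpenPGP signature did not verify"
    return "verified" if rep.good else "no signature verified"


def lintian_tag(rep: SigReport):
    """Emit the proposed tag when the package verifies but a signing key is missing."""
    if rep.verified() and rep.missing:
        return MISSING_KEY_TAG
    return None


# Constructed sample (not captured output): what gpgv --status-fd 1 plausibly reports
# for persist-0.6.tar.sig against a keyring that holds only the RSA key.
# Long key IDs are the last 16 hex digits of the fingerprints quoted in the report.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 066DAFCB81E42C40 GNU ELPA Signing Agent (2019) <elpasign@elpa.gnu.org>
[GNUPG:] VALIDSIG C433554766D3DDC64221BFAA066DAFCB81E42C40 2024-01-13 1705140303 0 4 0 1 8 00 C433554766D3DDC64221BFAA066DAFCB81E42C40
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 645357D2883A0966 22 8 00 1705140303 9 0327BE68D64D9A1A66859F15645357D2883A0966
[GNUPG:] NO_PUBKEY 645357D2883A0966
"""

if __name__ == "__main__":
    report = parse_gpgv_status(SAMPLE_STATUS)
    print("good   :", report.good)
    print("missing:", report.missing)
    print("uscan  :", uscan_verdict(report))
    print("lintian:", lintian_tag(report))
```

Run against the constructed sample, the strict verdict reproduces uscan's "OpenPGP signature did not verify" while the lenient one accepts the RSA signature; the tag function reports the missing EDDSA key either way, which is the gap the report describes (a package built with --skip-signature passing lintian silently).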

