
Both dpkg-source -x foo.dsc and lintian seem to ignore the trustedkeys.gpg keyring



Hi, before filing bugs and doing it wrong, I need to ask:


A few hours ago, after upgrading my system, I got a new warning from lintian on my packages (I'm not on the debian-maintainers.gpg keyring):


$ lintian -i -I subtitlecomposer_0.5.2-1.dsc
I: subtitlecomposer source: tar-errors-from-source gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
N:
N: tar produced an error while unpacking this source package. This probably
N: means there's something broken or at least strange about the way the
N: upstream tar file was constructed. You may want to report this as an
N: upstream bug.
N:
N: Severity: normal, Certainty: wild-guess
N:
I: subtitlecomposer source: tar-errors-from-source gpgv: Can't check signature: public key not found


Of course I have my public key in gpg. So, here's the first thing I did to figure out what's happening:


$ gpgv subtitlecomposer_0.5.2-1.dsc
gpgv: keyblock resource `/home/santa/.gnupg/trustedkeys.gpg': general error
gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
gpgv: Can't check signature: public key not found


Then I created the trustedkeys.gpg with my public key:


$ gpg --no-default-keyring --keyring trustedkeys.gpg --recv-keys 5f99c10f
gpg: keyring `/home/santa/.gnupg/trustedkeys.gpg' created
gpg: requesting key 5F99C10F from hkp server wwwkeys.eu.pgp.net
gpg: key 5F99C10F: public key "José Manuel Santamaría Lema <panfaust@gmail.com>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg: imported: 1


Then gpgv works:


$ gpgv subtitlecomposer_0.5.2-1.dsc
gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
gpgv: Good signature from "José Manuel Santamaría Lema <panfaust@gmail.com>"


Then, lintian again:


$ lintian -i -I subtitlecomposer_0.5.2-1.dsc
I: subtitlecomposer source: tar-errors-from-source gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
N:
N: tar produced an error while unpacking this source package. This probably
N: means there's something broken or at least strange about the way the
N: upstream tar file was constructed. You may want to report this as an
N: upstream bug.
N:
N: Severity: normal, Certainty: wild-guess
N:
I: subtitlecomposer source: tar-errors-from-source gpgv: Can't check signature: public key not found


So, to figure out what was happening, I checked what dpkg-source -x does:


$ dpkg-source -x subtitlecomposer_0.5.2-1.dsc
gpgv: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./subtitlecomposer_0.5.2-1.dsc
dpkg-source: info: extracting subtitlecomposer in subtitlecomposer-0.5.2
dpkg-source: info: unpacking subtitlecomposer_0.5.2.orig.tar.gz
dpkg-source: info: applying subtitlecomposer_0.5.2-1.diff.gz


Then, I checked dscverify:


$ dscverify subtitlecomposer_0.5.2-1.dsc
subtitlecomposer_0.5.2-1.dsc:
dscverify: subtitlecomposer_0.5.2-1.dsc failed signature check:
gpg: Signature made Tue May 19 00:51:58 2009 CEST using DSA key ID 5F99C10F
gpg: Can't check signature: public key not found
Validation FAILED!!


After reading the dscverify and devscripts.conf manpages I added this line to /etc/devscripts.conf:


DSCVERIFY_KEYRINGS="trustedkeys.gpg"


Executing dscverify again, it works:


$ dscverify subtitlecomposer_0.5.2-1.dsc
subtitlecomposer_0.5.2-1.dsc:
Good signature found
validating subtitlecomposer_0.5.2.orig.tar.gz
validating subtitlecomposer_0.5.2-1.diff.gz
All files validated successfully.


But both lintian and dpkg-source don't (same output as above). Quoting the dpkg-source man page:


> --require-valid-signature
>     Refuse to unpack the source package if it doesn’t contain an OpenPGP
>     signature that can be verified either with the user’s trusted‐keys.gpg
>     keyring, one of the vendor-specific keyrings, or one of the official
>     Debian keyrings (/usr/share/keyrings/debian-keyring.gpg and
>     /usr/share/keyrings/debian-maintainers.gpg).


The name of the keyring is trustedkeys.gpg instead of trusted-keys.gpg; I guess it's a typo. However, even after creating a trusted-keys.gpg keyring, both dpkg-source -x and lintian do not work properly.


Of course, adding --require-valid-signature results in dpkg-source refusing to unpack the source package. But I'm on trustedkeys.gpg.


Finally, I've checked the current bug reports for lintian and dpkg, the debian-devel mailing list and this one. I've searched for the words pgp, gpg, sign ... but I found nothing.


Is it a bug?
Am I missing something?
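What the tools in the post actually check is two separate things: gpgv decides whether the .dsc signature can be verified against a keyring, and dscverify's "validating ..." step then compares each listed file against the sizes and digests recorded in the .dsc. The script below is an added example, not code from the post, from lintian, dpkg or devscripts: it re-implements that checksum step over a constructed, unsigned .dsc and its two files, and reduces gpgv/gpg stderr (the exact phrases seen in the post, plus gpgv's "BAD signature" line) to a single outcome, so that "public key not found" is never mistaken for a verified package. File names are borrowed from the post; the file contents, the `.dsc` body and the outcome labels are constructed for the example.

```python
import hashlib
import os
import re
import tempfile


def parse_dsc(text):
    """Parse the Files: and Checksums-Sha256: fields of a .dsc body.

    Returns (files, sha256): files is a list of (md5, size, name), sha256 maps
    name -> digest. Field continuation lines start with a space; any other
    non-indented line (including clearsign armour) ends the current field.
    """
    files, sha256 = [], {}
    section = None
    for line in text.splitlines():
        if line.startswith("Files:"):
            section = "files"
        elif line.startswith("Checksums-Sha256:"):
            section = "sha256"
        elif line.startswith(" ") and section:
            parts = line.split()
            if len(parts) != 3:
                continue
            digest, size, name = parts
            if section == "files":
                files.append((digest, int(size), name))
            else:
                sha256[name] = digest
        else:
            section = None
    return files, sha256


def validate_dsc_files(dsc_path):
    """Check every file the .dsc lists against its recorded size, MD5 and
    (when present) SHA-256, as dscverify's 'validating ...' step does.
    Returns {name: True/False}; a missing file counts as a failure."""
    with open(dsc_path, encoding="utf-8") as fh:
        files, sha256 = parse_dsc(fh.read())
    base = os.path.dirname(dsc_path)
    results = {}
    for md5, size, name in files:
        path = os.path.join(base, name)
        if not os.path.exists(path):
            results[name] = False
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        ok = len(data) == size and hashlib.md5(data).hexdigest() == md5
        if name in sha256:
            ok = ok and hashlib.sha256(data).hexdigest() == sha256[name]
        results[name] = ok
    return results


# Outcomes in order of severity; "gpgv?:" matches both gpgv and gpg prefixes.
_GPGV_PATTERNS = [
    ("bad-signature", re.compile(r"^gpgv?: BAD signature")),
    ("keyring-unusable", re.compile(r"^gpgv?: keyblock resource .*: general error")),
    ("key-not-found", re.compile(r"^gpgv?: Can't check signature: public key not found")),
    ("good-signature", re.compile(r"^gpgv?: Good signature from")),
]


def classify_gpgv(stderr):
    """Reduce gpgv/gpg stderr to one outcome. Only 'good-signature' means the
    .dsc was verified; 'key-not-found' (the post's case) means nothing was
    checked, because the keyring gpgv consulted did not contain the key."""
    lines = stderr.splitlines()
    for outcome, pattern in _GPGV_PATTERNS:
        if any(pattern.search(line) for line in lines):
            return outcome
    return "no-signature-status"


def build_sample(tmpdir, tamper=False):
    """Write a constructed (unsigned) .dsc plus the two files it lists into
    tmpdir and return the .dsc path. With tamper=True the orig tarball is
    altered after its checksums were recorded, like a corrupted download."""
    members = {  # constructed contents, not real package data
        "subtitlecomposer_0.5.2.orig.tar.gz": b"constructed tarball bytes\n",
        "subtitlecomposer_0.5.2-1.diff.gz": b"constructed diff bytes\n",
    }
    files_field, sha_field = [], []
    for name, data in members.items():
        with open(os.path.join(tmpdir, name), "wb") as fh:
            fh.write(data)
        files_field.append(f" {hashlib.md5(data).hexdigest()} {len(data)} {name}")
        sha_field.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    dsc = "\n".join(["Format: 1.0", "Source: subtitlecomposer", "Version: 0.5.2-1",
                     "Checksums-Sha256:", *sha_field, "Files:", *files_field, ""])
    dsc_path = os.path.join(tmpdir, "subtitlecomposer_0.5.2-1.dsc")
    with open(dsc_path, "w", encoding="utf-8") as fh:
        fh.write(dsc)
    if tamper:
        with open(os.path.join(tmpdir, "subtitlecomposer_0.5.2.orig.tar.gz"), "ab") as fh:
            fh.write(b"extra\n")
    return dsc_path


def run_demo(tamper=False):
    """Build the sample in a temporary directory and validate it."""
    with tempfile.TemporaryDirectory() as tmp:
        return validate_dsc_files(build_sample(tmp, tamper))


if __name__ == "__main__":
    print("intact:  ", run_demo())
    print("tampered:", run_demo(tamper=True))
    print(classify_gpgv("gpgv: Can't check signature: public key not found"))
```

The point the two halves make together: dscverify only proceeds to the "validating ..." checksum step after the signature outcome is good, so a wrapper that greps for the digest lines without first classifying the gpgv result would accept exactly the state the post describes (key not in the keyring that was consulted).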

