
Re: uscan die: OpenPGP signature did not verify. at /usr/share/perl5/Devscripts/Uscan/Output.pm line 58.



[cc me]

On Tue, Oct 1, 2019 at 9:00 AM Mathieu Malaterre <malat@debian.org> wrote:
>
> Hi there,
>
> Here is what I see when I try to update libkcapi upstream package
> (Debian/buster):
>
> $ uscan --verbose --force-download --rename
> [...]
> uscan info: Downloading OpenPGP signature from
>    http://www.chronox.de/libkcapi/libkcapi-1.1.5.tar.xz.asc (pgpsigurlmangled)
>    as libkcapi-1.1.5.tar.xz.asc
> uscan info: Requesting URL:
>    http://www.chronox.de/libkcapi/libkcapi-1.1.5.tar.xz.asc
> uscan info: Verifying OpenPGP signature ../libkcapi-1.1.5.tar.xz.asc
> for ../libkcapi-1.1.5.tar.xz
> uscan info: Execute: gpgv --homedir /dev/null --keyring
> /tmp/VZrTWy04zw/trustedkeys.gpg ../libkcapi-1.1.5.tar.xz.asc
> ../libkcapi-1.1.5.tar.xz...
> gpgv: Signature made Wed 31 Jul 2019 10:01:53 AM CEST
> gpgv:                using RSA key 3BCC43D4D2C87D1784B69EE4421EE936326AC15B
> gpgv: Can't check signature: No public key
> uscan die: OpenPGP signature did not verify. at
> /usr/share/perl5/Devscripts/Uscan/Output.pm line 58.
>
> Indeed there is something that has changed with gpg:
>
> $ wget http://www.chronox.de/libkcapi/libkcapi-1.1.5.tar.xz.asc
> $ wget http://www.chronox.de/libkcapi/libkcapi-1.1.5.tar.xz
> $ gpg --verify libkcapi-1.1.5.tar.xz.asc
> gpg: assuming signed data in 'libkcapi-1.1.5.tar.xz'
> gpg: Signature made Wed 31 Jul 2019 10:01:53 AM CEST
> gpg:                using RSA key 3BCC43D4D2C87D1784B69EE4421EE936326AC15B
> gpg: Can't check signature: No public key

Very very odd. Seems to be a server side issue.

$ gpg -vv --receive-keys  3BCC43D4D2C87D1784B69EE4421EE936326AC15B
gpg: data source: https://keys.openpgp.org:443
gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
# off=0 ctb=c6 tag=6 hlen=3 plen=269 new-ctb
:public key packet:
version 4, algo 1, created 1521023736, expires 0
pkey[0]: [2048 bits]
pkey[1]: [17 bits]
keyid: 421EE936326AC15B
# off=272 ctb=ce tag=14 hlen=3 plen=269 new-ctb
:public sub key packet:
version 4, algo 1, created 1521023736, expires 0
pkey[0]: [2048 bits]
pkey[1]: [17 bits]
keyid: 1DFA16573D623177
# off=544 ctb=c2 tag=2 hlen=3 plen=310 new-ctb
:signature packet: algo 1, keyid 421EE936326AC15B
version 4, created 1521023736, md5len 0, sigclass 0x18
digest algo 8, begin of digest 13 c2
hashed subpkt 33 len 21 (issuer fpr v4 3BCC43D4D2C87D1784B69EE4421EE936326AC15B)
hashed subpkt 2 len 4 (sig created 2018-03-14)
hashed subpkt 27 len 1 (key flags: 20)
subpkt 16 len 8 (issuer key ID 421EE936326AC15B)
data: [2048 bits]
# off=857 ctb=ce tag=14 hlen=3 plen=269 new-ctb
:public sub key packet:
version 4, algo 1, created 1521023736, expires 0
pkey[0]: [2048 bits]
pkey[1]: [17 bits]
keyid: D1786B6EA5543FED
# off=1129 ctb=c2 tag=2 hlen=3 plen=310 new-ctb
:signature packet: algo 1, keyid 421EE936326AC15B
version 4, created 1521023736, md5len 0, sigclass 0x18
digest algo 8, begin of digest 96 38
hashed subpkt 33 len 21 (issuer fpr v4 3BCC43D4D2C87D1784B69EE4421EE936326AC15B)
hashed subpkt 2 len 4 (sig created 2018-03-14)
hashed subpkt 27 len 1 (key flags: 0C)
subpkt 16 len 8 (issuer key ID 421EE936326AC15B)
data: [2042 bits]
gpg: pub  rsa2048/421EE936326AC15B 2018-03-14
gpg: key 421EE936326AC15B: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1


But!

$ gpg --keyserver hkps.pool.sks-keyservers.net  --receive-keys
3BCC43D4D2C87D1784B69EE4421EE936326AC15B
gpg: key 421EE936326AC15B: public key "Stephan Mueller <sm@eperm.de>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Everything is back in shape:

$ gpg libkcapi-1.1.5.tar.xz.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: assuming signed data in 'libkcapi-1.1.5.tar.xz'
gpg: Signature made Wed 31 Jul 2019 10:01:53 AM CEST
gpg:                using RSA key 3BCC43D4D2C87D1784B69EE4421EE936326AC15B
gpg: Good signature from "Stephan Mueller <sm@eperm.de>" [unknown]
gpg:                 aka "Stephan Mueller <sm@chronox.de>" [unknown]
gpg:                 aka "Stephan Mueller <smueller@chronox.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3BCC 43D4 D2C8 7D17 84B6  9EE4 421E E936 326A C15B


Dunno what is wrong with https://keys.openpgp.org:443

> $ gpg --show-key libkcapi-1.1.5.tar.xz.asc
> gpg: no valid OpenPGP data found.
>
> Where:
>
> $ file libkcapi-1.1.5.tar.xz.asc
> libkcapi-1.1.5.tar.xz.asc: PGP signature Signature (old)
>
> I have not been able to find much help from the uscan documentation:
>
> https://wiki.debian.org/debian/watch#pgpsigurlmangle
>
> What did I miss ?
>
> Thanks for pointers,
>
> -M
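
The `gpg -vv` listing in the message above shows public key (tag 6), subkey (tag 14) and signature (tag 2) packets but no User ID packet (tag 13), which is the condition gpg reports as "contains no user ID - skipped". The following is an added example, not part of the original message: a minimal RFC 4880 packet-header walker that makes the same check on binary (dearmored) key data. The function names and the sample byte streams are constructed for illustration.

```python
# Added example: walk OpenPGP packet headers (RFC 4880 section 4.2) and flag a
# key that carries no User ID packet, the condition gpg reported above.

def read_packets(data):
    """Yield (offset, tag, header_len, body_len) for each packet in data."""
    off = 0
    while off < len(data):
        ctb = data[off]
        if not ctb & 0x80:
            raise ValueError(f"offset {off}: bit 7 of packet header not set")
        if ctb & 0x40:                      # new format: tag in low 6 bits
            tag, first = ctb & 0x3F, data[off + 1]
            if first < 192:
                hlen, plen = 2, first
            elif first < 224:
                hlen, plen = 3, ((first - 192) << 8) + data[off + 2] + 192
            elif first == 255:
                hlen, plen = 6, int.from_bytes(data[off + 2:off + 6], "big")
            else:
                raise ValueError(f"offset {off}: partial body length not handled")
        else:                               # old format: tag in bits 5..2
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError(f"offset {off}: indeterminate length not handled")
            n = 1 << ltype                  # 1, 2 or 4 length octets
            hlen, plen = 1 + n, int.from_bytes(data[off + 1:off + 1 + n], "big")
        if off + hlen + plen > len(data):
            raise ValueError(f"offset {off}: packet runs past end of data")
        yield off, tag, hlen, plen
        off += hlen + plen

def has_user_id(data):
    return any(tag == 13 for _, tag, _, _ in read_packets(data))

def new_packet(tag, body):
    """Build a new-format packet (constructed test input, bodies are filler)."""
    n = len(body)
    length = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + length + body

# Constructed streams mirroring the sizes in the listing; not real key material.
STRIPPED = (new_packet(6, bytes(269)) + new_packet(14, bytes(269)) +
            new_packet(2, bytes(310)))
WITH_UID = new_packet(6, bytes(269)) + new_packet(13, b"Example <user@example.org>")

if __name__ == "__main__":
    for off, tag, hlen, plen in read_packets(STRIPPED):
        print(f"off={off} tag={tag} hlen={hlen} plen={plen}")
    print("user ID present:", has_user_id(STRIPPED))
```

On real data, feed it the binary form of the key, for example the output of `gpg --dearmor` on the downloaded key block.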

