Bug#955393: popularity-contest: gpg: 5B1A07804DD558242CF5538215A07BA5233E3E85: skipped: unusable public key

[Bill Allombert <ballombe@debian.org>]

On Wed, Apr 01, 2020 at 06:37:33AM +0000, Thorsten Glaser wrote:
> severity 955393 wishlist
> thanks
> 
> Bill Allombert dixit:
> 
> >Hello Thorsten,
> >Could you investigate ? The key is in this file:
> >/usr/share/popularity-contest/debian-popcon.gpg
> 
> Sure:
> 
> tglase@tglase-nb:~ $ gpg --import /usr/share/popularity-contest/debian-popcon.gpg
> gpg: key 233E3E85: no valid user IDs
> gpg: this may be caused by a missing self-signature
> gpg: Total number processed: 1
> gpg:           w/o user IDs: 1
> 2|tglase@tglase-nb:~ $ gpg2 --import /usr/share/popularity-contest/debian-popcon.gpg
> gpg: keyserver option 'verbose' is unknown
> gpg: keyserver option 'verbose' is unknown
> gpg: key 15A07BA5233E3E85: public key "Debian popularity contest server (2020 submission key) <survey@popcon.debian.org>" imported
> 
> Turns out that the key is only compatible with gpg2.

Thanks! Maybe because they are ECDSA keys, not RSA.

> Can you please change all calls to gpg in popcon to gpg2?
> I know that gpg2 ships /usr/bin/gpg these days, but I had
> to revert that to gpg1 locally for some reasons, and my
> requests for them to handle that with update-alternatives
> went nowhere, so I just set the symlink manually… but it
> would be welcomed to not assume gpg is gpg2.

Well, /etc/cron.daily/popularity-contest is a conffile, so
you can edit it.

I would suggest you add a symlink
/usr/local/bin/gpg -> /usr/bin/gpg1
instead of changing /usr/bin/gpg.

The problem with your suggestion is that further gpg upgrade might
get rid of gpg2 at some point and this will lead users with incorrect
conffile.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here.