• Bug#1100867: gpgv: Can't check signature: No public key

    From Ludovic Rousseau@21:1/5 to All on Wed Mar 19 19:30:01 2025
    XPost: linux.debian.maint.dpkg

    Package: dupload
    Version: 2.13.2
    Severity: important

    dupload now fails for me with the error:

    $ LANG=C dupload *_source.changes --no
    dupload note: no announcement will be sent.
    Checking OpenPGP signatures on ccid_1.6.2-1_source.changes...
    Using keyring: /usr/share/keyrings/debian-keyring.gpg
    Using keyring: /usr/share/keyrings/debian-nonupload.gpg
    Using keyring: /usr/share/keyrings/debian-maintainers.gpg
    gpgv: Signature made Wed Mar 19 17:58:20 2025 CET
    gpgv: using RSA key F5E11B9FFE911146F41D953D78A1B4DFE8F9C57E
    gpgv: issuer "rousseau@debian.org"
    gpgv: Note: signatures using the SHA1 algorithm are rejected
    gpgv: Can't check signature: No public key
    openpgp-check: error: cannot verify OpenPGP signature for ccid_1.6.2-1_source.changes: no acceptable signature found

    dupload: error: Pre-upload '/usr/share/dupload/openpgp-check %1' failed for ccid_1.6.2-1_source.changes


    I use the default configuration file /etc/dupload.conf and I have no ~/.dupload.conf file.


    My key F5E11B9FFE911146F41D953D78A1B4DFE8F9C57E is present in the debian keyring file:
    $ LANG=C gpg --show-keys /usr/share/keyrings/debian-keyring.gpg | grep -B1 rousseau
    gpg: 100 keys processed so far
    gpg: 200 keys processed so far
    gpg: 300 keys processed so far
    gpg: 400 keys processed so far
    F5E11B9FFE911146F41D953D78A1B4DFE8F9C57E
    uid Ludovic Rousseau <ludovic.rousseau@free.fr>
    uid Ludovic Rousseau <rousseau@debian.org>
    gpg: 500 keys processed so far
    gpg: 600 keys processed so far
    gpg: 700 keys processed so far
    gpg: 800 keys processed so far
    gpg: 900 keys processed so far


    I signed the package using:
    $ debsign *_source.changes

    This bug looks similar to #1099178 but in my case I see that the Debian
    keyring is (should be) used.

    I don't know what I am doing wrong.


    As expected, downgrading to dupload 2.9.12 solves the problem.

    Thanks

    -- System Information:
    Debian Release: trixie/sid
    APT prefers testing
    APT policy: (500, 'testing')
    Architecture: amd64 (x86_64)

    Kernel: Linux 6.12.12-amd64 (SMP w/4 CPU threads; PREEMPT)
    Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages dupload depends on:
    ii libdpkg-perl 1.22.18
    ii perl 5.40.1-2

    Versions of packages dupload recommends:
    ii debian-keyring 2024.09.22
    ii libio-socket-ssl-perl 2.089-1
    ii liburi-perl 5.30-1
    ii libyaml-libyaml-perl 0.903.0+ds-1
    ii openssh-client 1:9.9p2-1

    Versions of packages dupload suggests:
    ii exim4-daemon-light [mail-transport-agent] 4.98.1-1
    pn libsecret-tools <none>
    ii lintian 2.121.1+nmu1

    -- no debconf information

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Guillem Jover@21:1/5 to Ludovic Rousseau on Thu Mar 20 01:00:01 2025
    XPost: linux.debian.maint.dpkg

    Hi!

    On Wed, 2025-03-19 at 18:43:01 +0100, Ludovic Rousseau wrote:
    > Package: dupload
    > Version: 2.13.2
    > Severity: important
    >
    > dupload now fails for me with the error:
    >
    > $ LANG=C dupload *_source.changes --no
    > dupload note: no announcement will be sent.
    > Checking OpenPGP signatures on ccid_1.6.2-1_source.changes...
    > Using keyring: /usr/share/keyrings/debian-keyring.gpg
    > Using keyring: /usr/share/keyrings/debian-nonupload.gpg
    > Using keyring: /usr/share/keyrings/debian-maintainers.gpg
    > gpgv: Signature made Wed Mar 19 17:58:20 2025 CET
    > gpgv: using RSA key F5E11B9FFE911146F41D953D78A1B4DFE8F9C57E
    > gpgv: issuer "rousseau@debian.org"
    > gpgv: Note: signatures using the SHA1 algorithm are rejected
    > gpgv: Can't check signature: No public key
    > openpgp-check: error: cannot verify OpenPGP signature for ccid_1.6.2-1_source.changes: no acceptable signature found
    >
    > dupload: error: Pre-upload '/usr/share/dupload/openpgp-check %1' failed for ccid_1.6.2-1_source.changes
    >
    > My key F5E11B9FFE911146F41D953D78A1B4DFE8F9C57E is present in the debian keyring file:
    > $ LANG=C gpg --show-keys /usr/share/keyrings/debian-keyring.gpg | grep -B1 rousseau
    > gpg: 100 keys processed so far
    > gpg: 200 keys processed so far
    > gpg: 300 keys processed so far
    > gpg: 400 keys processed so far
    > F5E11B9FFE911146F41D953D78A1B4DFE8F9C57E
    > uid Ludovic Rousseau <ludovic.rousseau@free.fr>
    > uid Ludovic Rousseau <rousseau@debian.org>
    > gpg: 500 keys processed so far
    > gpg: 600 keys processed so far
    > gpg: 700 keys processed so far
    > gpg: 800 keys processed so far
    > gpg: 900 keys processed so far
    >
    > I signed the package using:
    > $ debsign *_source.changes
    >
    > This bug looks similar to #1099178 but in my case I see that the Debian keyring is (should be) used.
    >
    > I don't know what I am doing wrong.

    The problem is that the old openpgp-check hook implementation was
    ignoring some verification failures, and silencing stdout/stderr from
    the OpenPGP command being used. I assume that with an older dupload you
    should have seen the following message instead:

    " OpenPGP signature in $FILE cannot be checked, maybe due to missing keys"

    (or something similar).

    The problem is that your key does not appear valid to GnuPG or other
    OpenPGP implementations. Running the Sequoia certificate linter (from
    the «sq» package) gives this:

    ,---
    $ sq cert lint --cert F5E11B9FFE911146F41D953D78A1B4DFE8F9C57E
    Certificate 78A1B4DFE8F9C57E is not valid under the standard policy: No binding signature at time 2025-03-19T23:36:51Z
    Certificate 78A1B4DFE8F9C57E contains a User ID (Ludovic Rousseau <ludovic.rousseau@free.fr>) protected by SHA-1
    Certificate 78A1B4DFE8F9C57E contains a User ID (Ludovic Rousseau <rousseau@debian.org>) protected by SHA-1
    Certificate 78A1B4DFE8F9C57E, key 36A241532F1BEFF0 uses a SHA-1-protected binding signature.
    Examined 1 certificate.
    0 certificates are invalid and were not linted. (GOOD)
    1 certificate was linted.
    1 of the 1 certificates (100%) has at least one issue. (BAD)
    0 of the linted certificates were revoked.
    0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD)
    0 of the linted certificates were expired.
    1 of the non-revoked linted certificate has at least one non-revoked User ID:
    1 has at least one User ID protected by SHA-1. (BAD)
    1 has all User IDs protected by SHA-1. (BAD)
    1 of the non-revoked linted certificates has at least one non-revoked, live subkey:
    1 has at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD)
    0 of the non-revoked linted certificates have at least one non-revoked, live, signing-capable subkey:
    0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD)

    Error: 1 certificate have at least one issue
    `---

    You should be able to fix your key by following the instructions in <https://book.sequoia-pgp.org/lint.html>. The same could be done with
    GnuPG, but it's way way more tedious (see <https://lore.kernel.org/keys/fxotnlhsyl2frp54xtguy7ryrucuwselanazixeax3motyyoo3@7vf7ip6gxyvx/T/#u>
    in case you prefer that).

    I guess after that, you'll need to update your key in the Debian
    keyring, by sending it to keyring.debian.org. And temporarily you
    might need to export your certificate into a local .pgp keyring and
    tell dupload to use that as a keyring for the desired target host.

    Take into account that this problem is also affecting verification of
    any source package you have been signing. So for example, doing:

    $ apt source --download-only ccid
    $ dpkg-source --require-valid-signature -x ccid_*.dsc

    will fail, or similarly with:

    $ dscverify ccid_*.dsc

    Although this looks like a problem with the key and not with dupload,
    I'll leave this open, and then add a hint to its output to try to help
    others in a similar situation as yours.

    Thanks,
    Guillem

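    An added check, not part of dupload, GnuPG or sq, that detects the condition the lint report above describes: User ID and subkey binding signatures made with SHA-1, which gpgv refuses, so the key is treated as absent. It parses the colon-format output that `gpg --with-colons --list-sigs <fingerprint>` produces (GnuPG 2.2 or newer assumed); the records below are constructed to mirror the linted certificate, and the field positions are taken from GnuPG's doc/DETAILS.

```python
"""Flag SHA-1-protected self-signatures in `gpg --with-colons --list-sigs` output.
Hypothetical helper, not part of dupload, GnuPG or sq. Field positions follow
GnuPG's doc/DETAILS (1-based): 1 record type, 5 key ID, 10 user ID,
11 signature class, 16 hash algorithm (2 = SHA-1, 8 = SHA-256 per RFC 4880).
"""
SHA1 = "2"
# Self-signature classes: UID certifications 0x10-0x13, subkey binding 0x18.
SELF_SIG_CLASSES = ("10", "11", "12", "13", "18")

def find_sha1_self_sigs(colon_output):
    """Return [(("uid"|"sub", name), sig_class), ...] for SHA-1 self-signatures."""
    findings, primary, subject = [], None, None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary = f[4]            # key ID of the primary key
        elif f[0] == "uid":
            subject = ("uid", f[9])   # following sig records bind this UID
        elif f[0] == "sub":
            subject = ("sub", f[4])   # following sig records bind this subkey
        elif f[0] == "sig" and subject is not None:
            issuer, sig_class = f[4], f[10]
            hash_algo = f[15] if len(f) > 15 else ""
            # A SHA-1 self-signature leaves the UID or subkey unbound under
            # gpgv's policy, which surfaces as "No public key".
            if issuer == primary and sig_class[:2] in SELF_SIG_CLASSES and hash_algo == SHA1:
                findings.append((subject, sig_class))
    return findings

# Constructed colon records mirroring the linted certificate: both User IDs and
# the signing subkey 36A241532F1BEFF0 carry SHA-1 binding signatures.
SAMPLE_SHA1 = """\
pub:u:4096:1:78A1B4DFE8F9C57E:1186000000:::u:::scESC::::::23::0:
uid:u::::1186000000::::Ludovic Rousseau <ludovic.rousseau@free.fr>::::::::::0:
sig:::1:78A1B4DFE8F9C57E:1186000000::::Ludovic Rousseau <ludovic.rousseau@free.fr>:13x::F5E11B9FFE911146F41D953D78A1B4DFE8F9C57E:::2:
uid:u::::1186000000::::Ludovic Rousseau <rousseau@debian.org>::::::::::0:
sig:::1:78A1B4DFE8F9C57E:1186000000::::Ludovic Rousseau <rousseau@debian.org>:13x::F5E11B9FFE911146F41D953D78A1B4DFE8F9C57E:::2:
sub:u:4096:1:36A241532F1BEFF0:1186000000::::::s::::::23:
sig:::1:78A1B4DFE8F9C57E:1186000000::::Ludovic Rousseau <rousseau@debian.org>:18x::F5E11B9FFE911146F41D953D78A1B4DFE8F9C57E:::2:
"""
# Constructed healthy key: same layout, self-signature made with SHA-256.
SAMPLE_OK = """\
pub:u:4096:1:0000000000000001:1700000000:::u:::scESC::::::23::0:
uid:u::::1700000000::::Example User <user@example.org>::::::::::0:
sig:::1:0000000000000001:1700000000::::Example User <user@example.org>:13x:::::8:
"""
if __name__ == "__main__":
    for (kind, name), cls in find_sha1_self_sigs(SAMPLE_SHA1):
        print(f"{kind} {name}: binding signature class {cls} uses SHA-1")
```

    Feed it real output with `gpg --with-colons --list-sigs <fingerprint> | python3 thisfile.py` after swapping the sample for `sys.stdin.read()`; an empty result means the key's self-signatures are not the reason for a gpgv rejection.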