XPost: linux.debian.maint.dpkg

UGFja2FnZTogZHBrZy1kZXYKVmVyc2lvbjogMS4yMi4xOQpTZXZlcml0eTogbm9ybWFsClgtRGVi YnVncy1DYzogbWFydGluLWVyaWMucmFjaW5lQGlraS5maQoKTm93IHRoYXQgQVBUIHB1bGxzICdz cXYnIGluLCBkcGtnLXNvdXJjZSBzZWVtaW5nbHkgbm8gbG9uZ2VyIGtub3dzIGhvdyB0byBjaGVj ayBzaWduYXR1cmVzOgoKLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0KJCBkcGtnLXNvdXJjZSAteCB+L1Byb2plY3RzL1NhbHNhL3VwZ3JhZGUtc3lzdGVt XzEuOS44LmRzYyAKZXJyb3I6IHRoZSBmb2xsb3dpbmcgcmVxdWlyZWQgYXJndW1lbnRzIHdlcmUg bm90IHByb3ZpZGVkOgogIC0ta2V5cmluZyA8RklMRT4KClVzYWdlOiBzcXYgLS1rZXlyaW5nIDxG SUxFPiAtLWNsZWFydGV4dCAtLW91dHB1dCA8RklMRT4gPEZJTEU+CgpGb3IgbW9yZSBpbmZvcm1h dGlvbiwgdHJ5ICctLWhlbHAnLgpkcGtnLXNvdXJjZTogd2FybmluZzogY2Fubm90IHZlcmlmeSBp bmxpbmUgc2lnbmF0dXJlIGZvciAvaG9tZS9wZXJrZWxpeC9Qcm9qZWN0cy9TYWxzYS91cGdyYWRl LXN5c3RlbV8xLjkuOC5kc2M6IG5vIGFjY2VwdGFibGUgc2lnbmF0dXJlIGZvdW5kCmRwa2ctc291 cmNlOiBpbmZvOiBleHRyYWN0aW5nIHVwZ3JhZGUtc3lzdGVtIGluIHVwZ3JhZGUtc3lzdGVtLTEu OS44CmRwa2ctc291cmNlOiBpbmZvOiB1bnBhY2tpbmcgdXBncmFkZS1zeXN0ZW1fMS45LjgudGFy Lnh6Ci0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tCgpJ IGNhbm5vdCBoZWxwIGJ1dCB3b25kZXIgd2h5ICdzcXYnIGluc2lzdHMgb24gZ2V0dGluZyB0b2xk IHdoaWNoIGtleXJpbmcgdG8gdXNlLiBncGd2IHdhcyBwZXJmZWN0bHkgY2FwYWJsZSBvZiB1c2lu ZyBhbGwgYXZhaWxhYmxlIGtleXJpbmdzLgoKQW55aG93LCB1bnRpbCB0aGlzIGhhcyBiZWVuIGZp eGVkLCB0aGUgcHJpbWFyeSBzaWduYXR1cmUgdmVyaWZpY2F0aW9uIG1ldGhvZCBmYWlscyBvbiBU cml4aWUuCgpNYXJ0aW4tw4lyaWMKCi0tIFN5c3RlbSBJbmZvcm1hdGlvbjoKRGViaWFuIFJlbGVh c2U6IDEzLjAKICBBUFQgcHJlZmVycyB1bnN0YWJsZS1kZWJ1ZwogIEFQVCBwb2xpY3k6ICg1MDAs ICd1bnN0YWJsZS1kZWJ1ZycpLCAoNTAwLCAndW5zdGFibGUnKQpBcmNoaXRlY3R1cmU6IGkzODYg KHg4Nl82NCkKCktlcm5lbDogTGludXggNi4xMi4yMiticG8tYW1kNjQgKFNNUCB3LzggQ1BVIHRo cmVhZHM7IFBSRUVNUFQpCkxvY2FsZTogTEFORz1maV9GSS5VVEYtOCwgTENfQ1RZUEU9ZmlfRkku VVRGLTggKGNoYXJtYXA9VVRGLTgpLCBMQU5HVUFHRT1maTplbgpTaGVsbDogL2Jpbi9zaCBsaW5r ZWQgdG8gL3Vzci9iaW4vZGFzaApJbml0OiBzeXN0ZW1kICh2aWEgL3J1bi9zeXN0ZW1kL3N5c3Rl bSkKTFNNOiBBcHBBcm1vcjogZW5hYmxlZAoKVmVyc2lvbnMgb2YgcGFja2FnZXMgZHBrZy1kZXYg ZGVwZW5kcyBvbjoKaWkgIGJpbnV0aWxzICAgICAgMi40NC0zCmlpICBiemlwMiAgICAgICAgIDEu MC44LTYKaWkgIGxpYmRwa2ctcGVybCAgMS4yMi4xOQppaSAgbWFrZSAgICAgICAgICA0LjQuMS0y CmlpICBwYXRjaCAgICAgICAgIDIuOC0xCmlpICBwZXJsICAgICAgICAgIDUuNDAuMS0zCmlpICB0 YXIgICAgICAgICAgIDEuMzUrZGZzZy0zLjEKaWkgIHh6LXV0aWxzICAgICAgNS44LjEtMQoKVmVy c2lvbnMgb2YgcGFja2FnZXMgZHBrZy1kZXYgcmVjb21tZW5kczoKaWkgIGJ1aWxkLWVzc2VudGlh bCAgICAgICAgICAxMi4xMgppaSAgZmFrZXJvb3QgICAgICAgICAgICAgICAgIDEuMzcuMS4yLTEK aWkgIGdjYyBbYy1jb21waWxlcl0gICAgICAgICA0OjE0LjIuMC0xCmlpICBnY2MtMTQgW2MtY29t cGlsZXJdICAgICAgMTQuMi4wLTE5CmlpICBnbnVwZyAgICAgICAgICAgICAgICAgICAgMi40Ljct MTkKaWkgIGdwZ3YgICAgICAgICAgICAgICAgICAgICAyLjQuNy0xOQppaSAgbGliYWxnb3JpdGht LW1lcmdlLXBlcmwgIDAuMDgtNQppaSAgc3EgICAgICAgICAgICAgICAgICAgICAgIDEuMy4xLTIr YjEKaWkgIHNxdiAgICAgICAgICAgICAgICAgICAgICAxLjMuMC0yCgpWZXJzaW9ucyBvZiBwYWNr YWdlcyBkcGtnLWRldiBzdWdnZXN0czoKcG4gIGRlYmlhbi1rZXlyaW5nICAgICAgICAgICAgIDxu b25lPgpwbiAgZGViaWFuLXRhZzJ1cGxvYWQta2V5cmluZyAgPG5vbmU+CgotLSBubyBkZWJjb25m IGluZm9ybWF0aW9uCg==

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.maint.dpkg

Hi!

On Tue, 2025-05-20 at 13:33:58 +0300, Martin-Éric Racine wrote:

Package: dpkg-dev
Version: 1.22.19
Severity: normal
X-Debbugs-Cc: martin-eric.racine@iki.fi

Now that APT pulls 'sqv' in, dpkg-source seemingly no longer knows how to check signatures:

--------------------------------------------------
$ dpkg-source -x ~/Projects/Salsa/upgrade-system_1.9.8.dsc
error: the following required arguments were not provided:
--keyring <FILE>

Usage: sqv --keyring <FILE> --cleartext --output <FILE> <FILE>

For more information, try '--help'.
dpkg-source: warning: cannot verify inline signature for /home/perkelix/Projects/Salsa/upgrade-system_1.9.8.dsc: no acceptable signature found
dpkg-source: info: extracting upgrade-system in upgrade-system-1.9.8 dpkg-source: info: unpacking upgrade-system_1.9.8.tar.xz --------------------------------------------------

This is mostly a UI kind of issue, where dpkg-source should not be
calling sqv (or sq), when the needed keyrings are not present on disk, otherwise we get this kind of alarming/distracting error message from
the tool. But even then, the effect would be the same, dpkg-source
would not be able to verify the signature.

I cannot help but wonder why 'sqv' insists on getting told which
keyring to use. gpgv was perfectly capable of using all available
keyrings.

Hmm, I'm not sure I understand this comment. gpgv has always also
being passed the required Debian keyrings to verify stuff, but the
difference is that we need to create a temporary home directory
and for gpgv we always touch the trustedkeys.gpg keyring which is
what the tool falls back to if there is no other keyring specified.
Which it still then will fail verify.

Anyhow, until this has been fixed, the primary signature verification
method fails on Trixie.

The dpkg code will detect all the OpenPGP backends it supports, from
any SOP/SOPV implementation, then sq/sqv and finally gpg/gpgv. But they
all will fail in some way or another due to…

Versions of packages dpkg-dev suggests:
pn debian-keyring <none>
pn debian-tag2upload-keyring <none>

… this.

I'll prepare a change to improve the error handling/reporting though.

Thanks,
Guillem

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.maint.dpkg

Hi!

On Tue, 2025-05-20 at 14:52:59 +0300, Martin-Éric Racine wrote:

ti 20.5.2025 klo 14.30 Guillem Jover (guillem@debian.org) kirjoitti:

On Tue, 2025-05-20 at 13:33:58 +0300, Martin-Éric Racine wrote:

Package: dpkg-dev
Version: 1.22.19
Severity: normal
X-Debbugs-Cc: martin-eric.racine@iki.fi

I cannot help but wonder why 'sqv' insists on getting told which
keyring to use. gpgv was perfectly capable of using all available keyrings.

Hmm, I'm not sure I understand this comment. gpgv has always also
being passed the required Debian keyrings to verify stuff, but the difference is that we need to create a temporary home directory
and for gpgv we always touch the trustedkeys.gpg keyring which is
what the tool falls back to if there is no other keyring specified.
Which it still then will fail verify.

gpgv never had difficulties verifying the signature....

Anyhow, until this has been fixed, the primary signature verification method fails on Trixie.

The dpkg code will detect all the OpenPGP backends it supports, from
any SOP/SOPV implementation, then sq/sqv and finally gpg/gpgv. But they
all will fail in some way or another due to…

Versions of packages dpkg-dev suggests:
pn debian-keyring <none>
pn debian-tag2upload-keyring <none>

… this.

... even without these, but sqv does.

As far as I can tell, the key issue is that gpgv knows about the
user's personal keyring (which, in my case, has the key of many DD/DM,
as a result of previous key signing parties) as well as system
keyrings, while sqv seemingly doesn't.

Sorry that I was not more clear. When verifying signatures using any of
the GnuPG implementation commands (gpg or gpgv), we never use the user
home directory (and neither its pubring.{pgp,kbx} keyrings), the only
thing from the GnuPG home directory we try to use is the ~/.gnupg/trustedkeys.{gpg,kbx} keyring if present, but those do not get automatically populated by gpg (AFAIR). So I'm assuming you might
have added your own certificate there (and perhaps a select few?), and
if so that would mean you would not be able to verify other source
packages that are signed by other people.

And TBH, when I started to add the OpenPGP multi-backend support in
dpkg 1.21.x, I already was considering that using the trustedkeys
keyrings with GnuPG tools was probably not a very good idea, because
it could give different results depending on the backend used. So I
might consider deprecating its usage perhaps.

Thanks,
Guillem

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.maint.dpkg

Hi!

On Tue, 2025-05-20 at 15:36:40 +0300, Martin-Éric Racine wrote:

ti 20.5.2025 klo 15.07 Guillem Jover (guillem@debian.org) kirjoitti:

On Tue, 2025-05-20 at 14:52:59 +0300, Martin-Éric Racine wrote:

As far as I can tell, the key issue is that gpgv knows about the
user's personal keyring (which, in my case, has the key of many DD/DM,
as a result of previous key signing parties) as well as system
keyrings, while sqv seemingly doesn't.

Sorry that I was not more clear. When verifying signatures using any of
the GnuPG implementation commands (gpg or gpgv), we never use the user
home directory (and neither its pubring.{pgp,kbx} keyrings), the only
thing from the GnuPG home directory we try to use is the ~/.gnupg/trustedkeys.{gpg,kbx} keyring if present, but those do not get automatically populated by gpg (AFAIR). So I'm assuming you might
have added your own certificate there (and perhaps a select few?), and
if so that would mean you would not be able to verify other source
packages that are signed by other people.

I never said that they get automatically populated. I said that if the
key used to sign the package is present in ~/.gnupg/*, gpgv apparently
knows how to use it, while sqv seemingly doesn't.

FWIW, I purposely don't install debian-keyring, because the unpacked
file is huge, and gpgv knows how to source the key from ~/.gnupg/* as
needed.

I was trying to clarify what seemed like an apparent misconception,
while trying to infer from missing context. But I think I failed. :)
Let me try again, just in case (even possibly if you know some or most
of it :).

By default gpg(1) uses its home directory to reach for certificates and
keys under ~/.gnupg/pubring.{kbx,gpg} and ~/.gnupg/private-keys-v1.d/* respectively (but never ~/.gnupg/trustedkeys.{kbx,gpg}). By default
gpgv(1) uses only any keyring specified by any explicit --keyring
argument, and only if no such argument has been specified it will try
to use ~/.gnupg/trustedkeys.{kbx,gpg} if it exists.

The GnuPG support in dpkg (AFAIR), has never used (or at least for a
very long time) the GnuPG home directory for signature verification, it
has always created a temporary home directory to avoid it implicitly
reading any of the GnuPG keyrings. As an exception though, that dpkg
support has always passed explicitly the trustedkeys keyring (if
present) to the list of keyrings to either gpg or gpgv (which diverges
from both default tools behavior).

Given GnuPG's move to its own non-standard format for its trustedkeys
keyring (the keybox format), reusing that for other implementations is
no longer an option, and was kept as a GnuPG specific behavior, but
this is becoming an annoying divergence.

I hear what you say about the Debian keyring being too big, and the
desire for the usage of a curated user keyring, so for 1.23.x I'll be
adding generic support to be able to specify an OpenPGP formatted
keyring for such cases to all OpenPGP implementation, and then
deprecate the GnuPG specific trustedkeys keyring support.

Also a note that after apt switched from gpgv to sqv, and before dpkg
grew support for sqv, on minimal installations (with no gpgv or any
other supported OpenPGP implementation present), dpkg-source would not
verify signatures at all (it does not even print a warning if there is
no OpenPGP tool available for it to use). I've got some patches and
some thoughts to make this all more explicit for 1.23.x though.

Hope that clarifies.

I've also updated the current pre-approval/unblock report against the
release team for a proposed new upload fixing this confusing error
handling.

Thanks,
Guillem

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)