Bug#1110172: Keys in a user's trustedkeys.gpg keyring are ignored when

    From Aaron Rainbolt@21:1/5 to All on Thu Jul 31 04:10:01 2025
    XPost: linux.debian.maint.dpkg

    Package: dpkg-dev
    Version: 1.22.21
    Severity: important
    X-Debbugs-Cc: [email protected]

    dpkg-source's manpage states that when verifying the OpenPGP signature on a source package that is being unpacked, the "user's trustedkeys.gpg keyring" will be used in addition to vendor-specific and official Debian keyrings.
    Under Bookworm, this means that a source package signed by an ultimately-trusted key in ~/.gnupg/trustedkeys.gpg will be accepted by dpkg-source. To demonstrate, on a Bookworm machine:

    1. Run `gpg --full-generate-key`, and accept all default options when
    generating the key.
    2. Run `gpg --list-keys` and verify the new key is marked as "ultimate".
    3. Run `gpg --export KEYID > ~/tmp.key` to export the new key, replacing KEYID
    with the ID of the newly generated key.
    4. Run `gpg --no-default-keyring --keyring=~/.gnupg/trustedkeys.gpg --import
    ~/tmp.key` to import the key into the trustedkeys.gpg keyring.
    5. Run `gpg --keyring ~/.gnupg/trustedkeys.gpg --no-default-keyring
    --list-keys` to verify the key is added and marked as having "ultimate"
    trust level.
    6. Create a simple test package under ~/test/myapp, with the following
    contents (minus extraneous leading spaces, and replacing the name and email
    address throughout as appropriate):

    ~/test/myapp/debian/changelog:

    myapp (1.0) unstable; urgency=medium

      * Initial release. (Closes: #9374289)

     -- Aaron Rainbolt <[email protected]>  Wed, 30 Jul 2025 19:52:52 -0500

    ~/test/myapp/debian/control:

    Source: myapp
    Section: misc
    Priority: optional
    Maintainer: Aaron Rainbolt <[email protected]>
    Build-Depends: debhelper-compat (= 13)
    Standards-Version: 4.7.2
    Rules-Requires-Root: no

    Package: myapp
    Architecture: all
    Depends: ${misc:Depends}
    Description: My App
     Prints the word "Hi!" when executed. Does not support localization.

    ~/test/myapp/debian/copyright:

    Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

    Files: *
    Copyright: 2025 Aaron Rainbolt <[email protected]>
    License: CC0
     I'm not about to paste the full text of the CC0 license here, paste it in
     yourself if you must.

    ~/test/myapp/debian/myapp.install:

    hi.sh usr/bin/

    ~/test/myapp/debian/rules (note, replace the spaces before `dh` with
    a tab):

    #!/usr/bin/make -f

    %:
    	dh $@

    ~/test/myapp/debian/source/format:

    3.0 (native)

    ~/test/myapp/hi.sh:

    #!/bin/bash
    echo 'Hi!'

    7. Build this into a source package with
    `cd ~/test/myapp; debuild -S -d -sa -us -uc`.
    8. Sign it with the newly created key using
    `debsign -kKEYID ../myapp_1.0_source.changes`.
    9. Create a new directory at ~/test/extract.
    10. Run `cd ~/test/extract;
    dpkg-source -x --require-valid-signature ../myapp_1.0.dsc`.

    On Bookworm, this will work as expected and extract the source package. However, if the above steps are executed on a Trixie machine instead, it will bail out with the error message "dpkg-source: error: cannot verify inline signature for ../myapp_1.0.dsc: no acceptable signature found". I tried using both the Trixie default of ECC keys and the prior Bookworm default of RSA keys on Trixie, and both of them fail in identical ways.

    If dpkg-source intentionally no longer supports trusting user-provided keys when extracting source packages, this should be documented. It would be much preferable to fix dpkg-source so that user-provided keys work again though.


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
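The ten reproduction steps of the report as a single script, added here as an example and not part of the report or of dpkg: it runs the whole procedure inside a throwaway HOME so that the user's real ~/.gnupg and trustedkeys.gpg are never modified, and it attempts the build only when gpg, debuild, debsign and dpkg-source are installed. The maintainer identity is a constructed placeholder (the report itself says to substitute your own), the tab in debian/rules that the report warns about is written with printf and can be checked before building, and the final message states which of the two behaviours (Bookworm's acceptance or the rejection seen on Trixie) the installed dpkg-source shows.

```shell
#!/bin/sh
# Added example, not part of the bug report: its ten reproduction steps as one
# script, run inside a throwaway HOME so the real ~/.gnupg/trustedkeys.gpg is
# never touched. Assumes gpg, debuild, debsign and dpkg-source are installed.
# The maintainer identity is a constructed placeholder, as the report suggests.
set -eu

MAINT='Test Maintainer <[email protected]>'   # constructed identity

# Step 6: write the minimal native source package into "$1/myapp".
write_test_package() {
    pkgdir="$1/myapp"
    mkdir -p "$pkgdir/debian/source"
    cat > "$pkgdir/debian/changelog" <<EOF
myapp (1.0) unstable; urgency=medium

  * Initial release. (Closes: #9374289)

 -- $MAINT  Wed, 30 Jul 2025 19:52:52 -0500
EOF
    cat > "$pkgdir/debian/control" <<EOF
Source: myapp
Section: misc
Priority: optional
Maintainer: $MAINT
Build-Depends: debhelper-compat (= 13)
Standards-Version: 4.7.2
Rules-Requires-Root: no

Package: myapp
Architecture: all
Depends: \${misc:Depends}
Description: My App
 Prints the word "Hi!" when executed. Does not support localization.
EOF
    cat > "$pkgdir/debian/copyright" <<EOF
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Files: *
Copyright: 2025 $MAINT
License: CC0
 (full CC0 text goes here; the report leaves it out as well)
EOF
    echo 'hi.sh usr/bin/' > "$pkgdir/debian/myapp.install"
    # make(1) requires a real tab before the recipe; printf guarantees one.
    printf '#!/usr/bin/make -f\n\n%%:\n\tdh $@\n' > "$pkgdir/debian/rules"
    echo '3.0 (native)' > "$pkgdir/debian/source/format"
    printf '#!/bin/bash\necho "Hi!"\n' > "$pkgdir/hi.sh"
    chmod 755 "$pkgdir/debian/rules" "$pkgdir/hi.sh"
}

# Returns 0 when all seven files exist and debian/rules carries the tab the
# report warns about (otherwise make fails with "missing separator").
package_tree_ok() {
    pkgdir="$1/myapp"
    for f in debian/changelog debian/control debian/copyright \
             debian/myapp.install debian/rules debian/source/format hi.sh; do
        [ -f "$pkgdir/$f" ] || return 1
    done
    grep -qF "$(printf '\tdh $@')" "$pkgdir/debian/rules"
}

# Prints the names of any tools needed by steps 1-5 and 7-10 that are missing.
missing_tools() {
    missing=""
    for t in gpg debuild debsign dpkg-source; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    echo "$missing"
}

run_reproduction() {
    m=$(missing_tools)
    if [ -n "$m" ]; then echo "not installed:$m; nothing tried"; return 0; fi
    work=$(mktemp -d)
    export HOME="$work" GNUPGHOME="$work/.gnupg"   # isolated keyrings
    mkdir -m 700 "$GNUPGHOME"
    # Steps 1-2: unattended key generation with gpg's defaults; a locally
    # generated key receives "ultimate" ownertrust automatically.
    gpg --batch --pinentry-mode loopback --passphrase '' --quick-generate-key "$MAINT"
    keyid=$(gpg --list-keys --with-colons "$MAINT" | awk -F: '/^fpr:/ { print $10; exit }')
    # Steps 3-5: export the key and import it into trustedkeys.gpg.
    gpg --export "$keyid" > "$work/tmp.key"
    gpg --no-default-keyring --keyring "$GNUPGHOME/trustedkeys.gpg" --import "$work/tmp.key"
    # Steps 6-8: build the source package unsigned, then sign it with the key.
    write_test_package "$work/test"
    (cd "$work/test/myapp" && debuild -S -d -sa -us -uc)
    (cd "$work/test" && debsign -k"$keyid" myapp_1.0_source.changes)
    # Steps 9-10: extraction must fail unless an acceptable key signed the .dsc.
    mkdir "$work/test/extract"
    if (cd "$work/test/extract" && dpkg-source -x --require-valid-signature ../myapp_1.0.dsc); then
        echo "trustedkeys.gpg honoured: extraction succeeded"
    else
        echo "signature rejected: the behaviour the report describes"
    fi
}

if [ "${1:-}" = "--run" ]; then run_reproduction; fi   # explicit opt-in only
```

Run it as `sh repro.sh --run`; without the flag it only defines the functions, so `write_test_package` and `package_tree_ok` can be exercised on their own to inspect the generated tree before any key is created. Because HOME is redirected, the result reflects only the keyring the script populated, which is exactly the "user's trustedkeys.gpg" the manpage promises to consult.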