
Bug#1067725: lintian: lintian should consider warning when one of many signing keys is missing



Package: lintian
Version: 2.116.3
Severity: wishlist
X-Debbugs-Cc: none, Xiyue Deng <manphiz@gmail.com>

We encountered a case where persist[1] from ELPA has more than one
signing key and one of the public keys is missing.  As the output of
`gbp import-orig --uscan' shows[2], the EDDSA public key could not be
found.  Instead, the RSA key was available in the repo[3] and passed the
signature check.  So instead I used `uscan --skip-signature' to get the
upstream tarball and prepared the packaging.  Paul Wise asked me to
check whether lintian would still warn about the missing key in the
built package, and it didn't.

This might be considered a rather rare case with multiple signing keys,
and Paul suggested filing a bug against lintian nonetheless to keep a
record of this case.

[1] https://elpa.gnu.org/packages/persist.html

[2] Command output:
,----
| $ gbp import-orig --uscan
| gbp:info: Launching uscan...
| Newest version of persist-el on remote site is 0.6, local version is 0.5
|        (mangled local version is 0.5)
|  => Newer package available from:
|         => https://elpa.gnu.org/packages/persist-0.6.tar
| gpgv: Signature made Sat 13 Jan 2024 02:05:03 AM PST
| gpgv:                using RSA key C433554766D3DDC64221BFAA066DAFCB81E42C40
| gpgv: Good signature from "GNU ELPA Signing Agent (2019) <elpasign@elpa.gnu.org>"
| gpgv: Signature made Sat 13 Jan 2024 02:05:03 AM PST
| gpgv:                using EDDSA key 0327BE68D64D9A1A66859F15645357D2883A0966
| gpgv: Can't check signature: No public key
| uscan die: OpenPGP signature did not verify. at /usr/share/perl5/Devscripts/Uscan/Output.pm line 77.
| gbp:error: Uscan failed: OpenPGP signature did not verify.
`----

[3] https://salsa.debian.org/emacsen-team/persist-el/-/blob/master/debian/upstream/signing-key.asc?ref_type=heads

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (200, 'proposed-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-18-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lintian depends on:
ii  binutils                        2.40-2
ii  bzip2                           1.0.8-5+b1
ii  diffstat                        1.65-1
ii  dpkg                            1.21.22
ii  dpkg-dev                        1.21.22
ii  file                            1:5.44-3
ii  gettext                         0.21-12
ii  gpg                             2.2.40-1.1
ii  intltool-debian                 0.35.0+20060710.6
ii  iso-codes                       4.15.0-1
ii  libapt-pkg-perl                 0.1.40+b2
ii  libarchive-zip-perl             1.68-1
ii  libberkeleydb-perl              0.64-2+b1
ii  libcapture-tiny-perl            0.48-2
ii  libclass-xsaccessor-perl        1.19-4+b1
ii  libclone-perl                   0.46-1
ii  libconfig-tiny-perl             2.28-2
ii  libconst-fast-perl              0.014-2
ii  libcpanel-json-xs-perl          4.35-1
ii  libdata-dpath-perl              0.58-2
ii  libdata-validate-domain-perl    0.10-1.1
ii  libdata-validate-uri-perl       0.07-2
ii  libdevel-size-perl              0.83-2+b1
pn  libdigest-sha-perl              <none>
ii  libdpkg-perl                    1.21.22
ii  libemail-address-xs-perl        1.05-1+b1
ii  libencode-perl                  3.19-1+b1
ii  libfile-basedir-perl            0.09-2
ii  libfile-find-rule-perl          0.34-3
ii  libfont-ttf-perl                1.06-2
ii  libhtml-html5-entities-perl     0.004-3
ii  libhtml-tokeparser-simple-perl  3.16-4
ii  libio-interactive-perl          1.023-2
ii  libipc-run3-perl                0.048-3
ii  libjson-maybexs-perl            1.004004-1
ii  liblist-compare-perl            0.55-2
ii  liblist-someutils-perl          0.59-1
ii  liblist-utilsby-perl            0.12-2
ii  libmldbm-perl                   2.05-4
ii  libmoo-perl                     2.005005-1
ii  libmoox-aliases-perl            0.001006-2
ii  libnamespace-clean-perl         0.27-2
ii  libpath-tiny-perl               0.144-1
ii  libperlio-gzip-perl             0.20-1+b1
ii  libperlio-utf8-strict-perl      0.010-1
ii  libproc-processtable-perl       0.634-1+b2
ii  libregexp-wildcards-perl        1.05-3
ii  libsereal-decoder-perl          5.003+ds-1
ii  libsereal-encoder-perl          5.003+ds-1
ii  libsort-versions-perl           1.62-3
ii  libsyntax-keyword-try-perl      0.28-1
ii  libterm-readkey-perl            2.38-2+b1
ii  libtext-levenshteinxs-perl      0.03-5+b1
ii  libtext-markdown-discount-perl  0.16-1
ii  libtext-xslate-perl             3.5.9-1+b2
ii  libtime-duration-perl           1.21-2
ii  libtime-moment-perl             0.44-2+b1
ii  libtimedate-perl                2.3300-2
ii  libunicode-utf8-perl            0.62-2
ii  liburi-perl                     5.17-1
ii  libwww-mechanize-perl           2.16-1
ii  libwww-perl                     6.68-1
ii  libxml-libxml-perl              2.0207+dfsg+really+2.0134-1+b1
ii  libyaml-libyaml-perl            0.86+ds-1
ii  lzop                            1.04-2
ii  man-db                          2.11.2-2
ii  patchutils                      0.4.2-1
ii  perl [libencode-perl]           5.36.0-7+deb12u1
ii  plzip [lzip-decompressor]       1.10-5
ii  t1utils                         1.41-4
ii  unzip                           6.0-28
ii  xz-utils                        5.4.1-0.2

lintian recommends no packages.

Versions of packages lintian suggests:
pn  binutils-multiarch     <none>
pn  libtext-template-perl  <none>

-- no debconf information
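
Added example, not part of the original report and not lintian or uscan code: a small parser for the gpgv output quoted in [2] that lists signatures whose public key is absent from the keyring, which is the condition the report asks lintian to flag. The function names are assumptions of this example, and it reads gpgv's human-readable English messages as they appear above.

```python
import re

# gpgv lines copied from the command output quoted in the report ([2]).
GPGV_OUTPUT = """\
gpgv: Signature made Sat 13 Jan 2024 02:05:03 AM PST
gpgv:                using RSA key C433554766D3DDC64221BFAA066DAFCB81E42C40
gpgv: Good signature from "GNU ELPA Signing Agent (2019) <elpasign@elpa.gnu.org>"
gpgv: Signature made Sat 13 Jan 2024 02:05:03 AM PST
gpgv:                using EDDSA key 0327BE68D64D9A1A66859F15645357D2883A0966
gpgv: Can't check signature: No public key
"""

KEY_RE = re.compile(r"^gpgv:\s+using (\S+) key ([0-9A-Fa-f]{16,})$")


def classify_signatures(gpgv_text):
    """Return one record per signature: algorithm, key id and status."""
    sigs = []
    for line in gpgv_text.splitlines():
        line = line.rstrip()
        if line.startswith("gpgv: Signature made"):
            # Each "Signature made" line opens a new signature record.
            sigs.append({"algo": None, "key": None, "status": "unknown"})
            continue
        if not sigs:
            continue  # ignore anything before the first signature
        m = KEY_RE.match(line)
        if m:
            sigs[-1]["algo"], sigs[-1]["key"] = m.group(1), m.group(2).upper()
        elif line.startswith("gpgv: Good signature"):
            sigs[-1]["status"] = "good"
        elif line.startswith("gpgv: BAD signature"):
            sigs[-1]["status"] = "bad"
        elif line.endswith("No public key"):
            sigs[-1]["status"] = "missing-key"
    return sigs


def missing_keys(gpgv_text):
    """Key ids of signatures that could not be checked for lack of a key."""
    return [s["key"] for s in classify_signatures(gpgv_text)
            if s["status"] == "missing-key"]


def partially_verified(gpgv_text):
    """True when one signature verified but another signer's key is absent."""
    statuses = {s["status"] for s in classify_signatures(gpgv_text)}
    return "good" in statuses and "missing-key" in statuses


if __name__ == "__main__":
    for key in missing_keys(GPGV_OUTPUT):
        print("signing key not in keyring:", key)
```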

