[pkg-gnupg-maint] Bug#1060664: gpg: Option --keyserver-options=auto-key-retrieve does not work

Vincent Lefevre vincent at vinc17.net
Fri Jan 12 10:40:55 GMT 2024


Package: gpg
Version: 2.2.40-1.1+b1
Severity: normal
Affects: libmodule-signature-perl

The --keyserver-options=auto-key-retrieve option does not work. It is
described as an obsolete alias for the option auto-key-retrieve, but
it is still documented, so that it is still expected to be supported.
Note that it is still used by libmodule-signature-perl.

The test I did:

zira:~> MODULE_SIGNATURE_VERBOSE=1 MODULE_SIGNATURE_KEYSERVER=pgpkeys.eu cpan -i XML::RPC
Reading '/home/vinc17/.cpan/Metadata'
  Database was generated on Thu, 11 Jan 2024 22:41:02 GMT
Running install for module 'XML::RPC'
CPAN: Digest::SHA loaded ok (v6.04)
CPAN: Module::Signature loaded ok (v0.88)
Executing gpg/--verify/--batch/--no-tty/--keyserver=hkp://pgpkeys.eu:11371/--keyserver-options=auto-key-retrieve//tmp/E4jnBjTWP8
gpg: Signature made 2023-12-17T16:29:09 CET
gpg:                using RSA key 77576125A905F1BA
gpg: Can't check signature: No public key

Signature invalid for file /home/vinc17/.cpan/sources/authors/id/C/CA/CAVAC/CHECKSUMS. Please investigate.
[...]

zira:~[2]> gpg --keyserver pgpkeys.eu --recv-keys 77576125A905F1BA
gpg: key 328DA867450F89EC: 13 duplicate signatures removed
gpg: key 328DA867450F89EC: "PAUSE Batch Signing Key 2024 <pause at pause.perl.org>" 1 new user ID
gpg: key 328DA867450F89EC: "PAUSE Batch Signing Key 2024 <pause at pause.perl.org>" 14 new signatures
gpg: key 328DA867450F89EC: "PAUSE Batch Signing Key 2024 <pause at pause.perl.org>" 2 new subkeys
gpg: Total number processed: 1
gpg:           new user IDs: 1
gpg:            new subkeys: 2
gpg:         new signatures: 14

zira:~> MODULE_SIGNATURE_VERBOSE=1 MODULE_SIGNATURE_KEYSERVER=pgpkeys.eu cpan -i XML::RPC
Reading '/home/vinc17/.cpan/Metadata'
  Database was generated on Thu, 11 Jan 2024 22:41:02 GMT
Running install for module 'XML::RPC'
CPAN: Digest::SHA loaded ok (v6.04)
CPAN: Module::Signature loaded ok (v0.88)
Executing gpg/--verify/--batch/--no-tty/--keyserver=hkp://pgpkeys.eu:11371/--keyserver-options=auto-key-retrieve//tmp/TMJRFmY_zR
gpg: Signature made 2023-12-17T16:29:09 CET
gpg:                using RSA key 77576125A905F1BA
gpg: Good signature from "PAUSE Batch Signing Key 2024 <pause at pause.perl.org>" [unknown]
[...]

In summary, the public key was missing and wasn't retrieved
automatically, even though --keyserver-options=auto-key-retrieve was
used. Then I retrieved the key explicitly with --recv-keys and using
the same keyserver, which succeeded, and the signature could be
verified.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-5-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gpg depends on:
ii  gpgconf        2.2.40-1.1+b1
ii  libassuan0     2.5.6-1
ii  libbz2-1.0     1.0.8-5+b2
ii  libc6          2.37-13
ii  libgcrypt20    1.10.3-2
ii  libgpg-error0  1.47-3
ii  libreadline8   8.2-3
ii  libsqlite3-0   3.44.2-1
ii  zlib1g         1:1.3.dfsg-3

Versions of packages gpg recommends:
ii  gnupg  2.2.40-1.1

gpg suggests no packages.

-- no debconf information

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
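The workaround the report performs by hand (explicit `--recv-keys`, then verify again), scripted as an added example; this is not code from the bug report or from Module::Signature. It assumes `gpg` is on PATH, takes the keyserver from an optional `KEYSERVER` variable (defaulting to the server used in the report), and recognises the missing-key case by parsing the same stderr lines the report shows.

```sh
# Added example (not code from the bug report or from Module::Signature):
# gpg ignores --keyserver-options=auto-key-retrieve here, so on
# "No public key" we fetch the key gpg names and verify once more.

# Constructed sample, copied from the stderr lines the report shows.
SAMPLE_MISSING="gpg: Signature made 2023-12-17T16:29:09 CET
gpg:                using RSA key 77576125A905F1BA
gpg: Can't check signature: No public key"

# Print the long key ID from a failed gpg --verify run, or nothing when
# the failure was something other than a missing public key.
missing_key_id() {
    printf '%s\n' "$1" | awk '
        /using (RSA|DSA|EDDSA|ECDSA) key/ { id = $NF }
        /Can.t check signature: No public key/ { missing = 1 }
        END { if (missing && id != "") print id }'
}

# Verify a clearsigned file (e.g. a CPAN SIGNATURE); on a missing key,
# fetch it from $KEYSERVER (default: the server used in the report) and
# retry once. Any other failure is reported unchanged.
verify_with_fallback() {
    file=$1
    ks=${KEYSERVER:-hkp://pgpkeys.eu:11371}
    if err=$(gpg --verify --batch --no-tty --keyserver "$ks" \
                 --keyserver-options=auto-key-retrieve "$file" 2>&1); then
        printf '%s\n' "$err" >&2
        return 0
    fi
    keyid=$(missing_key_id "$err")
    if [ -z "$keyid" ]; then
        printf '%s\n' "$err" >&2
        return 1
    fi
    gpg --batch --no-tty --keyserver "$ks" --recv-keys "$keyid" >&2 || return 1
    gpg --verify --batch --no-tty "$file"
}
```

Fetching by key ID establishes no trust: exactly as in the report, the retried verification still reports the key as [unknown], so its fingerprint still has to be checked against a trusted source before the signature means anything.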