[pkg-gnupg-maint] Bug#977909: gnupg: `--trust-model always` doesn't trust keys
Ansgar
ansgar at debian.org
Tue Dec 22 18:07:58 GMT 2020
Package: gnupg
Version: 2.2.20-1
Severity: normal
Tags: upstream
Run:
$ gpg --trust-model always \
      --no-default-keyring \
      --keyring /usr/share/keyrings/debian-archive-keyring.gpg \
      --verify /var/lib/apt/lists/deb.debian.org_debian_dists_unstable_InRelease
The output then contains:
| gpg: WARNING: Using untrusted key!
which seems strange given GnuPG was told to trust all keys. Setting
the option via gpg.conf has the same result.
The output from --status-fd=2 includes both "GOODSIG" and "VALIDSIG".
If I try to use python3-gpg to verify the signature, the signatures
returned in `result.signatures` have summary=0, i.e., no valid
signature was reported (does "GPGME_SIGSUM_VALID" mean the same as
VALIDSIG?).
Ansgar
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing'), (300, 'buildd-unstable'), (300, 'unstable'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.9.0-4-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gnupg depends on:
ii dirmngr 2.2.20-1
ii gnupg-l10n 2.2.20-1
ii gnupg-utils 2.2.20-1
ii gpg 2.2.20-1
ii gpg-agent 2.2.20-1
ii gpg-wks-client 2.2.20-1
ii gpg-wks-server 2.2.20-1
ii gpgsm 2.2.20-1
ii gpgv 2.2.20-1
gnupg recommends no packages.
Versions of packages gnupg suggests:
pn parcimonie <none>
pn xloadimage <none>
-- no debconf information
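
Added example, not part of the original report and not GnuPG or python3-gpg code: a small Python parser for `--status-fd` output that records the signature result (GOODSIG/VALIDSIG) and the trust result (TRUST_*) as separate fields, then checks the verified key against pinned fingerprints. The status lines and fingerprints are constructed, and `parse_status` and `accepted_by` are hypothetical helper names.

```python
PREFIX = "[GNUPG:] "
FAILED = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
TRUST = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
         "TRUST_FULLY", "TRUST_ULTIMATE"}

def parse_status(text):
    """Group gpg --status-fd lines into one record per signature."""
    sigs = []
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue  # human-readable output ("gpg: WARNING: ...") is not parsed
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        kw, args = fields[0], fields[1:]
        if kw == "GOODSIG" or kw in FAILED:
            sigs.append({"status": kw, "fpr": None, "primary": None, "trust": None})
        elif kw == "VALIDSIG" and args and sigs and sigs[-1]["status"] == "GOODSIG":
            sigs[-1]["fpr"] = args[0]
            # The primary key fingerprint is the 10th field when present.
            sigs[-1]["primary"] = args[9] if len(args) > 9 else args[0]
        elif kw in TRUST and sigs:
            sigs[-1]["trust"] = kw
    return sigs

def accepted_by(sigs, pinned):
    """Primary fingerprints from `pinned` that have a GOODSIG + VALIDSIG pair."""
    return {s["primary"] for s in sigs
            if s["status"] == "GOODSIG" and s["primary"] in pinned}

# Constructed sample, not output captured from the report.
FPR_SUB = "A" * 40
FPR_PRIMARY = "B" * 40
SAMPLE = f"""gpg: Signature made (constructed sample)
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {FPR_SUB[-16:]} Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG {FPR_SUB} 2020-12-22 1608660000 0 4 0 1 8 01 {FPR_PRIMARY}
[GNUPG:] TRUST_UNDEFINED 0 pgp
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG CCCCCCCCCCCCCCCC 1 8 01 1608660000 9 -
"""

if __name__ == "__main__":
    for sig in parse_status(SAMPLE):
        print(sig)
    print(accepted_by(parse_status(SAMPLE), {FPR_PRIMARY}))
```

A record whose `trust` field is `None` had no TRUST_* line in the input; the acceptance check depends only on the GOODSIG/VALIDSIG pair and the pinned fingerprint set.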