[pkg-gnupg-maint] Bug#1022702: gnupg 2.4 EOL

Andreas Metzler ametzler at bebt.de
Sun Apr 6 10:41:53 BST 2025


On 2025-04-05 Nicholas D Steeves <sten at debian.org> wrote:
> Hello,

> I found an upstream (Syncthing) who distributes signatures that GnuPG
> 2.2.x appears to not be able to handle.

> Is there a GnuPG 2.2.x-compat signing mode that we should be asking our
> upstreams to use?  Meanwhile, some of our upstreams are moving to
> alternative OpenPGP implementations.  Does this mean the issues of
> diverging standards that Daniel and Andreas raised are going to become a
> problem in 2025?  In other words, has this bug become more important
> than wishlist?

> I installed 2.4.7 from
> experimental, and this version successfully verified the sig; however,
> uscan appears to need to be made compatible with 2.4.7, ie

>     uscan die: OpenPGP signature did not verify. at
>     /usr/share/perl5/Devscripts/Uscan/Output.pm line 77.

> even though GPG returned "Good signature" for both upstream signatures.

> Given that the soft-freeze is only 9 days away, should the release team
> be contacted?

Hello,

there are two issues here I think:

The respective file has two signatures; only one of these is in
syncthing-1.29.2~ds1/debian/upstream/signing-key.asc, and gpgv only exits
with success if it can verify *all* signatures:
ametzler at argenau:/tmp/SY$ gpgv --homedir /tmp/SY/gpghome --keyring /tmp/SY/convert-upstream.gpg v2.0.0-beta.5.tar.gz.asc v2.0.0-beta.5.tar.gz
gpgv: no valid OpenPGP data found.
gpgv: Signature made Fr 04 Apr 2025 19:29:52 CEST
gpgv:                using RSA key FBA2E162F2F44657B38F0309E5665F9BD5970C47
gpgv: Good signature from "Syncthing Release Management <release at syncthing.net>"
gpgv: Signature made Fr 04 Apr 2025 19:29:52 CEST
gpgv:                using RSA key 37C84554E7E0A261E4F76E1ED26E6ED000654A3E
gpgv: Can't check signature: No public key

This was reported as non-optimal behavior in
https://bugs.debian.org/1010955 and afaiui was fixed by using sopv
instead of gpgv if available. And indeed with sqop installed uscan
succeeds (sqopv should also work).

The other issue seems to be the line "gpgv: no valid OpenPGP data
found.": even with both FBA2E162F2F44657B38F0309E5665F9BD5970C47 and
37C84554E7E0A261E4F76E1ED26E6ED000654A3E in the verification keyring, gpgv
2.4.7 still exits with an error:

gpgv: no valid OpenPGP data found.
gpgv: Signature made Fr 04 Apr 2025 19:29:52 CEST
gpgv:                using RSA key FBA2E162F2F44657B38F0309E5665F9BD5970C47
gpgv: Good signature from "Syncthing Release Management <release at syncthing.net>"
gpgv: binary signature, digest algorithm SHA256, key algorithm rsa4096
gpgv: Signature made Fr 04 Apr 2025 19:29:52 CEST
gpgv:                using RSA key 37C84554E7E0A261E4F76E1ED26E6ED000654A3E
gpgv: Good signature from "Syncthing Release Management <release at syncthing.net>"
gpgv: binary signature, digest algorithm SHA256, key algorithm rsa2048
keyring /tmp/SY/both.gpg exitcode 2

2.2.x throws some additional warnings but still verifies both sigs:
gpgv: invalid radix64 character 2D skipped
gpgv: invalid radix64 character 2D skipped
gpgv: invalid radix64 character 2D skipped
gpgv: invalid radix64 character 2D skipped
gpgv: invalid radix64 character 2D skipped
gpgv: invalid radix64 character 2D skipped
gpgv: invalid radix64 character 2D skipped
gpgv: invalid radix64 character 2D skipped
gpgv: invalid radix64 character 2D skipped
gpgv: invalid radix64 character 2D skipped
gpgv: [don't know]: invalid packet (ctb=10)
gpgv: Signature made Fr 04 Apr 2025 19:29:52 CEST
gpgv:                using RSA key FBA2E162F2F44657B38F0309E5665F9BD5970C47
gpgv: Good signature from "Syncthing Release Management <release at syncthing.net>"
gpgv: binary signature, digest algorithm SHA256, key algorithm rsa4096
gpgv: Signature made Fr 04 Apr 2025 19:29:52 CEST
gpgv:                using RSA key 37C84554E7E0A261E4F76E1ED26E6ED000654A3E
gpgv: Good signature from "Syncthing Release Management <release at syncthing.net>"
gpgv: binary signature, digest algorithm SHA256, key algorithm rsa2048
gpgv: no valid OpenPGP data found.
keyring /tmp/SY/both.gpg exit 2


Vanilla 2.5.5 succeeds:
gpgv: Signature made Fr 04 Apr 2025 19:29:52 CEST
gpgv:                using RSA key FBA2E162F2F44657B38F0309E5665F9BD5970C47
gpgv: Good signature from "Syncthing Release Management <release at syncthing.net>"
gpgv: binary signature, digest algorithm SHA256, key algorithm rsa4096
gpgv: Signature made Fr 04 Apr 2025 19:29:52 CEST
gpgv:                using RSA key 37C84554E7E0A261E4F76E1ED26E6ED000654A3E
gpgv: Good signature from "Syncthing Release Management <release at syncthing.net>"
gpgv: binary signature, digest algorithm SHA256, key algorithm rsa2048
keyring /tmp/SY/both.gpg exit 0

I am going to double-check whether this is a Debian specific issue or if
2.5 is required to get a positive gpgv-exitcode for this signature.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
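Added example, not code from the thread, uscan or GnuPG: a small Python classifier that reads gpgv's machine-readable `--status-fd` lines and applies a sopv-like acceptance rule (at least one good signature from a key in the upstream keyring, no bad signature), which is the per-signature view that gpgv's all-or-nothing exit code cannot express. `--status-fd` and the GOODSIG/ERRSIG/NO_PUBKEY/NODATA keywords are real gpgv status output; the sample lines and their field values are constructed to mirror the first run quoted above.

```python
# Constructed sample of `gpgv --status-fd 1 ...` output for the first run in
# the thread: one signer in the keyring, one missing, plus a stray block that
# gpgv reports as NODATA.  Long key IDs are the last 16 hex digits of the two
# fingerprints quoted in the thread; the other field values are made up.
SAMPLE_STATUS = """\
[GNUPG:] NODATA 1
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E5665F9BD5970C47 Syncthing Release Management <release@syncthing.net>
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG D26E6ED000654A3E 1 8 00 1743787792 9 37C84554E7E0A261E4F76E1ED26E6ED000654A3E
[GNUPG:] NO_PUBKEY D26E6ED000654A3E
"""

# Scenario: only the rsa4096 key is in debian/upstream/signing-key.asc.
TRUSTED_FPRS = ["FBA2E162F2F44657B38F0309E5665F9BD5970C47"]


def verdict(status_text, trusted_fprs):
    """Classify every signature gpgv reported and accept the way sopv does:
    at least one good signature from a trusted key and no bad signature.
    Signatures by keys outside the keyring are reported but not fatal."""
    good, bad, unknown, nodata = [], [], [], False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        kw = parts[1]
        if kw == "GOODSIG":
            good.append(parts[2])
        elif kw in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            bad.append(parts[2])       # must never be accepted
        elif kw == "NO_PUBKEY":
            unknown.append(parts[2])   # signer not in the keyring we passed
        elif kw == "NODATA":
            nodata = True              # non-OpenPGP bytes in the .asc file
    # A long key ID is the tail of the fingerprint, so match by suffix.
    trusted_good = [k for k in good if any(f.endswith(k) for f in trusted_fprs)]
    return {
        "good": good, "bad": bad, "unknown": unknown, "nodata": nodata,
        "accept": bool(trusted_good) and not bad,
    }


if __name__ == "__main__":
    print(verdict(SAMPLE_STATUS, TRUSTED_FPRS))
```

The `nodata` flag is reported separately so a wrapper can log the stray block as a packaging warning without conflating it with a signature failure.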