[pkg-gnupg-maint] Bug#1101011: gnupg2: gpgv returns bad signature for a previously validated file
Aurelien Jarno
aurel32 at debian.org
Fri Mar 21 18:34:42 GMT 2025
Package: gnupg2
Version: 2.2.46-2
Severity: grave
X-Debbugs-Cc: debian-wb-team at lists.debian.org
Control: affects -1 buildd.debian.org
Control: affects -1 src:dupload
Hi,
Starting with gnupg2 version 2.2.46-2, gpgv reports a bad signature with
the attached changes file with the attached pubring and the following
command:
| $ gpgv --keyring ./pubring.gpg lwt-log_1.1.2-4+b14_riscv64-buildd.changes
| gpgv: Signature made Fri Mar 21 16:49:21 2025 CET
| gpgv: using RSA key 26F3C34BC64F1ED58095CC58B44F38757CF7C9E7
| gpgv: BAD signature from "buildd autosigning key rv-manda-03 <buildd_riscv64-rv-manda-03 at buildd.debian.org>"
With version 2.2.46-1 it outputs:
| $ gpgv --keyring ./pubring.gpg lwt-log_1.1.2-4+b14_riscv64-buildd.changes
| gpgv: Signature made Fri Mar 21 16:49:21 2025 CET
| gpgv: using RSA key 26F3C34BC64F1ED58095CC58B44F38757CF7C9E7
| gpgv: Good signature from "buildd autosigning key rv-manda-03 <buildd_riscv64-rv-manda-03 at buildd.debian.org>"
Note that sq is able to successfully validate that file:
| $ sq verify --signer-file=./pubring.gpg --message lwt-log_1.1.2-4+b14_riscv64-buildd.changes
| Authenticated signature made by 26F3C34BC64F1ED58095CC58B44F38757CF7C9E7 (buildd autosigning key rv-manda-03 <buildd_riscv64-rv-manda-03 at buildd.debian.org> (UNAUTHENTICATED))
[snip]
| 1 authenticated signature.
Note that this file has been signed by gnupg2 version 2.2.46-2.
Resigning the file doesn't help. This breaks the signature verification
done by openpgp-check (part of dupload) on the build daemons.
Regards
Aurelien
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 21 Mar 2025 15:44:52 +0000
Source: lwt-log (1.1.2-4)
Binary: liblwt-log-ocaml liblwt-log-ocaml-dbgsym liblwt-log-ocaml-dev
Binary-Only: yes
Architecture: riscv64
Version: 1.1.2-4+b14
Distribution: sid
Urgency: low
Maintainer: riscv64 Build Daemon (rv-manda-03) <buildd_riscv64-rv-manda-03 at buildd.debian.org>
Changed-By: riscv64 Build Daemon (rv-manda-03) <buildd_riscv64-rv-manda-03 at buildd.debian.org>
Description:
liblwt-log-ocaml - optimised functions to read and write int16/32/64 (runtime)
liblwt-log-ocaml-dev - Lwt-friendly logging library (development)
Changes:
lwt-log (1.1.2-4+b14) sid; urgency=low, binary-only=yes
.
* Binary-only non-maintainer upload for riscv64; no source changes.
* Rebuild with new ABIs of dependencies
Checksums-Sha1:
26c7ef89281028928da3dca8b92eab91bd8c61b2 13036 liblwt-log-ocaml-dbgsym_1.1.2-4+b14_riscv64.deb
43400189602d538112528329dd7c7680743a9e60 267872 liblwt-log-ocaml-dev_1.1.2-4+b14_riscv64.deb
f10f643c8970bc3d8fe9ac317de5e67b3f096f24 90792 liblwt-log-ocaml_1.1.2-4+b14_riscv64.deb
9fe907678ffafd01e2b2a38c1cc45ac41032c7b3 7219 lwt-log_1.1.2-4+b14_riscv64-buildd.buildinfo
Checksums-Sha256:
d79e3b5e6bf823e6dede086d036cc07f7836122f1278b693618793b5c9076265 13036 liblwt-log-ocaml-dbgsym_1.1.2-4+b14_riscv64.deb
86085ae9d6b76b1439d7ef0ed5e59882d9a82ed9070bf0562cf9859e22e4ea0d 267872 liblwt-log-ocaml-dev_1.1.2-4+b14_riscv64.deb
953f3300f8284b35fb992d21143dc19680ed5fdea9d0c8dbdf3fab2f7722fe31 90792 liblwt-log-ocaml_1.1.2-4+b14_riscv64.deb
5ce0081e1e3bceee63235cc1ba1c11d30f01f0f84dba29f9ad672895e94f8142 7219 lwt-log_1.1.2-4+b14_riscv64-buildd.buildinfo
Files:
6d610dbcb2312db94bb587449c3ca077 13036 debug optional liblwt-log-ocaml-dbgsym_1.1.2-4+b14_riscv64.deb
316e80c7a61074be34ee8a88182a910a 267872 ocaml optional liblwt-log-ocaml-dev_1.1.2-4+b14_riscv64.deb
f3b4dda224621f7c1644493aaa03bb4a 90792 ocaml optional liblwt-log-ocaml_1.1.2-4+b14_riscv64.deb
bf9d0af85f635b301b319213475ef2e7 7219 ocaml optional lwt-log_1.1.2-4+b14_riscv64-buildd.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pubring.gpg
Type: application/pgp-keys
Size: 1210 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnupg-maint/attachments/20250321/a5251d6b/attachment.asc>