[Pkg-rust-maintainers] Bug#969588: sqv: Cannot use ASCII armored key as keyring?

Guillem Jover guillem at debian.org
Thu Oct 15 22:15:27 BST 2020


Hi!

On Thu, 2020-10-15 at 11:40:59 -0400, Daniel Kahn Gillmor wrote:
> On Sat 2020-09-05 17:09:06 +0200, Guillem Jover wrote:
> > I was trying out sqv, to potentially add native support for it into
> > dpkg-dev, but either it does not work as expected or I'm confused by
> > the docs. :)
> >
> >   $ apt source libbsd
> >   $ sqv -v --keyring libbsd-0.10.0/debian/upstream/signing-key.asc \
> >         libbsd_0.10.0.orig.tar.xz.asc libbsd_0.10.0.orig.tar.xz  
> >   Missing key 4F3E74F436050C10F5696574B972BF3EA4AE57A3, which is needed to verify signature.
> >   0 of 1 signatures are valid (threshold is: 1).
> >   $ sqv -v --keyring /usr/share/keyrings/debian-keyring.gpg \
> >         libbsd_0.10.0.orig.tar.xz.asc libbsd_0.10.0.orig.tar.xz
> >   4F3E74F436050C10F5696574B972BF3EA4AE57A3
> >   1 of 1 signatures are valid (threshold is: 1).
> 
> I forwarded this to upstream at
> https://gitlab.com/sequoia-pgp/sequoia/-/issues/585, and Justus there
> suggests that the problem is that the OpenPGP certificate in
> libbsd-0.10.0/debian/upstream/signing-key.asc is not up-to-date.  With a
> refreshed version of the certificate, it appears to work.

I was also embarrassed for a moment, :) then realized this should have
failed with GnuPG, and rechecking the signing-key.asc recalled it
contains the two certificates concatenated one after the other, which
GnuPG seems to be able to import correctly.

> So i don't think this is a bug in sqv, and i'm closing the ticket.  Feel
> free to reopen if you think that there is still a problem!

I guess that depends on whether sqv is supposed to support
concatenated certificates, or whether they need to be in a single
ASCII armored block?

I'm not sure how prevalent this is in the archive, but I expect other
instances to exist there. ISTR concatenation being documented
somewhere as a way to add new certificates.

Thanks,
Guillem
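
One way to check a keyring file for the layout discussed in this thread, added here as an example and not taken from the thread, sqv or dpkg: it counts the ASCII armored public key blocks in the file and re-armors their decoded payloads as a single block. The function names are hypothetical, and the sample input is constructed filler bytes, not real OpenPGP packets.

```python
import base64

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data):  # armor checksum from RFC 4880, section 6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def _decode(lines):
    # The optional last line "=XXXX" is the base64 CRC24 of the decoded payload.
    crc_line = lines.pop() if (lines and len(lines[-1]) == 5 and lines[-1][0] == "=") else None
    data = base64.b64decode("".join(lines))
    if crc_line and int.from_bytes(base64.b64decode(crc_line[1:]), "big") != crc24(data):
        raise ValueError("armor CRC24 mismatch")
    return data

def parse_armored_blocks(text):
    """Return the decoded payload of every armored public key block in text."""
    blocks, body, state = [], [], "outside"
    for line in (l.strip() for l in text.splitlines()):
        if line == BEGIN:
            body, state = [], "headers"
        elif state == "headers":
            state = "body" if line == "" else "headers"  # blank line ends the armor headers
        elif state == "body" and line == END:
            blocks.append(_decode(body))
            state = "outside"
        elif state == "body":
            body.append(line)
    return blocks

def armor(data):
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"{BEGIN}\n\n{body}\n={crc}\n{END}\n"

def merge_keyring(text):  # returns (blocks found, payloads re-armored as one block)
    blocks = parse_armored_blocks(text)
    return len(blocks), armor(b"".join(blocks))

# Constructed sample: two blocks of filler bytes, not real OpenPGP packets.
SAMPLE = armor(b"constructed-cert-one") + armor(b"constructed-cert-two")
```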


