[Pkg-rust-maintainers] Bug#969590: sqop: Cannot use certificates for signature verification?
Daniel Kahn Gillmor
dkg at debian.org
Fri Oct 16 21:25:47 BST 2020
Control: forwarded https://gitlab.com/sequoia-pgp/sequoia/-/issues/590
Hi Guillem--
On Sat 2020-09-05 17:20:26 +0200, Guillem Jover wrote:
> I was trying out sqop, to potentially add native support for it into
> dpkg-dev
This is great to hear! I think that you were running into (at least)
three different things:
- the upstream signing keys (OpenPGP certificates) shipped in libbsd
0.10.0 appear to be expired
- you're shipping two upstream signing keys there, but sqop verify is
buggy when a stream has two certificates in it:
https://gitlab.com/sequoia-pgp/sequoia/-/issues/590
- you've included the two certificates as separate ASCII-armored blobs,
rather than a single ASCII-armored keyring that contains two
certificates. We probably need to clarify whether "sop" can accept a
CERTS stream shaped like that:
https://gitlab.com/dkg/openpgp-stateless-cli/-/issues/28
In the meantime, here's a patch to libbsd 0.10.0 that at least resolves
the out-of-date certificates and the single-keyring-blob issue.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-refresh-keys-for-Guillem-Jover.patch
Type: text/x-diff
Size: 12942 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-rust-maintainers/attachments/20201016/87f184e6/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-rust-maintainers/attachments/20201016/87f184e6/attachment.sig>
More information about the Pkg-rust-maintainers
mailing list