[Pkg-rust-maintainers] Bug#1031020: sqop: Fails to verify sig on gnutls28_3.7.8.orig.tar.xz

Andreas Metzler ametzler at bebt.de
Fri Feb 10 14:38:21 GMT 2023


Package: sqop
Version: 0.27.2-1
Severity: normal
X-Debbugs-Cc: ametzler at bebt.de

I thought this should work, but it does not:
sqop verify gnutls28_3.7.8.orig.tar.xz.asc gnutls-3.7.8/debian/upstream/signing-key.asc < gnutls28_3.7.8.orig.tar.xz.asc
           No acceptable signatures found

One of the signing keys (462225C3B46F34879FC8496CD605848ED7E69871) is in gnutls-3.7.8/debian/upstream/signing-key.asc: 

ametzler at argenau:/tmp/GNUTLS$ gpg gnutls28_3.7.8.orig.tar.xz.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: assuming signed data in 'gnutls28_3.7.8.orig.tar.xz'
gpg: Signature made Di 27 Sep 2022 16:07:05 CEST
gpg:                using RSA key A6AB53A01D237A94F9EEC4D0412748A40AFCC2FB
gpg: Good signature from "Alexander Sosedkin <monk at unboiled.info>" [unknown]
gpg:                 aka "[jpeg image of size 984]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E987 AB7F 7E89 6677 76D0  5B3B B0E9 DD20 B29F 1432
     Subkey fingerprint: A6AB 53A0 1D23 7A94 F9EE  C4D0 4127 48A4 0AFC C2FB
gpg: Signature made Di 27 Sep 2022 17:14:15 CEST
gpg:                using RSA key 462225C3B46F34879FC8496CD605848ED7E69871
gpg: Good signature from "Daiki Ueno <ueno at unixuser.org>" [undefined]
gpg:                 aka "Daiki Ueno <ueno at gnu.org>" [undefined]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4622 25C3 B46F 3487 9FC8  496C D605 848E D7E6 9871
gpg: Signature made Di 27 Sep 2022 17:36:07 CEST
gpg:                using EDDSA key 5D46CB0F763405A7053556F47A75A648B3F9220C
gpg: Good signature from "Zoltan Fridrich <zfridric at redhat.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5D46 CB0F 7634 05A7 0535  56F4 7A75 A648 B3F9 220C
ametzler at argenau:/tmp/GNUTLS$ gpg gnutls-3.7.8/debian/upstream/signing-key.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa3104 2008-05-04 [SC] [expires: 2028-04-29]
      1F42418905D8206AA754CCDC29EE58B996865171
uid           Nikos Mavrogiannopoulos <nmav at gnutls.org>
uid           Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com>
uid           Nikos Mavrogiannopoulos <nmav at hushmail.com>
sub   rsa2048 2018-02-06 [S] [expires: 2028-02-04]
sub   rsa2048 2018-02-06 [E] [expires: 2028-02-04]
pub   rsa4096 2009-07-23 [SC] [expires: 2023-09-25]
      462225C3B46F34879FC8496CD605848ED7E69871
uid           Daiki Ueno <ueno at gnu.org>
uid           Daiki Ueno <ueno at unixuser.org>
sub   rsa4096 2010-02-04 [E]


(Same behavior on sid 0.27.3-1)
cu Andreas


