[Pkg-rust-maintainers] Bug#1088973: uscan orig tarball signature verification fails with gpg-from-sq

Tue Dec 3 15:20:09 GMT 2024

Package: gpg-from-sq
Version: 0.11.2-6
Severity: important

Dear Maintainer,

installing gpg-from-sq makes some upstream tarball signature
verifications fail while using uscan.

1. Install gpg-from-sq

2. Clone breeze-grub repo [1]

3. Run uscan:
Newest version of breeze-grub on remote site is 6.2.4, local version is 6.2.3
 => Newer package available from:
        => https://download.kde.org/stable/plasma/6.2.4/breeze-grub-6.2.4.tar.xz
gpgv: Signature made Tue Nov 26 11:06:47 2024 +01:00
gpgv:                using RSA key E0A3EB202F8E57528E13E72FD7574483BB57B18D
gpgv: Can't check signature: No public key
uscan die: OpenPGP signature did not verify. at /usr/share/perl5/Devscripts/Uscan/Output.pm line 77.

4. Remove gpg-from-sq

5. Rerun uscan:
Newest version of breeze-grub on remote site is 6.2.4, local version is 6.2.3
 => Newer package available from:
        => https://download.kde.org/stable/plasma/6.2.4/breeze-grub-6.2.4.tar.xz
gpgv: Signature made Tue Nov 26 11:06:47 2024 +01:00
gpgv:                using RSA key E0A3EB202F8E57528E13E72FD7574483BB57B18D
gpgv: Good signature from "Jonathan Esk-Riddell <jr at jriddell.org>"
Successfully symlinked ../breeze-grub-6.2.4.tar.xz to ../breeze-grub_6.2.4.orig.tar.xz.

[1] https://salsa.debian.org/qt-kde-team/kde/breeze-grub.git

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'unstable-debug'), (500, 'testing'), (500, 'stable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.11.10-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gpg-from-sq depends on:
ii  gpg-sq  0.11.2-6

Versions of packages gpg-from-sq recommends:
ii  gpgv-from-sq  0.11.2-6

gpg-from-sq suggests no packages.

-- no debconf information