[Pkg-rust-maintainers] Bug#1076358: gpgv-sq: fails to verify some good signatures with reason "Bad public key"

of1 of1+debreportbug at disroot.org
Mon Jul 15 00:52:00 BST 2024 

Package: gpgv-sq
Version: 0.9.0-1
Severity: important

Dear Maintainer,

following this problem resolution:
[SID - Unstable] apt getting an errsig with the microsoft repo
https://forums.debian.net/viewtopic.php?t=159398

gpgv-sq fails to verify some good signatures, at least Microsoft's.


How to reproduce the issue:

$ wget -qP /tmp/ https://packages.microsoft.com/keys/microsoft.asc https://packages.microsoft.com/repos/edge/dists/stable/InRelease
$ gpg -o /tmp/microsoft.gpg --dearmor /tmp/microsoft.asc
$ gpgv-sq --keyring /tmp/microsoft.gpg /tmp/InRelease
gpgv: Signature made Fri Jul 12 19:23:04 2024 +02:00
gpgv:                using RSA key EB3E94ADBE1229CF
gpgv: Can't check signature: Bad public key


The "normal" gpgv validates the signature:

$ gpgv --keyring /tmp/microsoft.gpg /tmp/InRelease
gpgv: Signature made Fri 12 Jul 2024 07:23:04 PM CEST
gpgv:                using RSA key EB3E94ADBE1229CF
gpgv: Good signature from "Microsoft (Release signing) <gpgsecurity at microsoft.com>"

$ gpg -vv --show-keys /tmp/microsoft.gpg
gpg: enabled compatibility flags:
# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
	version 4, algo 1, created 1446074508, expires 0
	pkey[0]: [2048 bits]
	pkey[1]: [17 bits]
	keyid: EB3E94ADBE1229CF
# off=272 ctb=b4 tag=13 hlen=2 plen=55
:user ID packet: "Microsoft (Release signing) <gpgsecurity at microsoft.com>"
# off=329 ctb=89 tag=2 hlen=3 plen=309
:signature packet: algo 1, keyid EB3E94ADBE1229CF
	version 4, created 1446074508, md5len 0, sigclass 0x13
	digest algo 2, begin of digest 1a 9b
	hashed subpkt 2 len 4 (sig created 2015-10-28)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
	hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
	hashed subpkt 22 len 2 (pref-zip-algos: 2 1)
	hashed subpkt 30 len 1 (features: 01)
	hashed subpkt 23 len 1 (keyserver preferences: 80)
	subpkt 16 len 8 (issuer key ID EB3E94ADBE1229CF)
	data: [2047 bits]
pub   rsa2048 2015-10-28 [SC]
      BC528686B50D79E339D3721CEB3E94ADBE1229CF
uid                      Microsoft (Release signing) <gpgsecurity at microsoft.com>


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.9.9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gpgv-sq depends on:
ii  libbz2-1.0      1.0.8-5.1
ii  libc6           2.38-14
ii  libgcc-s1       14.1.0-4
ii  libgmp10        2:6.3.0+dfsg-2+b1
ii  libhogweed6t64  3.10-1
ii  libnettle8t64   3.10-1
ii  libsqlite3-0    3.46.0-1
ii  libssl3t64      3.2.2-1

Versions of packages gpgv-sq recommends:
ii  sq  0.33.0-3

gpgv-sq suggests no packages.

-- no debconf information

More information about the Pkg-rust-maintainers mailing list