[Pkg-rust-maintainers] Bug#1070700: gpgv-from-sq: apt complains "Unknown response from gpgv to --assert-pubkey-algo check: gpgv: error: Error parsing command-line arguments"

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue May 7 13:57:26 BST 2024


Package: gpgv-from-sq
Version: 0.8.0-5
Control: affects -1 + apt
Control: forwarded -1 + https://gitlab.com/sequoia-pgp/sequoia-chameleon-gnupg/-/issues/68

As of 50e3fee26ae843a812b1c9ec8531946931773fd3, apt 2.7.13 started
trying to use --assert-pubkey-algo, which appears to have been hastily
added to GnuPG in 2.4.5 in response to https://dev.gnupg.org/T6946
(itself an outgrowth of https://bugs.debian.org/1042391)

It strikes me that a better approach would have been to simply have
GnuPG improve the default policy about what signatures are acceptable,
and bring them into alignment with the upcoming requirements for the
replacement of rfc 4880
(https://datatracker.ietf.org/doc/draft-ietf-openpgp-crypto-refresh/).

Anyway, the way that apt is testing for the presence of this option is
quite brittle: it first tests whether the option is there or not, by
trying to use it and inspecting the format of the string emitted on
stderr.  while gpgv-sq doesn't currently accept the option, its error
messages aren't the same as g10code's implementation of gpgv.

The result is that when gpgv-from-sq is installed, apt complains about
each configured repository:

     Unknown response from gpgv to --assert-pubkey-algo check: gpgv:   error: Error parsing command-line arguments"

So one of three things should happen:

- gpgv-sq could implement --assert-pubkey-algo, which afaict is fairly
  ill-defined.

- gpgv-sq could adjust its error messages to match the regex that apt is
  using during its test.

- apt should relax its test for --assert-pubkey-algo so that it is less
  brittle.

Even better, apt could adopt the `sopv` interface, which has a more
structured, simple, and formal definition, and then depend by default on
a sopv implementation that is already known to support the reasonable
policies described here.

         --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 324 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-rust-maintainers/attachments/20240507/f3cec311/attachment.sig>


More information about the Pkg-rust-maintainers mailing list