[Pkg-rust-maintainers] Bug#1118154: sqopv does not seem to support some signing keys

Ben Hutchings ben at decadent.org.uk
Wed Oct 15 15:55:46 BST 2025


To support the bug title, I did a comparison of the different OpenPGP
implementations for all the upstream signed tags for src:linux.

Git normally wants to run gpg and expects any alternative to implement
the same options and output format, so I implemented wrapper scripts to
make it work with the different verifier commands, all using
debian/upstream/signing-key.asc as the keyring.

In this case the keyring contains:

pub   rsa4096/38DBBDC86092693E 2011-09-23 [SC]
      647F28654894E3BD457199BE38DBBDC86092693E
uid                 [ unknown] Greg Kroah-Hartman (Linux kernel stable release signing key) <greg at kroah.com>
sub   rsa4096/F38153E276D54749 2011-09-23 [E]

pub   rsa2048/79BE3E4300411886 2011-09-20 [SC]
      ABAF11C65A2970B130ABE3C479BE3E4300411886
uid                 [ unknown] Linus Torvalds <torvalds at linux-foundation.org>
sub   rsa2048/88BCE80F012F54CA 2011-09-20 [E]

pub   rsa4096/E7BFC8EC95861109 2009-07-12 [SC]
      AC2B29BD34A6AFDDB3F68F35E7BFC8EC95861109
uid                 [ unknown] Ben Hutchings (DOB: 1977-01-11)
uid                 [ unknown] Ben Hutchings <ben at decadent.org.uk>
uid                 [ unknown] Ben Hutchings <benh at debian.org>
sub   rsa4096/CF0469521357C3D7 2009-07-12 [E]

pub   rsa4096/DEA66FF797772CDC 2012-02-09 [SC]
      E27E5D8A3403A2EF66873BBCDEA66FF797772CDC
uid                 [ unknown] Sasha Levin <sashal at kernel.org>
uid                 [ unknown] Sasha Levin <alexander.levin at microsoft.com>
uid                 [ unknown] Sasha Levin <alexander.levin at verizon.com>
uid                 [ unknown] Sasha Levin <sasha.levin at oracle.com>
sub   rsa4096/D0065D755EB09DBB 2012-02-09 [E]

The numbers of tags accepted per ID and verifier are:

ID                                                   gpgv  rsopv  sqopv
-----------------------------------------------------------------------
Greg Kroah-Hartman <gregkh at linuxfoundation.org>   3683   3553      0
Greg Kroah-Hartman <gregkh at suse.de>                 36     36      0
Linus Torvalds <torvalds at linux-foundation.org>     644    452      0
Ben Hutchings <ben at decadent.org.uk>                137    137     68
Sasha Levin <sashal at kernel.org>                     41     41     41
Sasha Levin <alexander.levin at microsoft.com>          4      4      4
Sasha Levin <alexander.levin at verizon.com>           27      0      0
Sasha Levin <sasha.levin at oracle.com>                39      0      0

There is already some disagreement between gpgv and rsopv, but the large
majority of tags are accepted by both.  But sqopv rejects *all*
signatures made by Greg or Linus, and by some of Sasha's IDs.  (It also
rejects some of mine, but it appears that those are all v3 signatures
which I don't care about.)

Ben.

-- 
Ben Hutchings
Any smoothly functioning technology is indistinguishable
from a rigged demo.
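
The kind of wrapper the message describes, as an added example that is not part of the original message and is not the author's scripts: a shim git can run in place of gpg, backed by a SOP verifier. It assumes git calls the program with `--status-fd=1 --verify SIGFILE -` and the payload on stdin, and that the verifier implements the SOP `verify` subcommand; `SOPV`, `KEYRING` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the author's scripts: a gpg.program shim that lets git
# verify tags with a SOP verifier (sqopv, rsopv, ...).
# Assumptions: git runs "<gpg.program> ... --status-fd=1 --verify SIGFILE -"
# with the signed payload on stdin; SOPV and KEYRING are hypothetical names.
SOPV=${SOPV:-sqopv}
KEYRING=${KEYRING:-debian/upstream/signing-key.asc}

# SOP "verify" prints one line per accepted signature:
#   <ISO-8601 time> <signing key fingerprint> <primary key fingerprint> [...]
# Turn each into gpg status lines. SOP reports no user ID, so the primary
# key fingerprint stands in for the name field of GOODSIG.
sop_to_gpg_status() {
    n=0
    while read -r ts signer primary rest; do
        [ -n "$primary" ] || continue          # skip blank or malformed lines
        printf '[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG %s %s\n' "$signer" "$primary"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]                             # fail closed on empty output
}

git_gpg_shim() {
    sig=
    while [ $# -gt 0 ]; do                     # ignore gpg-only options
        [ "$1" = --verify ] && [ $# -ge 2 ] && sig=$2
        shift
    done
    if [ -z "$sig" ]; then
        echo "shim: only --verify is supported" >&2
        return 2
    fi
    # stdin (the tag payload) is inherited by the verifier.
    if ! out=$("$SOPV" verify "$sig" "$KEYRING"); then
        echo "shim: $SOPV did not accept the signature" >&2
        return 1                               # no GOODSIG, so git rejects the tag
    fi
    printf '%s\n' "$out" | sop_to_gpg_status
}

# Run as a script when git passes arguments; sourcing only defines functions.
[ $# -eq 0 ] || git_gpg_shim "$@"
```

Git is pointed at such a shim through its `gpg.program` setting, so the same tag can be checked against each verifier by changing only `SOPV`.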