[Pkg-rust-maintainers] Bug#1128841: sqv does not parse keyring that works with gpgv

Bernhard E. Reiter bernhard at intevation.de
Mon Feb 23 16:49:25 GMT 2026 

Package: sqv
Version: 1.3.0-3+b2
Severity: normal
X-Debbugs-Cc: bernhard at intevation.de

Dear Maintainer,

the switch to sgv for apt changed how keyrings are parsed.

Ran into an example, where instructions from last August
do not work anymore. This looks like a regression.

Should I send a report to the apt package as well?

What I did to get into the situation:

Start with a pretty vanilla basic Trixie 13.3 installation:

Following the instuction at the bottom of
  https://repos.gnupg.org/deb/gnupg/trixie/

E.g. one variant:
 gpg \
  --no-default-keyring \
  --keyring /usr/share/keyrings/gnupg-keyring.gpg \
  --fetch-keys https://repos.gnupg.org/deb/gnupg/trixie/gnupg-signing-key.gpg

leads to /usr/share/keyrings/gnupg-keyring.gpg
which cannot be parsed by sqv and makes apt-upgrade and the instructions
fail with 

apt-update
[..]

Get:4 https://repos.gnupg.org/deb/gnupg/trixie trixie InRelease [3761 B]
Err:4 https://repos.gnupg.org/deb/gnupg/trixie trixie InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Failed to parse keyring "/usr/share/keyrings/gnupg-keyring.gpg"  Caused by:     0: Reading "/usr/share/keyrings/gnupg-keyring.gpg": EOF     1: EOF

Expectation is that apt-update can work with that repository 
and its keyring.


Addition details:

A reproduction of the problem without apt:
curl -O https://repos.gnupg.org/deb/gnupg/trixie/dists/trixie/Release
curl -O https://repos.gnupg.org/deb/gnupg/trixie/dists/trixie/Release.gpg
sqv --verbose --keyring=/usr/share/keyrings/gnupg-keyring.gpg --signature-file=Release.gpg Release

Error: Failed to parse keyring "/usr/share/keyrings/gnupg-keyring.gpg"

Caused by:
    0: Reading "/usr/share/keyrings/gnupg-keyring.gpg": EOF
    1: EOF


ls /etc/crypto-policies/back-ends/sequoia.config
ls: cannot access '/etc/crypto-policies/back-ends/sequoia.config': No such file or directory


The command in the instruction that writes the keyring uses the installed 
conservative gnupg 2.4.7-21+b3 Debian package. Documentation of sources.list 
and other examples indicate that Signed-By with such a keyring should work.

This is a regression from my point of view.

Here is the report towards the instructions
as GnuPG: https://dev.gnupg.org/T8122


Best Regards,
Bernhard

-- System Information:
Debian Release: 13.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.73+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sqv depends on:
ii  libc6           2.41-12+deb13u1
ii  libgcc-s1       14.2.0-19
ii  libgmp10        2:6.3.0+dfsg-3
ii  libhogweed6t64  3.10.1-1
ii  libnettle8t64   3.10.1-1

sqv recommends no packages.

sqv suggests no packages.

-- no debconf information

More information about the Pkg-rust-maintainers mailing list