[Bug 344065] Re: dpkg-source uses wrong keyring
Raphaël Hertzog
hertzog at debian.org
Sat Nov 26 10:02:20 UTC 2011
This has been fixed in dpkg 1.15.1 when vendor customization of keyring
has been put in place.
** Changed in: dpkg (Ubuntu)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/344065
Title:
dpkg-source uses wrong keyring
Status in “dpkg” package in Ubuntu:
Fix Released
Bug description:
Binary package hint: dpkg-dev
Package: dpkg-dev
Version: 1.14.20ubuntu6.1
Description: Ubuntu 8.10
The changelog for dpkg-dev contains this item:
dpkg (1.14.20ubuntu5) intrepid; urgency=low
* scripts/Dpkg/Source/Package.pm: Point gpg at
/usr/share/keyrings/ubuntu-archive-keyring.gpg if it exists.
and indeed, that's what the package does. Unfortunately, source
packages are not (usually? ever?) signed by the archive, so this
results in dpkg-source not finding the key.
cg2v at sphinx:~$ apt-get source coreutils
[...]
gpg: Signature made Thu 26 Jun 2008 08:23:34 PM EDT using DSA key ID 29982E5A
gpg: Can't check signature: public key not found
cg2v at sphinx:~$ gpg -q --verify --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg --keyring /usr/share/keyrings/debian-keyring.gpg coreutils_6.10-6ubuntu1.dsc
gpg: Signature made Thu 26 Jun 2008 08:23:34 PM EDT using DSA key ID 29982E5A
gpg: Good signature from "Steve Langasek <vorlon at dodds.net>"
I believe this change should be reverted, or possibly modified to
include both keyrings if they are present, if that makes sense.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/344065/+subscriptions
More information about the foundations-bugs
mailing list