
Instruction to install https://repos.gnupg.org/deb/gnupg/trixie/ fail in 1st variant because of keybox use (Error: Failed to parse keyring "/usr/share/keyrings/gnupg-keyring.gpg")
Closed, Resolved, Public

Description

Tried to install new GnuPG package on a

Description:    Debian GNU/Linux 13 (trixie)
cat /etc/debian_version
13.3

system, using the instructions at the bottom at

https://repos.gnupg.org/deb/gnupg/trixie/

I end up with the keyring as intended, but sqv does not parse it.
So the installation instructions are broken.

The error message is:

# LANG=C apt-get update
[..]
Get:4 https://repos.gnupg.org/deb/gnupg/trixie trixie InRelease [3761 B]
Err:4 https://repos.gnupg.org/deb/gnupg/trixie trixie InRelease
  Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Failed to parse keyring "/usr/share/keyrings/gnupg-keyring.gpg"  Caused by:     0: Reading "/usr/share/keyrings/gnupg-keyring.gpg": EOF     1: EOF
Reading package lists... Done
W: OpenPGP signature verification failed: https://repos.gnupg.org/deb/gnupg/trixie trixie InRelease: Sub-process /usr/bin/sqv returned an error code (1), error message is: Error: Failed to parse keyring "/usr/share/keyrings/gnupg-keyring.gpg"  Caused by:     0: Reading "/usr/share/keyrings/gnupg-keyring.gpg": EOF     1: EOF
E: The repository 'https://repos.gnupg.org/deb/gnupg/trixie trixie InRelease' is not signed.

A test as a regular user shows the keyring is readable as expected:

# LANG=C gpg --no-default-keyring --keyring /usr/share/keyrings/gnupg-keyring.gpg -k
/usr/share/keyrings/gnupg-keyring.gpg
-------------------------------------
pub   ed25519 2025-07-08 [SC] [expires: 2035-07-14]
    32097B719B3745D6E61DDA1B85C45AE3E1A2B355
    Revocable by: 02F38DFF731FF97CB039A1DA549E695E905BA208
uid           [ unknown] GnuPG.org Package Signing Key <package-maintainers@gnupg.org>

Event Timeline

Trying to do the verification outside of apt-get:

curl -O https://repos.gnupg.org/deb/gnupg/trixie/dists/trixie/Release
curl -O https://repos.gnupg.org/deb/gnupg/trixie/dists/trixie/Release.gpg
sqv --verbose --keyring=/usr/share/keyrings/gnupg-keyring.gpg --signature-file=Release.gpg Release

Error: Failed to parse keyring "/usr/share/keyrings/gnupg-keyring.gpg"

Caused by:
    0: Reading "/usr/share/keyrings/gnupg-keyring.gpg": EOF
    1: EOF


ls /etc/crypto-policies/back-ends/sequoia.config 
ls: cannot access '/etc/crypto-policies/back-ends/sequoia.config': No such file or directory

A workaround I've found is to give the public key directly in /etc/apt/sources.list.d/gnupg.sources.

/!\ the leading spaces and the . dot in the newline are necessary,
see man sources.list in Debian.

Types: deb deb-src
URIs: https://repos.gnupg.org/deb/gnupg/trixie/
Suites: trixie
Components: main
Signed-By:
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 .
 mDMEaG0LdBYJKwYBBAHaRw8BAQdAJZTvJxjm4bFaxzJi7nBBYjJo9S+T9YfrSuZi
 +bMbZO+IjwQfFgoAOBYhBDIJe3GbN0XW5h3aG4XEWuPhorNVBQJobSdXFwyAEwLz
 jf9zH/l8sDmh2lSeaV6QW6IIAgcAAAoJEIXEWuPhorNVpl4A91y17iahfE55pD5s
 cNWKen032Dxfb0xhVjSRzUWXb0MBAOBr1LzWQrYYhOEYs6Rz0CdvopSZxtSQkjuB
 1UATw4QCtD1HbnVQRy5vcmcgUGFja2FnZSBTaWduaW5nIEtleSA8cGFja2FnZS1t
 YWludGFpbmVyc0BnbnVwZy5vcmc+iJkEExYKAEEWIQQyCXtxmzdF1uYd2huFxFrj
 4aKzVQUCaG0L8gIbAwUJEtaLgAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAK
 CRCFxFrj4aKzVdbcAQDXaWr31chEG8AeB3HYoFlyyZIZRn4YmGoJC11nMg/vjAEA
 jyVpweZ9Sla9ypavagShtG4gq2uba6iguythl5ILkgk=
 =6J8e
 -----END PGP PUBLIC KEY BLOCK-----

I guess you need to report this to Debian as their new sqv tool seems to be broken.

I guess you need to report this to Debian as their new sqv tool seems to be broken.

Done, with https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128841

However those instructions to install on Debian Trixie are ours, and for GnuPG users.
So we should make them work until the defect with apt or sqv is fixed.

I guess you need to report this to Debian

Got feedback from Debian (see link to the Debian report).
It is a defect in the first variant of our Trixie instructions.

Debian does not support the new keybox format, so it is a defect in the instructions.
The first variant of getting the GnuPG package signing pubkey creates a keybox, this can be seen here:
https://gnupg.org/blog/20250827-new-repository.html

sudo gpg \
  --no-default-keyring \
  --keyring /usr/share/keyrings/gnupg-keyring.gpg \
  --fetch-keys https://repos.gnupg.org/deb/gnupg/<distro>/gnupg-signing-key.gpg

[..]
gpg: keybox '/usr/share/keyrings/gnupg-keyring.gpg' created

The wget and curl variants do not need the dearmor, as

 curl https://repos.gnupg.org/deb/gnupg/trixie/gnupg-signing-key.gpg
-----BEGIN PGP PUBLIC KEY BLOCK-----
[..]
=6J8e
-----END PGP PUBLIC KEY BLOCK-----

and trying a second variant:

curl https://repos.gnupg.org/deb/gnupg/trixie/gnupg-signing-key.gpg | gpg --dearmor --yes --output /usr/share/keyrings/gnupg-keyring.gpg

file /usr/share/keyrings/gnupg-keyring.gpg
/usr/share/keyrings/gnupg-keyring.gpg: OpenPGP Public Key Version 4, Created Tue Jul  8 12:13:40 2025, EdDSA; Signature; User ID; OpenPGP Certificate

works.

My guess is that the first variant of the trixie instructions never worked, maybe wasn't tested.
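
Added example (not part of the original task or of the GnuPG instructions): a shell check that tells a keybox apart from a plain OpenPGP keyring by its leading bytes, which is the difference behind the sqv "EOF" error above. The function names keyring_format, keybox_to_openpgp and audit_keyrings are hypothetical, and the gpg --export conversion is an alternative that is not taken from this thread.

```shell
#!/bin/sh
# Added example; all function names here are hypothetical.

# keyring_format FILE
# Prints keybox, openpgp-binary, openpgp-armored or unknown, judged from
# the first 12 bytes of FILE only (no OpenPGP parsing is attempted).
keyring_format() {
    [ -r "$1" ] || { echo unknown; return 0; }
    hex=$(od -An -tx1 -N12 "$1" | tr -d ' \n')
    case "$hex" in
        # keybox header blob: bytes 8..11 hold the magic "KBXf"
        ????????????????4b425866) echo keybox ;;
        # ASCII armor starts with "-----BEGIN"
        2d2d2d2d2d424547494e*) echo openpgp-armored ;;
        # public-key packet (tag 6): 0x98/0x99 old format, 0xc6 new format
        98*|99*|c6*) echo openpgp-binary ;;
        *) echo unknown ;;
    esac
}

# keybox_to_openpgp SRC DST
# Alternative to re-downloading (not from the thread): export every key in
# the keybox SRC as binary OpenPGP packets into DST.
keybox_to_openpgp() {
    gpg --no-default-keyring --keyring "$1" --output "$2" --export
}

# audit_keyrings FILE...
# Prints one "format<TAB>path" line per file; returns 1 if any is a keybox.
audit_keyrings() {
    rc=0
    for f in "$@"; do
        fmt=$(keyring_format "$f")
        printf '%s\t%s\n' "$fmt" "$f"
        [ "$fmt" = keybox ] && rc=1
    done
    return "$rc"
}

# Run as a script: sh check-keyrings.sh /usr/share/keyrings/*.gpg
if [ "$#" -gt 0 ]; then audit_keyrings "$@"; fi
```

A file reported as keybox is the case sqv rejects in this task; the key fingerprint should still be compared against a trusted source after any conversion.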

IIRC, support for the keybox format was added on Debian's request with 2.1.7 in 2015 to gpgv. In fact gpgv was written on Debian's request (1.0.4 from fall 2000).

bernhard renamed this task from Instruction to install https://repos.gnupg.org/deb/gnupg/trixie/ fail for sqv Error: Failed to parse keyring "/usr/share/keyrings/gnupg-keyring.gpg" to Instruction to install https://repos.gnupg.org/deb/gnupg/trixie/ fail in 1st variant because of keybox use (Error: Failed to parse keyring "/usr/share/keyrings/gnupg-keyring.gpg"). Tue, Feb 24, 10:30 AM

IIRC, support for the keybox format was added on Debian's request with 2.1.7 in 2015 to gpgv. In fact gpgv was written on Debian's request (1.0.4 from fall 2000).

Thanks for the additional context.

It seems Debian wants a portable format here now - which is somehow understandable - so that several tools can parse it.

werner triaged this task as Low priority.

I have added this note to the template, currently updating the repos with new packages:

Note: On distributions that have replaced gpgv with sqv for the signature verification process in apt, this may result in an error during apt update later, because sqv doesn’t support the keybox format. In these cases or if you prefer it, you can also use wget, curl, or similar tools: