Mon, Mar 18
Thu, Mar 7
Feb 28 2024
So after taking this down to where it was only patching status.h and mainproc.c to add a write_status_output() I realized the whole issue is down to status-codes.h not being updated automatically if you apply a patch to status.h in a released version.
Having looked at the build log again after applying the patch, I see the first test failing is
Feb 16 2024
Feb 13 2024
So I cherry-picked this onto 2.4.4 and I ended up with a failing build due to failed tests (it built fine without the patch)
Feb 10 2024
We check the actual used signature and the corresponding (sub)key. Whether you trust this key is a different thing and we are not able to check that. Note that the same subkey may be used with different primary keys. The whole point of gpgv is to that you pass a list of trusted keys - actually this makes this new option superfluous but in gpg it makes sense. It was easy to add it to gpgv, though.
Feb 5 2024
Do note there could be subkeys as well.
Jan 19 2024
I noticed the Debian bug and was about to answer but a feature request is also a good thing.
Jan 18 2024
For what it's worth when I filed the Debian bug I mistakenly believed min-rsa-key-length in gpg would do that but it only applies to de-vs compliance profile and is *silently* ignored otherwise.
Jan 5 2024
Jan 2 2024
Dec 29 2023
Bug is in 2.2, too.
I found that the warning is emitted when it tries to call keybox_compress.
It should not be called when it's READONLY (which gpgv specifies).
Nov 13 2023
Problem seems to be that there is no ~/trustedkeys.gpg file and that the fallback to the kbx file does not anymore work. I can replicate that with 2.40 and 2.4.4-beta.
Aug 13 2021
Jul 4 2019
Because we use dot-locking in GnuPG and copy-update-write for keyrings. Granted: For gpgv this is not required but the code is identical to the gpg code and adding new code does not make much sense. After all gpgv is a stripped down version of gpg I once wrote for Debian. I see your use case but tehre are other ways to do this and thus anthing here has low priority.
Jul 3 2019
out of curiosity, why does gpgv need the name of the file?
In that case, you can treat this ticket as a bug in the documentation, which still needs to be resolved.
We need random access and the name of the file. Thus a file descriptor is not sufficient.
Mar 7 2019
Applied to 2.2 and master. Thanks.
Mar 3 2019
Oct 22 2018
Oct 8 2018
Editor fault. The browser's editor is not like Emacs and here o my laptop the backspace key does not work as intended. I guess I was about to write ".. a back signature's usage flag".
what does "back signature's usage tool" mean? can we make an addition to the test suite that ensures that bad signatures will be rejected?
The fix was not fully correct because it considered a back signature's usage tool.
Jul 12 2018
Jul 4 2018
Fix will also go into 2.2.9
Jun 9 2018
Sep 13 2017
The new unified compliance checker was not initialized. Fixed in the 2.2 branch.
Sep 12 2017
Sep 9 2017
Aug 21 2017
Aug 15 2017
As part of switching debsig-verify from using --list-packets to gpg with --list-keys --with-colons and gpgv, it would be helpful to eventually be able to get the fingerprint instead of the keyid. This is needed because debsig-verify uses the keyid to select which one of its policy files it has to load, to apply for the subsequent actual verification of the .deb package.
Jun 19 2017
Fixed in 6e23416fe61d4130918f2d1bf6e1f98d102c4610.