Mar 7 2019
Applied to 2.2 and master. Thanks.
Mar 3 2019
Oct 22 2018
Oct 8 2018
Editor fault. The browser's editor is not like Emacs and here o my laptop the backspace key does not work as intended. I guess I was about to write ".. a back signature's usage flag".
what does "back signature's usage tool" mean? can we make an addition to the test suite that ensures that bad signatures will be rejected?
The fix was not fully correct because it considered a back signature's usage tool.
Jul 12 2018
Jul 4 2018
Fix will also go into 2.2.9
Jun 9 2018
Sep 13 2017
The new unified compliance checker was not initialized. Fixed in the 2.2 branch.
Sep 12 2017
Sep 9 2017
Aug 21 2017
Aug 15 2017
As part of switching debsig-verify from using --list-packets to gpg with --list-keys --with-colons and gpgv, it would be helpful to eventually be able to get the fingerprint instead of the keyid. This is needed because debsig-verify uses the keyid to select which one of its policy files it has to load, to apply for the subsequent actual verification of the .deb package.
Jun 19 2017
Fixed in 6e23416fe61d4130918f2d1bf6e1f98d102c4610.
Jun 17 2017
Mar 30 2017
Feb 13 2017
I understand, So this is another special case like the one when a keyring has
permissions which don't allow it to be read.
Feb 4 2017
the reason "no public key" is confusing is because gpgv already knows that there
can be no public key. So the message that the naive user needs to see in this
case is "no keyring available".
If there is at least one keyring available, then saying something like "no
public key found in keyrings X and Y and Z" is reasonable. but if there are no
keyrings at all, the message should just be something like "no keyring found to
validate signature against".
Jan 25 2017
I agree on the first part. This needs to be fixed.
I do not understand wht you think "no public key" is the wrong message. We have
always used this message if the public key is not available for verification.
Do you think the text should be changed to "public key not found" ? That would
be a simple change in libgpg-error.
Libgpg-error has a GPG_ERR_MISSING_KEY but that code indicates wrong usage of
functions or bad data structures.