FS#79998 - [python-aiohttp-openmetrics] gpg key outdated

Attached to Project: Arch Linux
Opened by YongMing Zhang (aimixsaka) - Wednesday, 18 October 2023, 12:51 GMT
Last edited by Daniel M. Capella (polyzen) - Thursday, 19 October 2023, 00:00 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Daniel M. Capella (polyzen)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

- upstream gpg key changed


Attached patch fixes existing gpg key.
   fix-source.patch (0.8 KiB)
This task depends upon

Closed by  Daniel M. Capella (polyzen)
Thursday, 19 October 2023, 00:00 GMT
Reason for closing:  Deferred
Additional comments about closing:  https://gitlab.archlinux.org/archlinux/d evtools/-/issues/93
Comment by Xeonacid (Xeonacid) - Wednesday, 18 October 2023, 13:09 GMT
We'd better paste the origin upstream key link to verify.
Comment by loqs (loqs) - Wednesday, 18 October 2023, 13:20 GMT
The attached fix-source.patch is for an issue in virt-viewer?
Comment by YongMing Zhang (aimixsaka) - Wednesday, 18 October 2023, 13:23 GMT
Sorry for mistakenly uploaded the wrong patch.
Here is the correct patch :)

gpg key comes from "github user gpg": https://github.com/jelmer.gpg
   fix-gpg.patch (286.4 KiB)
Comment by loqs (loqs) - Wednesday, 18 October 2023, 13:35 GMT
The key from fix-gpg.patch resolves the issue. However if I run export-pkgbuild-keys at that point it cleans the key back to the state it was before the patch was applied. Is this an issue in devtools or with the key or something else?
Comment by YongMing Zhang (aimixsaka) - Wednesday, 18 October 2023, 14:07 GMT
in source file of export-pkgbuild-keys, has command like this:

gpg --output "$TEMPDIR/$key.asc" --armor --export --export-options export-minimal "$key" 2>/dev/null
...
mv "$TEMPDIR/$key.asc" "keys/pgp/$key.asc"

"--export-options export-minimal" means "removes all signatures except the most recent self-signature on each user ID"(from man gpg).
while patched key file in key/gpg/ contains all signatures from pub key, so in result it seems to be reversed.
(the github author seems signing the commit with a subkey other than "the most recent self-signature one")
(just my personal thought)
Comment by Felix Yan (felixonmars) - Wednesday, 18 October 2023, 16:25 GMT
Should be this case: https://gitlab.archlinux.org/archlinux/devtools/-/issues/93
Comment by Toolybird (Toolybird) - Wednesday, 18 October 2023, 20:31 GMT
Close this in favor of the devtools issue? Deferring to PM's better judgement.

Loading...